Author: Mark Stone
Cyber security incidents such as ransomware attacks are on the rise for both K-12 and higher education organizations. As schools juggle changing mandates to hold classes online or embrace a hybrid model, education cyber security challenges are increasing.
Adding to the complexity, staff and students working or learning from home may stretch IT infrastructures beyond the safe confines of an institution's network and security systems. The massive amounts of data schools and universities store make them attractive targets for hackers. Because the potential financial and reputational losses for education are so significant, preventing cyber security attacks on schools is a top priority for the sector.
Trends in education cyber security threats
The Verizon 2021 Data Breach Investigations Report (DBIR) notes threats to the education sector, underscoring the importance of cyber security hygiene and education.
Social engineering attacks—which try to trick the victim into instigating a fraudulent transfer of funds—represent almost half of cyber security attacks on schools, according to the report. Additionally, the report found that the most common attacks within the sector use some form of pretexting to increase the chances of success. With pretexting, hackers initiate back-and-forth dialogue with victims to establish credibility with information they glean from publicly available data beforehand. Attackers who use pretexting will often impersonate an executive or another important member of an organization to make the request seem more urgent. This tactic is typical in other sectors but a new one for many educators.
The DBIR reported 1,332 education cyber security incidents, with 344 confirmed cases of data disclosure. While social engineering was the most common factor, miscellaneous errors and system intrusion round out the top three types of cyber security attacks on schools.
Lost and stolen assets, a threat once considered a critical issue for education cyber security, only made up a small portion of breaches. This means that social engineering should be a key focus for IT decision-makers.
The cost of cyber security attacks on schools
In 2021, the average cost of a data breach to the education sector was $3.79 million per incident. The Sophos State of Ransomware in Education 2021 report examined ransomware attacks on educational institutions in 2020 and found the sector to be particularly vulnerable to cyber threats. In 2020, along with retail, education experienced the highest level of ransomware attacks, with 44% of organizations victimized.
Besides the ransom itself, other costs include lost labor, downtime, lost opportunity and device and network costs. Students pay, too; cyber security attacks on schools have disrupted online learning at many institutions this year.
Finally, with a successful attack, hackers can block access to critical systems, steal confidential information and even publish sensitive information if the institution fails to pay the ransom.
How schools can help prevent education cyber security threats
Ultimately, for IT decision-makers, one cost effective way to prevent cyber security attacks on schools is through training and awareness about cyber security. All students and faculty should be brought up to speed on the risks of being targeted by malicious actors and taught ways to spot potential security threats online and in email.
One strategy to consider is using test emails to mimic a phishing attack. A school or university can gauge how well its security message is getting across and train staff on what to look for to decrease the chances of being tricked a second time.
Policies surrounding education cyber security should be clearly communicated and easy to understand. Moreover, employees and students need to know why these policies are important. Encourage your IT and security teams to remain transparent and open to questions. But risk readiness is about more than training: Technology is equally important.
One way to mitigate the risk of unauthorized access or phishing is by using two-factor or multifactor authentication (MFA). You may not require MFA for every type of login, but MFA should be used whenever possible, especially for accessing confidential data and resources. If a hacker needs to take an additional step to access your systems, they may just move on to the next target.
As an additional precaution, schools should create controls and logging mechanisms that trigger an alert for suspicious activity. For any schools lacking dedicated security resources, a managed security service provider can play a critical role in enhancing the overall security posture of the institution.
Discover Verizon's education cyber security solutions to help safeguard your students, staff and schools.