That the Education sector faces major challenges is not news to most. Issues such as a lack of staffing and a lack of funding and resources are well known and persistent. But now UK Schools and Further Education are facing another challenge — cyber-attacks.
This diagram, taken from the Cyber Security Breaches Survey 2021 published by Gov.UK & the National Cyber Security Council (NCSC), shows the percentage of UK organisations that reported incidents of cyber-attacks over the past year, and shows that the percentage of Primary Schools attacked last year was on a par with UK Businesses as a whole, while attacks on both Secondary Schools and Further Education were even more common.
It is also important to note that the rate of cyber-attacks against the education sector has been rising significantly over recent years meaning that Cyber-security in Education is vital to protect against not only financial loss and prevent disruption, but even more critically, to protect students from harm.
Therefore, the Education sector needs to do everything it can to ensure their applications and systems are protected, and work to overcome any challenges.
In this article, we’ll look at the current state of cyber-security in Education. We’ll discuss the most common reasons for attacks and the primary threats and challenges facing the sector, and how you can protect your educational institution.
Why do cyber-criminals target Education?
There are four key reasons why cyber-criminals target the Education Sector.
With Education venues ranging in size, purpose, and stature, the motives for attack can vary too. For example, what might be a common threat for well-known Universities/Colleges will likely not be an issue for schools or school districts. So, institutions need to evaluate the risk to them and understand what data is vulnerable to unauthorised access.
Disruption — These sorts of attacks often take the form of Distributed Denial of Service Attacks (commonly referred to as DDoS Attacks), with the attacker’s motive to cause widespread disruption to the institute’s network, having a negative effect on productivity. These can be a relatively easy attack for amateur cyber-criminals to carry out, especially if the target network is poorly protected. There have been reported instances of students or teachers successfully carrying out a DDoS attack, with motives ranging from simply wanting a day off, to protesting the way a complaint was handled.
Data theft — This is another attack affecting all levels of education because all institutions hold student and staff data, including sensitive details like names and addresses. This type of information can be valuable to cyber-criminals for several reasons, whether they plan to sell the information to a third party or use it as a bargaining tool and extort money. The concerning aspect of this type of attack is that hackers can go unnoticed for long periods of time, such as a recent incident at a renowned university where more than 150,000 medical records were stolen over several months.
Financial gain — Another motive for hackers carrying out an attack on an educational institution is for financial gain. Private institutions and Universities/Colleges handling student fees are a prime target for cyber-criminals with students or parents commonly paying fees via an online portal, often transferring large sums of money to cover tuition. Public schools too can be a target, usually tying back to data theft, with information being harvested for use in fraudulent activities.
Espionage — Higher education institutes like Universities/Colleges are often centers for research and hold valuable intellectual property. Scientific, engineering and medical research by UK Universities have been reported to have been compromised by hackers in targeted attacks.
With these four motives in mind, it is important to identify how cyber-criminals will typically carry out an attack on Education networks to further help us understand how to protect them.
How is Education targeted?
The most common forms of cyber-attack against the Education Sector are, as you might expect, also the most common types of cyber-attacks period. The following table, also taken from the Gov.UK/NCSC “Cyber Security Breaches Survey 2021”, shows the percentages of various incident types reported.
This data shows us that the most common attack vectors fall into 3 camps.
Phishing — Phishing scams often take the form of an email or instant message designed to trick the user into trusting the source in a fraudulent attempt to access their credentials — whether that’s sensitive student data or confidential research. This type of attack is highlighted as the top threat facing education venues, suggesting hackers regularly target the sector using this method.
Ransomware/Malware — Also in the top three cyber threats highlighted by the report, ransomware and malware attacks prevent users from accessing the network or files and cause disruption. More advanced forms of this threat can see attackers hold files to ransom. Ransomware or malware typically infects devices using a trojan, a file, or an attachment disguised to look legitimate. However, some ransomware (like the WannaCry attack) has been shown to travel between devices without user interaction.
Lack of awareness — Another common threat is a lack of awareness or accidents. This could be on the part of staff or students who aren’t sufficiently trained to practice good cyber-hygiene or accidentally compromise the network. Despite taking on different appearances, human error plays a key role in most cyber-security threats, something that is not unique to the Education Sector, of course. With better cyber-security training and awareness of the motives and methodology of attackers, education venues can better protect themselves against cyber-attacks.
What are the challenges that Education is facing?
There are many challenges when it comes to protecting Education networks.
Lack of resources and budget — There is typically a lack of finances to invest in cybersecurity, be it software or staff.
Cultural issues — With ‘Bring Your Own Device’ culture being common in educational institutions, this can present difficulties in securing the wider network, particularly with IT staff already facing stretched resources.
An absence of policy — Setting out policies for using the network and making sure they’re adhered to can be difficult in large institutions with a dynamic population.
Despite these challenges, the Education sector is still expected to secure their networks against unauthorised access and cyber-threats. Especially when the repercussions can be as severe as the examples we discussed earlier. With the increasing frequency and potential severity cyber-attacks pose to the Education sector, it’s crucial to work with IT professionals to find a solution to the challenges that you face.
Top tips for securing your Education IT network
The Education sector should focus efforts on minimising the risk of a cyber-attack, rather than a reactive attitude after one has happened.
Training — Providing basic training for all users of your network is one way to mitigate the effects of a lack of funding and resource. This can be something as simple as sharing a handbook with staff and students including information about what to look out for, and tips for practicing good cyber-security hygiene. Giving people the necessary information to protect the network at all access points, could reduce the number of incidents caused by human error.
Cyber Essentials — This is the UK Government-sponsored cyber-security standard that has become a requirement already for businesses to bid for public sector contracts and is being phased in as a requirement for the Education Sector too. While a certification standard may not seem, on the surface of it, to be a practical step for Education to protect itself, Cyber Essentials is a very practical and sensible approach to cyber-security and as such undertaking, it will ensure that your School, College or University has implemented the critical mitigations for cyber-attacks and demonstrate this to your stake-holders.
Authentication — Another cost-effective way to protect the safety of your institution and students is to implement a user-friendly multi-factor authentication (MFA) tool. Including that extra security step for users who are logging onto the network will help prevent unauthorised access.
These are just some of the cost-effective ways to protect your venue from any form of unauthorised access.
Want more advice? If you would like advice on IT for your school, get in touch.