The education sector hasn’t made the grade when it comes to ransomware protection

The education sector is a major target for ransomware attacks, but is the current level of support enough to take them down?

Major ransomware attacks are frequently in the news and, with groups behind the US fuel pipeline attack reporting to have earnt $90m in the last nine months, it is easy to understand why these attacks keep growing.

You would think that wealthy financial services companies are a prime target. However, the education sector has come under fire with countless high-profile ransomware attacks in the last six months alone. And to add even more anxiety, educational institutions are now being threatened with the theft of students’ and parents’ personal data which will only be released if ransoms are paid.

This trend is supported by incident statistics, collected by the Information Commissioners Office (ICO) – the UK’s data protection regulator, listing education as the sector with the third highest number of ransomware incidents, falling just behind manufacturing and financial services.

The volume of attacks has reached such an extent that the UK government’s cybersecurity organisation, the NCSC, and the Department for Education (DfE) have issued official warnings that the education sector is being targeted and it needs to increase its level of protection.

The general opinion within the cybersecurity industry is that most successful attacks are opportunistic, casting their net wide enough to see what damage they can wreak. So, if the statistics from the ICO show this trend points towards the education sector, why is it considered such a big target?

Cybercriminals are most likely to target organisations based on how big an impact ransomware will cause, how likely an organisation is to pay up and how easy it will be to break in. I’m confident cybercriminals don’t believe schools, multi-academy trusts or universities have deep pockets, so the only conclusion must be that they think education is an easy target that will still cause a large impact.

I’m confident cybercriminals don’t believe schools, multi-academy trusts or universities have deep pockets, so the only conclusion must be that they think education is an easy target that will still cause a large impact

If a small organisation is shut down because of ransomware, it’s unlikely to make headline news. However, if an educational establishment is shutdown, hundreds if not thousands of students and parents are likely to take to social media and generate headline news, which is exactly the impact cybercriminals want.

It’s hard for any organisation, no matter what budget or resource available, to stay abreast of the latest critical security vulnerabilities. It’s even more difficult for the education sector with its legacy IT systems, over-stretched budgets, and little or no dedicated security staff – especially after being forced to rush in new technology to support remote learning due to COVID. If we add the difficulty that some institutes may have in enforcing strict security measures, as they may not fit with the academic ethos, the result could be a recipe for disaster.

What’s being done to support the education sector?

The NCSC has produced various resources on how to combat ransomware. This includes guidance on what security measures are needed to stop these attacks and training courses for teachers to increase their awareness. But is this enough?

IT staff within education institutes are likely to know what they need to do to prevent these attacks, but don’t have the necessary time, resources or money to tackle it properly. Without an injection of additional funding, it’s hard to see how anything will change. The US government has acknowledged this by allowing schools to tap into a deep pool of federal COVID relief funds to strengthen their cybersecurity defences.

Until similar resources are made available in the UK, education providers must do what they can to protect themselves. They need to prioritise important issues such as fixing security gaps in their perimeter defences (e.g. RDP, VPN), which could see an attacker break in without any interaction with staff or students. Furthermore, the risk of social engineering through phishing, by training programmes and anti-phishing/anti-malware technology on email and web traffic needs to be addressed. And finally, educational institutions must fix gaps within their internal defences that could see an attacker move freely around the internal network, such as weak passwords, poor network segregation and a lack of security monitoring.

One effective solution can be found in moving critical IT systems, such as payroll, to specialist hosting providers, allowing an institute to immediately obtain industry-leading security for their critical systems, and providing additional resilience in the event of an attack. Data checks and controls built into those platforms help prevent inaccurate data entry, reducing the cost of human errors and the risk of fraudulent activities. It’s the modern-day equivalent of not putting all your eggs in one basket.

It’s apparent the education sector is currently a major target for ransomware attacks so we are left wondering if the current level of support will be enough to reduce these going forward. Only time will tell. My opinion is it will either slow down because attackers come to the conclusion the education sector does not have the money to pay up, or because the sector finally makes the grade when it comes to cybersecurity defences.

You might also like: Teaching data literacy skills to unlock an economic recovery


Leave a Reply