With schools closed until March at least, most students will be learning remotely for the foreseeable future. For many universities, colleges and schools, the transition from physical to online models happened so quickly that it has left their IT networks exposed to serious harm from outside forces. Recent evidence suggests that cybercriminals are taking notice of the seemingly endless vulnerabilities learning centres now face.
So, why is the education sector particularly vulnerable to cyber-attacks? One of the main issues institutions face is that they are operating large corporate-sized networks without the budgets to match. Add to that the fact that teachers and students aren’t always properly trained to use new technologies safely and securely.
In this article, we highlight four lessons universities and schools need to take on board to avoid falling victim to cyber-attacks that can come with serious consequences.
Lesson 1: your critical research is highly vulnerable
Some of the research done in universities comes with a high market value, which makes it particularly attractive to cybercriminals. A leading medical research institution in the US working on a cure for COVID-19 has admitted that it paid hackers a US$1.14m ransom after a covert negotiation witnessed by BBC News.
You may also remember that last year hackers backed by the Russian state hit the headlines, accused by official sources in the US, UK and Canada of trying to steal COVID-19 vaccine and treatment research.
It’s no great surprise then that a recent survey has revealed 54% of UK universities have reported a breach to the ICO (Information Commissioner’s Office) in the past twelve months. The world-leading research conducted by many UK universities makes them an alluring target for financially-motivated cybercriminals and state-sponsored hackers in search of valuable intellectual property.
To compound the problem, we are increasingly seeing ransomware attackers trying to sell off the stolen information to the highest bidder, causing a serious headache for the victims while potentially increasing the value of their pay-out.
Lesson 2: sensitive employee and student information can easily fall into the wrong hands
A test of UK university defences against cybercrime found that in every case hackers were able to obtain “high-value” data within two hours. The National Cyber Security Centre, part of the GCHQ intelligence agency, says that successful cyber-attacks are often followed by a ransom note demanding payment for the recovery of frozen or stolen data. This sometimes comes with the added threat of publicly releasing sensitive information.
Universities received millions of phishing emails last year, with one institution claiming it had detected as many as 130 million and another saying that the number of attacks had increased by 50% since 2019. Attackers use phishing to infiltrate university networks and navigate their way around, undetected, in search of the information they perceive to be of the highest value. Quite often, this information is sold or published on the dark web, which can lead to staff and students becoming victims of further crimes, such as identity theft.
One of the best ways to counter this problem is with regular penetration testing. This is when security professionals act on your behalf to find and test weaknesses that criminals could exploit. Additionally, you could use training tools such as Sophos Phish Threat, which educates and tests end users through automated attack simulations, security awareness training and actionable reporting metrics.
Lesson 3: a cyber-attack can bring everything to a grinding halt
Universities and colleges were warned last September by the UK’s cybersecurity agency that rising numbers of cyber-attacks were threatening to disrupt the start of the academic year. The warning from the NCSC followed a spate of ransomware attacks against academic institutions such as Newcastle University and Northumbria, in which malicious software, or ‘malware’, was used to lock users out of their own computer systems, paralysing online services, websites and phone networks.
With all learning currently being done remotely, an attack could leave students sitting at home, unable to access course materials, online tools and any of the other resources they need to get on with their work. For university students who pay thousands of pounds a year, the implications of these crimes are enormous on both a financial and personal level. The harm to the reputation of the institution can also be long-term and seriously damaging, and in turn have dire financial consequences for universities that rely on students for income.
Lesson 4: even the safety of your students can be compromised by cyber-attacks
In 2018, live video footage from three schools in Blackpool found its way on to a US website that allows people to view unsecured CCTV cameras. This was a particularly worrying example of how stolen content can end up where you least expect it. This incident also reminds us that a cyber-attack can have even more dire consequences if it features children under the age of 16.
It’s not just online dangers educators should be worried about; education facilities have a pastoral role to play in the lives of students young and old – in some cases providing essential services such as mental health guidance or counselling. With many university students currently isolated from family and friends, an attack on educational establishments can have a detrimental impact on the wellbeing of highly vulnerable individuals. It’s a huge concern for all authorities involved if students fail to receive the support they need from facilities to learn safely.
Undoubtedly, one of the best ways to safeguard staff and students is with preventative action, seeking out cybercriminals on the network before they have the chance to cause harm. Better still, with good cyber hygiene and security awareness, educational institutions can minimise the chance of attackers infiltrating their system in the first place.
With their budgets stretched in every direction due to the ongoing effects of the pandemic, cash-strapped universities, colleges and schools will be asking themselves if they can afford to invest in the necessary cybersecurity defences to combat this problem. Unfortunately, due to the seriousness of the threats around today, they really need to be asking themselves if they can afford not to.