The public sector has always been popular with cybercriminals, with education bearing the brunt of much of that activity. In recent years, however, the frequency, sophistication level, and cost of cyber-attacks against the sector has increased.
Education saw the largest year-on-year increase of email fraud attacks of any industry in 2019, with 192% growth, averaging 40 attacks per institution. And those institutions pay a heavy price; the average annual cost of cybercrime to the public sector is almost US$8 million.
While alarming at first glance, these figures are less surprising when you consider that the education sector recently ranked last out of 17 major industries in terms of cybersecurity preparedness.
And now, an already ill-prepared sector faces an even greater challenge: the coronavirus pandemic has, at once, forced education centres around the world to make the switch to remote learning. A sector already struggling to secure its many points of access just saw its potential attack surface rapidly increase.
“Without significant changes to security environments across the board, the education sector is a sitting duck”
And cybercriminals have wasted little time taking advantage of the situation. As a recent PSA issued by the FBI makes clear, threat actors are actively looking to exploit this new-found reliance on virtual solutions. Without significant changes to security environments across the board, the education sector is a sitting duck.
A disaster waiting to happen?
The coronavirus pandemic may have upped the ante, but the education sector has been something of a powder keg for a very long time.
Education institutions hold masses of highly sensitive data on individuals – perhaps more so than any industry outside of healthcare. Along with personal information such as name, address and DOB, there’s also the potential to hold payment details, ID or social security numbers, health records, and much more.
This trove of information puts a target on the back of every good-sized school, college, or university. Also, like medical institutions, education centres must maintain short- and long-term continuity. Cancelling exams, writing off grades, and cutting off services is not an option, and cybercriminals know this, which also makes the sector one of the most targeted by ransomware attacks.
Then comes the issue of users. Contrary to popular belief, the younger generation is often more relaxed toward cybersecurity than their older counterparts. Weak passwords and the sharing and reuse of credentials is rife among students in particular.
Adding further fuel to the fire is resource – or rather, a lack of it.
Public sector institutions are not known for their sizeable IT budgets, nor are they blessed with an abundance of skilled cybersecurity professionals at their disposal.
This, naturally, results in a lack of controls.
Despite email phishing being the most common vector for security compromises, almost two-thirds of the UK’s top 20 universities have no published DMARC (Domain-based Message Authentication, Reporting and Conformance) record, leaving them woefully exposed to domain spoofing and phishing attacks.
The result – highly-prized information with minimal protection – is a considerable jackpot for anyone with malicious intent. In the wake of coronavirus, the fervour to hit that jackpot will only increase.
Protecting your data during a pandemic
The impact of coronavirus has made an already precarious situation much worse for the education sector. Data, networks, and infrastructure that was already poorly secured has now been quickly migrated into an environment that’s much more difficult to defend.
The consequences aren’t hard to predict. Sophisticated threat groups are already targeting students and staff at major institutions. Despite its creators being indicted by the US Department of Justice, the Silent Librarian spear-phishing campaign infiltrated several major universities in recent years, causing millions of dollars of damage in the process.
With a sector now seemingly on the ropes, scrambling to secure a more complex environment with the same limited resources, attacks like these are already on the rise.
Microsoft’s Global Threat Activity tracker shows over five million detected malware incidents within the education sector in the last 30 days. That represents almost two-thirds of all malware incidents in the top eight most affected industries. The next most affected, Business and Professional Services, has experienced just 842,000 events over the same period.
A robust cyber defence
Clearly, this is a sector under attack. And the only defence is one that places the very people under attack at its heart.
Almost 100% of cyber -attacks require human interaction to be successful. That same human interaction can also bring about failure. Universities should ensure all staff and students are aware of basic security hygiene and the mechanics of common threats. This awareness training must be in context. All users must now how they are likely to encounter an attack and the role they play in defending against it.
Pay particular attention to email security. Ensure all users are aware of the tell-tale signs of phishing, such as spelling and grammatical mistakes, time-sensitive requests, unsolicited requests for information, and spoofed links.
As well as in-depth and ongoing training, provide all users with a clear set of security guidelines that must be followed, whether at home or in the classroom. This should cover the sharing and reuse of credentials, the use of personal devices and external storage, data protection, and other standard best practice.
Finally, deploy a range of tools and controls to protect your data and your networks, along with multi-factor authentication across all systems, devices, and applications.
Once again, tightening email security should be a top priority. Make use of a solution to find and filter suspicious messages, as well as flagging behaviours such as deletion of login alerts, abnormal device usage, and any indicators of account compromise.
We don’t yet know for how long e-learning will be a fixture in student life. Security teams must act now to protect our institutions and our students, throughout the pandemic, and beyond.
You might also like: How technology is driving teacher-parent engagement during the pandemic