Cyberattacks in education are not new, but amid the sharp increase in remote learning and virtual classrooms driven by the pandemic, schools, colleges and universities suffered a ‘record-breaking’ year.
The UK Government Department for Digital, Culture, Media and Sport (DCMS) revealed 41% of primary schools suffered a data breach over a 12 month period. At the same time, 76% of secondary schools and 80% of higher education institutes experienced at least one data breach.
80% of higher education institutes experienced at least one data breach
Schools, colleges and universities make attractive targets for cyber criminals because they are often under-resourced and do not have the in-house IT security skills. They are a goldmine of personal information that’s rarely protected by the same level of cybersecurity defences and practices that are available to many private enterprises. Educational institutions also manage sizeable budgets that cyber criminals are keen to get their hands on.
Ransomware – a cause for concern
One of the biggest threats to schools is ransomware attacks, whereby hackers gain access to data, steal it and as the name suggests, demand a ransom to release it. Ransomware attacks during the pandemic resulted in schools losing financial records, as well as students’ coursework and Covid-19 testing data.
In March this year, an attack on multiple schools left 37,000 pupils unable to access their email. The Harris Federation, which runs 50 primary and secondary academies in and around London had to temporarily disable email while it dealt with the attack.
This month (12 October) the University of Sunderland revealed it experienced a suspected cyber attack with telephone lines, website and IT systems disabled.
It’s a case of beating the ransomware criminals at their own game… You can’t demand a ransom for garbage.
Given this spate of ransomware attacks on schools, the UK National Cyber Security Centre (NCSC) was also forced to issue a special alert. The Department for Education wrote to school leaders stating, “it’s vital that (schools) urgently review existing defences and take the necessary steps to protect your networks from cyberattacks”.
At the same time, schools, colleges and universities are being forced to collect more information digitally and with new and evolving data protection laws, which come with the threat of financial penalties for noncompliance, the pressure is mounting.
The problem is that the traditional approach to cybersecurity isn’t working. The ordinary castle and moat method used to keep the cyber criminals out is failing, as determined hackers will always find a way to get through and detecting their increasingly sophisticated malicious activities isn’t easy.
Solutions such as signature-based anti-virus solutions are reactive and only work on known threats that have already happened – and have been given a ‘signature’. And it doesn’t matter how strong the backup and recovery plans are; in most cases, it’s simply too late.
So, it’s time to do away with all the complicated security hardware and software that only works by looking for bad stuff – such as malicious code running on your computer and other devices – and instead use tools that can detect if something is not authorised and stop it from running.
This solution is known as Application Control and with the power of advanced machine learning and AI technology, it provides a zero-tolerance approach to both known and unknown threats. That means, if someone at home, in the classroom or the office clicks on a malicious link or opens a rogue document that tries to install malware – including ransomware – it’s like the bouncer on the door or the teacher at the school gate; if you are not on the list or the register, then you can’t come in.
Belt and braces
If we can’t be sure to keep the cyber criminals out nor trust the people around us, the obvious thing to do is to adopt a data-centric approach, where security is built into data itself using encryption.
It’s a case of beating the ransomware criminals at their own game. Imagine their frustration when they find the data that has been stolen is already encrypted and useless to them. You can’t demand a ransom for garbage.
Even seemingly trivial information can be useful to a cybercriminal
Full disk encryption technology is often used to protect data when it is at rest on a hard disk or USB stick, which is great if you lose your laptop but is of absolutely no use in protecting data against unauthorised access or theft from a running system. Data therefore needs to be protected not only at rest but also in transit and in use, on-site or in the cloud.
Even seemingly trivial information can be useful to a cybercriminal, so it’s no good encrypting only the ‘most important’ or ‘sensitive’ data. With advances in technology and fast processing speeds, seamless data encryption can now be used to protect all data, all of the time.
A combination of zero-tolerance and data-centric security will go a long way to protecting schools, colleges and universities in the face of increasing attacks. Sadly cyber criminals have no moral compass and simply go for the weakest targets.
SecureAge’s Grant Program aims to create a safer and more productive environment for research and learning at no cost. So, when budgets are being squeezed, the initiative gives schools, colleges and universities free access to SecureAPlus intuitive endpoint protection software that can detect known and unknown threats to provide enterprise-grade protection.
For more information, visit https://www.secureage.com/article-grant-program
You might also like: DfE quadruples staff cybersecurity training places in one year