Why has the education sector become a key target for cyberattacks? Threat actors have increased their cyber security threats against the education sector and institutions for numerous reasons. Let's go over them.
Characteristics that create an attractive context for cyberattack
The education sector has presented a set of characteristics that signals opportunities to threat actors. These long-running characteristics include:
- Reliance on legacy technology, especially in higher education. The IT architecture for communication and collaboration, operational processes and student management is often built on legacy systems that are several decades old. Today, educational institutions face a significant journey to digital transformation that has not been completed, and the rush to remote learning from COVID-19 has been cluttered with flaws, attracting attention from cyber security threat actors.
- School districts have the task of selecting their own IT providers, and different departments at the same university often have the right to go their own way in selecting IT systems. These decentralized approaches proliferate vulnerabilities that threat actors can leverage due to the looser security.
- A dynamic and large user population where students usually leave an institution after 2-5 years. This ever-changing roster of students across multiple systems creates a complex mix of access rights and permissions where mistakes or weak links give threat actors avenues of unauthorized access. Once students have completed their studies, educational institutions want to stay in contact, but over time this creates problems dealing with identity management and cyber security threats.
- The education sector has always underinvested in cybersecurity and poorly prepared to handle cybersecurity threats. Only a handful of K-12 institutions have cybersecurity specialists on staff, but as their technology becomes more legacy, it becomes much more difficult to prepare for the new cyberattacks of today. In fact, a study in 2018 of cybersecurity preparedness from 17 industries placed the education sector dead last with the least secure and highest number of security vulnerabilities.
The pandemic has made things worse
Within the context of an already vulnerable sector, the COVID-19 health pandemic from 2020 has only made things worse.
- Institutions are more invested for creating physical spaces and infrastructure for bringing students together in-person, as opposed to creating online learning environments with strong cybersecurity protections. With schools having an ingrained cultural emphasis on physical classrooms, in-classroom teaching technology, outdoor activities like playing fields, the suddenness of the COVID-19 pandemic and major pivot it required caught the most unprepared for a set of very different requirements.
- Teachers are trained to manage children in a classroom environment, rather than in a remote learning environment. Many teachers have low competence on the cybersecurity threats of remote learning technologies, malicious apps, and security standards. To them, these issues are not of high importance, and even in an age when researchers on cybersecurity threats are targeted, teachers present a much easier attack vector. In fact, an experiment in Mississippi saw 83% of targeted staff open a simulated phishing message, 48% clicked the malicious link, and 20% entered their credentials in the phishing page.
- New challenges in how to prove the identity of a student taking a class, sitting an exam, or requesting access to financial information. In fully digital learning environments, the ability to rely on in-person verification is no longer available.
- Remote video learning systems were quickly compromised due to weak or non-existent password usage. Threat actors began plotting denial-of-service and ransomware attacks to hit at the most inopportune and high-leverage times, such as a day or two before a school district was due to begin classes or just before significant holidays when IT staff were looking forward to time off.
Regulatory obligations increase the risks of cyberattacks and cyber security threats for educational institutions. In the United States, this is led by the requirements of the Family Education Rights and Privacy Act (FERPA). It confers three rights on the parents of children under 18 (and then upon the student personally when he or she turns 18 or enrolls in post-secondary education), including the right of access to educational reports, the right of modification in the event of error or when changes are needed, and the right to control disclosure.
There are other regulatory obligations, depending on the nature of the educational institution.
- Universities providing healthcare to students or that include a medical center will need to comply with the provisions of HIPAA (Health Insurance Portability and Accountability Act) and its subsequent updates in the United States. HIPAA includes privacy and security requirements covering administrative, physical, and technical safeguards for health information that is linked to an individual. Stanford University for example suffered several high-profile breaches of health information from three separate medical facilities associated with the university, and carried costs for HIPAA violations even when they were not directly at fault.
- Educational providers accepting payments by credit and debit card must comply with the provisions of PCI-DSS (Payment Card Industry Data Security Standard). Protections are required for payment card information during transmission and storage.
Keep Reading: Cybersecurity in Education
In this whitepaper, we look at the cybersecurity threats the education sector faces and highlight new security solutions, like different methods for multi-factor authentication (MFA).
Download this whitepaper to learn more about:
• The education sector's characteristics making it susceptible to cyberattacks
• How elevated security protections without improving convenience will fail
• Best practices for cybersecurity preparedness