Across all industries, cyber-attacks continue to grow in number and severity, with various pieces of research suggesting that the education sector is becoming a particular target.
This blog explores the reasons behind the increase in attacks on educational institutions, the impact of breaches on the sector, and what schools and universities can do to educate themselves on better protecting their biggest security gaps – privileged accounts.
Increasingly being targeted
Research commissioned by specialist insurer Ecclesiastical found that a fifth of education institutions have reportedly suffered cyber-attacks. BitSight Insights’ report ‘The Rising Face of Cyber Crime: Ransomware’ states that the education sector has recently overtaken healthcare as the industry that suffers the highest number of ransomware attacks. The ICO reports that data security incidents in the education sector rose by 68% during Q2 of 2017, and Verizon’s 2017 Data Breach Investigations Report shows that there were 455 cybersecurity incidents in the education sector last year. Though the exact numbers in these reports differ, what remains clear is that the education sector is being increasingly targeted, particularly when you take into account that not all attacks are reported.
We shouldn’t be surprised; there are stories everywhere. Staff from an educational body recently had their data leaked after a third-party supplier stored it poorly online, and last June, University College London suffered a very public malware attack. Attack vectors range from predictable malware or social engineering techniques to attacks on university apps. Attacks on Columbia Falls forced more than thirty schools to close for three days and came with threats of violence, shaming and bullying directed towards children.
In April this year, CCTV footage of three Blackpool schools was broadcast live on a US-based website. Though it was taken down an hour after discovery, it’s hard to reassure parents about security after something like that occurs. The scale is growing; some cybercriminals reportedly hope to use school districts as gateways to other government networks such as state voting systems. But why is the Education sector being targeted?
A treasure trove of data
One reason for the increase in attacks on the education sector could be the lucrative nature of the data held. Medical records, financial information, personally identifiable information (including SSNs), and social security details of students, applicants, alumni, parents, teachers, and all staff account for a huge amount of sensitive data that makes a lucrative product on the dark web.
The average value of university data is $200, so hacking a university can be a profitable business. DDoS-as-a-service attacks can cost as little as $5 on the dark web now, and children’s details are popular with criminals forging documents. In addition, schools typically keep all this information in one place, creating a one-stop shop for cyber attackers. Last year, the personal details of millions of students, teachers, and parents who use Edmodo (the ‘Facebook for schools’ app) were up for sale on a dark web marketplace.
A petri dish for poor cybersecurity practices
Another reason for the increase in attacks is the fact that the Education sector provides the perfect conditions for the proliferation of cyber-attacks, including the organisation of their IT infrastructure, third party outsourcing, a lack of training on IT security, large numbers of portable devices which bypass defences, and the opportunity for human error.
The average education IT infrastructure is a security nightmare. Huge volumes of sensitive data make data handling very complex and increase the risk of being exposed to scams and other social engineering attacks. Schools use cloud services and outsource pupils’ personal data management to various third parties and apps, making it very hard to keep an eye on data. Cyber attackers see teachers and parents as soft targets because schools have never been trained in how to properly defend themselves against IT security threats.
Portable devices are prevalent, and many schools have a 1:1 student device ratio in an environment where IT security-naïve students easily fall victim to phishing scams via email, SMS or social media. 91% of cyber-attacks happen this way, with educational institutions typically falling victim to phishing scams, ransomware attacks and DDoS attacks. Human error is also a risk, as campus software is usually designed more around functionality and usability than cybersecurity. All it takes is one student or employee trying to download a PDF to accidentally download malware and bring down an entire university infrastructure with one infected device. An educational institution in London recently had confidential data leaked online because a staff member simply failed to follow the proper data handling procedures, and data being sent by email to the wrong recipient actually accounted for a whopping 37% of reported education sector incidents in 2017.
All these factors create a backdoor into IT infrastructure for hackers, making it nearly impossible for IT teams in schools to control and protect networks.
Not prepared for GDPR
In addition to the challenges already mentioned, with the recent introduction of GDPR, the Education sector fell even further behind in security. Over one in four education establishments in the UK said they were unprepared for a cyber-attack, and more worryingly almost half didn’t know that GDPR would affect them.
Schools and universities are leaving themselves wide open to an attack and will face non-compliance fines just as severe as we’ve seen finance and healthcare institutions suffer in the headlines (4% of annual turnover, to be precise). The WannaCry attack in May 2017 absolutely devastated NHS systems and crippled their business operations, serving as a warning to educational institutions everywhere. Institutions must cover themselves properly, secure all data relating to EU citizens, and plug increasingly gaping holes in IT security infrastructure.
Cannot afford a data breach
The effect of data breaches on educational institutions has the potential to be shocking. Reputational damage will have a huge knock-on effect on key stakeholders, including students, parents, staff and governors (particularly if the school concerned is a private one or the story catches the media’s attention). Attacks can be the nail in the coffin for institutions unprepared or unequipped to deal with them. Around three-tenths of the worst security breaches of the year led to lost business, and 10% of organisations that suffered a data breach in the last year were so badly damaged by the attack that they had to change the nature of their business.
As well as potentially losing ransom money in the breach, there are also the costs of system downtime, of figuring out what happened and how, and of taking preventative steps so that it doesn’t occur again. 14% of businesses took over a month to detect their most damaging breach of the year. Ransomware remediation costs are expected to hit $11.5 billion by 2019, but schools pay because they can’t afford to interfere with the education of hundreds or thousands of students while they try to repair the damage. Even then there’s no guarantee that paying a ransom will get you your data back.
Privileged accounts are a prime target
Organisations across every sector are realising the importance of privileged access management. Privileged accounts are prime targets, not just for students but external parties and malicious insiders too, due to the sensitive and valuable nature of student information. Hacktivists, disgruntled students, an ex-employee, a clumsy current one, competitors, a contractor looking to make some extra money – anyone can be motivated to abuse access.
Privileged users have largely unmonitored access to extremely sensitive data, sometimes above and beyond what they require to do their jobs, and the accounts are often shared by too many people. 86% of large organizations either do not know or have wholly underestimated the extent of their privileged account security problem, while more than half share privileged passwords internally. Elevated privileges allow users to perform a wide variety of malicious actions, from data deletion and theft to completely compromising the system. Tracks are easy to cover and the attack itself simply looks like everyday activity.
With limited IT resources, schools must focus on gaining total visibility of the movement of data within their organisation, and of who’s doing what with that data. By monitoring and restricting access to privileged accounts, and separating people from passwords, educational institutions can greatly improve security for their organisation and everyone inside it.
Our Privileged Access Management solution, Osirium PAM, addresses both security and compliance requirements by defining who gets access to what and when, providing a full audit trail and details of the identity to role mapping used. The platform seamlessly integrates with existing solutions and rules can be defined per device, not only meeting but exceeding compliance policies.
2018 is anticipated to be the worst year yet for cyber-attacks and data loss. 64% of universities don’t believe that their existing IT infrastructure will protect them over the next 12 to 18 months. Outdated systems are putting children at risk and, currently, the attackers are always one step ahead and getting more sophisticated every day. The education sector needs to educate itself on the benefits of Privileged Access Management before it’s too late and institutions end up with a lot more than a slapped wrist from the ICO.
Check out our free Privileged Access Management solution, PAM Express.