Six FAQs about what’s happening, why, and what we can do about it
1. Why are schools under cyber attack?
There are several factors involved. First off, educational institutions have a wealth of sensitive data. Consider that schools hold health information, financial information, academic performance records, personal student and faculty records, and more. Further, note that post-secondary schools can also have extremely valuable, proprietary research and development data and intellectual property.
If that information falls into the wrong hands, it can be exploited or monetized in several ways:
- used for identity theft and fraud
- used to launch spearphishing (targeted phishing) attacks on others
- held for ransom and extortion
- sold to other criminals on the dark web
Now layer in the fact that, due to the COVID-19 pandemic, educational institutions were forced to undergo a digital transformation practically overnight. Remote classrooms, research collaborations, student/teacher communications, third-party and vendor management all had to be supported remotely. While this quick transition helped to ensure the physical health and safety of students and staff, it also dramatically increased what we call the “attack surface” – all the different places where bad actors could try to find a way into school networks and systems and databases.
The explosion of IoT devices in the educational sector has also increased that attack surface. Schools are rolling out more and more Internet-connected devices (e.g., tablets, smart screens, smart sensors, 3D printers, etc.), which can create new vulnerabilities due to their often weak security features. Zscaler reports that IoT attacks at schools increased 961% from 2022 to 2023 alone.
Looking outside the classroom, the increased use of cloud-based systems has introduced new risks in the form of misconfigured settings, inadequate access controls, and data exposure. For example, Netskope reported that cloud-based malware delivery increased 45% from 2022 to 2023 among schools.
That’s motive and opportunity for cyber criminals… and they certainly have the means, too. While hacking tools, software, and ransomware-as-a-service have never been easier to acquire and deploy for small-time criminals, we have also seen the rise of many well-organized and well-funded hacking gangs that can launch attacks from anywhere in the world. The rise of artificial intelligence has been a game changer for cyber criminals as well, who are now leveraging AI to launch more and more sophisticated attacks and to help them avoid detection once inside the target.
Cyber criminals see the education sector as potentially vulnerable, and likely quick to respond to a ransom demand. Schools have little tolerance for downtime: the risk of damage to student experience and institutional reputation is too great. And since many schools operate without key cybersecurity programs in place, they may be more inclined to pay a ransom in the absence of any other practical way of responding to – or recovering from – an attack.
2. What do these attacks look like?
While some people – whom we call hacktivists – may break into systems to expose security weaknesses or make a statement without causing significant damage, the vast majority of cyber crime targeting schools is financially motivated. Phishing attacks and credential abuse are the two main initial attack vectors, with threat actors seeking to deploy ransomware on their targets. The frequency of attacks has increased in recent months as well: Check Point Research reports that the education/research sector was the most targeted industry in the first half of 2024, with a shocking average of 3,086 attacks per organization per week – a 37% increase over 2023.
Ransomware attacks typically involve encrypting a victim’s computers with malicious software, then demanding payment to release the locked systems. Schools are also seeing more and more instances of “double extortion”, wherein data is copied before it gets encrypted – so they are threatened with a ransom to decrypt their systems, as well as facing a payment to have stolen data deleted. And of course, all of this is predicated on trusting that the criminals will follow through, even if the school does pay a ransom.
Needless to say, the results of a successful breach can be devastating for students, faculty, and their families. The disclosure of sensitive health information, social insurance numbers, financial information, academic records, and other personally identifiable information can have serious, long-term effects on the victims. For the school itself, the impacts include loss of productivity and teaching time for students and faculty, damage to network infrastructure, crippling increased costs (investigating and remediating the breach, legal fees, third-party assistance costs, etc.), and supply chain disruption (order processing, communications, etc.).
And it’s important not to overlook the reputational damage a cyber attack can have: in a survey conducted on behalf of ISA Cybersecurity, nearly half (46%) of students surveyed say it would influence their decision to attend a university or college if the school was known to have experienced a data breach or had a reputation for weak cybersecurity.
3. What are the barriers holding back institutions from building stronger cybersecurity programs?
Staying on top of the latest cybersecurity technology, trends, and threats is difficult for any organization, as they are often more focused on their day-to-day operations. Educational institutions are no different: the pace of change frequently outstrips what schools can react to, much less plan ahead for. Even important fundamental practices like security awareness training, patch management, and incident response planning can fall by the wayside. For example, according to a Consortium for School Networking (CoSN) study in the United States, an average of 13% of teachers, staff, and administrators receive no cybersecurity training at all.
Frankly, for a lot of schools, a significant barrier to strengthening their cybersecurity posture often comes down to constrained budgets. Many schools find they just don’t have the financial resources to establish robust cyber programs, strengthen their defences, or even attract and retain the cybersecurity staff to manage everything. It’s a difficult situation.
There’s no doubt that schools, boards, and districts want to keep their data safe, but the complexity of overseeing the cyber framework (security, privacy, and data management) for any organization can be a daunting task. That’s why we are seeing more and more schools look to trusted partners to help them with their cyber programs, rather than try to work on their own.
4. What can students do to protect themselves?
Here are a few basic tips that can make a big difference:
- Use multi-factor authentication whenever possible.
- Create “long and strong” passwords or phrases, and never re-use passwords: if hackers steal one of your passwords, they will try to use it on your other accounts. Consider using a secure password manager application to help keep track of user names and passwords so you don’t feel forced to reuse or write down credentials.
- Keep computers and mobile devices updated with new versions of software as they come out. Consider setting devices to auto-update to avoid missing patches.
- Avoid using unknown public Wi-Fi networks, or use a VPN to establish a secure, encrypted channel to protect private or sensitive data.
- Don’t over-share information on social media. Pet names, important dates, addresses, and even personal items in the background of a picture can all be used by cyber criminals to guess passwords, develop convincing phishing emails, or steal your identity.
- Stay up to date on the latest phishing scams, fake websites, and other social engineering attacks. Maintain a healthy suspicion of unsolicited or unexpected emails, texts, or calls.
- Use the cloud or maintain regular, current data backups in case your device gets lost or stolen, or your files become corrupted or locked by malware.
Finally, every student should take full advantage of the cyber awareness training and resources that their schools provide. Many facilities offer great resources that just aren’t getting used: in ISA Cybersecurity’s survey, just over half (51%) of survey respondents said they don’t follow the guidelines that their academic institutions put out. This is troubling when you consider that students are potentially the hardest hit by a data breach affecting their personal information.
Getting cyber savvy now will help students build a foundation of awareness and vigilance that will help them the rest of their lives, and ensure that they bring a security, privacy, and data protection perspective – a cyber mindset – into their working lives as well. Cyber awareness isn’t some “tech thing” – it’s a life skill.
5. What can schools do to protect themselves?
There are basic tactical steps that any educational institution should have in place:
- Document IT policies and procedures, which are essential to set user expectations and acceptable behaviours. Ensure that a tested incident response plan is a key part of your procedure framework so your team can respond quickly and effectively in case of an attack.
- Educate staff and students, and provide regular security awareness training and testing of those skills. People are the first line of defence against many forms of cyber attack.
- Implement multi-factor authentication (MFA). Passwords are not enough – MFA is the single biggest defensive improvement you can make to protect your systems, even if passwords are hacked.
- Use an asset management system to keep track of your fleet of devices, and maintain robust patch management. Many cyber breaches exploit already-known and fixable vulnerabilities in systems, so it’s critical to ensure they are always patched and up to date to defend against attacks.
- Maintain – and test – regular backups. If the worst happens, a tested backup of your system may be all that stands between you and a ransom payment.
- Implement endpoint detection and response (EDR) protection. Modern EDR software goes way beyond yesterday’s anti-virus programs, protecting your systems against both known and unknown threat patterns and accelerating response to potential attack.
- Implement a security information and event management (SIEM) program, which is vital to watch for irregularities on your network that could signal problems – both inadvertent and malicious. Plus, a SIEM is required for cyber insurability and many compliance/regulatory programs.
Many schools look to business partners like ISA Cybersecurity to provide guidance or managed services for many of these areas. No institution should feel alone.
6. Where can we learn more?
As October’s Cybersecurity Awareness Month 2024 wraps up, there are lots of great resources available for additional information. Canada’s Communications Security Establishment provides links to our national Get Cyber Safe program that features new Generation Cyber Safe resources. These sites have engaging and practical information for all Canadians to help increase their cybersecurity awareness. The Canadian Anti-Fraud Centre website also has information on current phishing outbreaks and other scams. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) also released a host of updated resources and information for staying safe online.
ISA Cybersecurity is also here to help. In addition to practical articles and education-focused resources on our website, we have partnered with several post-secondary institutions in Canada to provide guidance and support to their security programs. We have a strong, proven background in the education sector and a keen understanding of the pain points that schools feel today. We have taken that depth of experience to market and are proud to provide cyber services to many individual schools, school boards and school districts right across Canada. We take a risk-based approach to developing cyber programs – rather than chasing the latest technology or a flashy point solution – to help schools strengthen their cyber posture. This approach addresses real-world risks cost-effectively and balances those risks against other critical imperatives, such as ensuring timely, effective, and efficient educational services. We can help bring order to chaos.
Contact us today to learn more.