Six FAQs about what’s happening, why, and what we can do about it
1. Why are schools under cyber attack?
There are several factors involved. First off, educational institutions have a wealth of sensitive data. Consider that schools hold health information, financial information, academic performance records, personal student and faculty records, and more. Further, note that post-secondary schools can also have extremely valuable, proprietary research and development data and intellectual property.
If that information falls into the wrong hands, it can be exploited or monetized in several ways:
- used for identity theft and fraud
- used to launch spearphishing (targeted phishing) attacks on others
- held for ransom and extortion
- sold to other criminals on the dark web
Now layer in the fact that, due to the COVID-19 pandemic, educational institutions were forced to undergo a digital transformation practically overnight. Remote classrooms, research collaborations, student/teacher communications, third-party and vendor management all had to be supported remotely. While this quick transition helped to ensure the physical health and safety of students and staff, it also dramatically increased what we call the “attack surface” – all the different places where bad actors could try to find a way into school networks and systems and databases.
That’s motive and opportunity for cyber criminals… and they certainly have the means, too. While hacking tools and software have never been easier to acquire and deploy for small-time criminals, we have also seen the rise of many well-organized and sophisticated hacking gangs that can launch attacks from anywhere in the world. Criminals see the ed sector as potentially vulnerable, and likely quick to respond to a ransom demand since schools may not have any other practical way of recovering from an attack.
2. What do these attacks look like?
While some people – whom we call hacktivists – may break into systems to expose security weaknesses or make a statement without causing significant damage, the vast majority of cyber crime targeting schools is financially motivated. We are seeing a particular type of cyber attack – a ransomware attack – emerging as one of the top methods used by threat actors. A recent IBM Security X-Force Threat Intelligence Index analysis showed the percentage of ransomware attacks against the education sector more than doubled globally from 2020 to 2021. In fact, the FBI and CISA in the United States issued a cybersecurity advisory in September 2022 warning of a particular hacking group called Vice Society that is “disproportionately targeting the education sector with ransomware attacks”.
Ransomware attacks typically involve encrypting a victim’s computers with malicious software, then demanding payment to release the locked systems. Schools are also seeing more and more instances of “double extortion”, wherein data is copied before it gets encrypted – so they are threatened with a ransom to decrypt their systems, as well as facing a payment to have stolen data deleted. And of course, all of this is predicated on trusting that the criminals will follow through, even if the school does pay a ransom.
Needless to say, the results of a successful breach can be devastating for students, faculty, and their families. The disclosure of sensitive health information, social insurance numbers, financial information, academic records, and other personally identifiable information can have serious, long-term effects on the victims. For the school itself, the impacts include loss of productivity and teaching time for students and faculty, damage to network infrastructure, crippling increased costs (investigating and remediating the breach, legal fees, third-party assistance costs, etc.), and supply chain disruption (order processing, communications, etc.).
And it’s important not to overlook the reputational damage a cyber attack can have: in a recent survey conducted by Angus Reid Forum on behalf of ISA Cybersecurity, nearly half (46%) of students surveyed say it would influence their decision to attend a university or college if the school was known to have experienced a data breach or had a reputation for weak cybersecurity.
3. What are the barriers holding back institutions from building stronger cybersecurity programs?
Staying on top of the latest cybersecurity technology, trends, and threats is difficult for any organization, as they are often more focused on their day-to-day operations. Educational institutions are no different: the pace of change frequently outstrips what schools can react to, much less plan ahead for. Even important fundamental practices like security awareness training, patch management, and incident response planning can fall by the wayside.
And frankly, for a lot of schools, a significant barrier to strengthening their cybersecurity posture often comes down to constrained budgets. Many schools find they just don’t have the financial resources to establish robust cyber programs, strengthen their defences, or even attract and retain the cybersecurity staff to manage everything. It’s a difficult situation.
There’s no doubt that schools, boards, and districts want to keep their data safe, but overseeing the cyber framework (security, privacy, and data management) for any organization is a complex and daunting task. That’s why we are seeing more and more schools look to trusted partners to help them with their cyber programs, rather than try to work on their own.
4. What can students do to protect themselves?
Here are a few basic tips that can make a big difference:
- Don’t over-share information on social media. Pet names, important dates, addresses, and even personal items in the background of a picture can all be used by cyber criminals to guess passwords, develop convincing phishing emails, or steal your identity.
- Use multi-factor authentication whenever possible.
- Create strong passwords or phrases, and never re-use passwords: if hackers steal one of your passwords, they will try to use it on your other accounts. Consider using a secure password manager application to help keep track of user names and passwords so you don’t feel forced to reuse or write down credentials.
- Keep computers and mobile devices updated with new versions of software as they come out. Consider setting devices to auto-update to avoid missing patches.
- Avoid using unknown public Wi-Fi networks, or use a VPN to establish a secure, encrypted channel to protect private or sensitive data.
- Stay up to date on the latest phishing scams, fake websites, and other social engineering attacks. Maintain a healthy suspicion of unsolicited or unexpected emails, texts, or calls.
- Use the cloud or maintain regular, current data backups in case your device gets lost or stolen, or your files become corrupted or locked by malware.
Finally, every student should take full advantage of the cyber awareness training and resources that their schools provide. Many facilities offer great resources that just aren’t getting used: in our recent survey, just over half (51%) of survey respondents said they don’t follow the guidelines that their academic institutions put out. This is troubling when you consider that students are potentially the hardest hit by a data breach affecting their personal information.
Getting cyber savvy now will help students build a foundation of awareness and vigilance that will serve them for the rest of their lives, and ensure that they bring a security, privacy, and data protection perspective – a cyber mindset – into their working lives as well. Cyber awareness isn’t some “tech thing” – it’s a life skill.
5. What can schools do to protect themselves?
There are basic tactical steps that any educational institution should have in place:
- Document IT policies and procedures, which are essential to set user expectations and acceptable behaviours. Ensure that a tested incident response plan is a key part of your procedure framework so your team can respond quickly and effectively in case of an attack.
- Educate staff and students, and provide regular security awareness training and testing of those skills. People are the first line of defense against many forms of cyber attack.
- Implement multi-factor authentication (MFA). Passwords are not enough – MFA is the single biggest defensive improvement you can make to protect your systems, even if passwords are hacked.
- Use an asset management system to keep track of your fleet of devices, and maintain robust patch management. Many cyber breaches exploit already-known and fixable vulnerabilities in systems, so it’s critical to ensure they are always patched and up to date to defend against attacks.
- Maintain – and test – regular backups. If the worst happens, a tested backup of your system may be all that stands between you and a ransom payment.
- Implement endpoint protection. Modern malware protection software goes way beyond yesterday’s anti-virus programs, protecting your systems against both known and unknown threat patterns.
- Implement a security information and event management (SIEM) program, which is vital to watch for irregularities on your network that could signal problems – both inadvertent and malicious. Plus, a SIEM is required for cyber insurability and many compliance regimes.
Many schools look to business partners to provide guidance or hosted/managed services for many of these areas. No institution should feel alone.
6. Where can we learn more?
The Government of Canada’s Get Cyber Safe website is a great resource. It has engaging and practical information for all Canadians to help increase their cybersecurity awareness. They recently published a blog on some of the latest trends in phishing, and how students can protect themselves. The Canadian Anti-Fraud Centre website also has information on current phishing outbreaks and other scams. Coinciding with Security Awareness Month in October 2022, the Insurance Bureau of Canada (IBC) has also launched a new cyber education initiative called the Cyber Savvy Challenge, a portal with a quiz, tips, and resources to help raise the security awareness level for all Canadians.
ISA Cybersecurity is also here to help. In addition to articles and resources on our website, we have partnered with several Ontario post-secondary institutions to provide guidance and support to their security programs, so we have a strong background in the sector and a keen understanding of the pain points that schools feel today. We have taken that depth of experience to market and are proud to provide cyber services to many individual schools, school boards and school districts right across Canada. We take a risk-based approach to developing cyber programs — rather than chasing the latest technology or a flashy point solution — to help schools strengthen their cyber posture. This approach addresses real-world risks cost-effectively and balances those risks against other critical imperatives, such as ensuring timely, effective, and efficient educational services. We can help bring order to chaos.
Contact us today to learn more.