Educational institutions have become a popular target for attacks due to a combination of porous networks, large numbers of users, highly monetizable data, and limited security expertise and budgets. The research team at ESET, a leading proactive threat detection company, observed sophisticated APT (Advanced Persistent Threat) groups attacking institutions around the world.

Nation-state sponsored actors and cybercriminals are among the biggest current threats to schools, colleges and universities. In the period from April to September 2024, the education sector was among the top three industries attacked by APT groups aligned with China, among the top two by North Korea, and among the top six by actors aligned with Iran and Russia.
In the UK, 71% of secondary schools and almost all universities (97%) suffered a serious security attack or breach last year, compared to only half (50%) of businesses, according to government data. In the United States, the most recent figures available from the K12 Security Information Exchange (SIX) reveal that, between 2016 and 2022, the nation experienced more than one cyber incident per school day.
ESET notes that the tactics, techniques and procedures used to attack educational institutions depend on the final target and the threat actor. ESET identifies the following factors that make educational establishments attractive to cyberattackers:
- Limited budget and expertise: The education sector is often under greater budgetary pressure than private companies and is often more limited in hiring cybersecurity talent and adopting security tools. This can create dangerous coverage and capability gaps.
- Use of personal devices without adequate security: According to Microsoft, BYOD (Bring Your Own Device) is very common among those studying at U.S. institutions. The use of school networks with personal devices can provide a way to access sensitive data and systems if not accompanied by an adequate security policy.
- Low level of user awareness: The human factor remains one of the biggest challenges for security personnel. Staff and students in educational environments are a prime target for phishing, so implementing awareness programs is critical. But, to give an example, only 5% of UK universities carry out such activities aimed at students.
- Culture of information sharing and external collaboration: The culture of information sharing and openness to external collaboration tends to increase risks. Tight control is necessary, especially in e-mail communications, and this can become difficult when there are so many connected third parties, from alumni and donors to charities and suppliers.
- A wide attack surface: The cyberattack surface has expanded with the advent of virtual learning and remote working. From cloud servers to personal mobile devices, to home networks and the vast number of employees and students, there are many targets for threat actors to aim at.
- Large amounts of personally identifiable information: Schools and universities store, manage and process large volumes of personally identifiable information (PII) about staff and students, including health and financial data. This makes them an attractive target for financially motivated fraudsters and ransomware authors. In addition, many institutions conduct sensitive research that also makes them a target for nation-states.
In the UK, universities rank ransomware as the top cyber threat to the sector, followed by social engineering/phishing and unpatched vulnerabilities. And in the United States, a Department of Homeland Security report states, “K-12 school districts have been a near constant target for ransomware due to school systems’ IT budget constraints and lack of dedicated resources, as well as cybercriminals’ success in extracting payment from some schools that are required to operate on certain dates and times”.
“The ever-increasing size of the attack surface, including personal devices, legacy technology, large numbers of users and open networks, makes the threat actor’s job much easier. While there may be a unique set of reasons why threat actors attack schools, colleges, and universities, the techniques they use to do so are tried and true. This means that for protection, the usual security standards apply”, says Camilo Gutiérrez Amaya, head of ESET Latin America’s Computer Security Lab.
To mitigate cyber risk, ESET suggests that educational institutions focus on people, processes, and technology:
- Enforce strong, unique passwords and multi-factor authentication (MFA) to protect accounts
- Practice cyber hygiene with immediate patching, frequent backups and data encryption
- Develop and test a robust incident response plan to minimize the impact of a breach
- Educate staff, students and management team on security best practices, with a focus on detecting phishing emails
- Develop and share a detailed acceptable use policy with students, including the security you expect them to pre-install on their devices
- Partner with a trusted cybersecurity provider that protects the organization’s endpoints, data and intellectual property
- Consider using managed detection and response (MDR) to monitor suspicious activity 24/7 and help detect and contain threats before they can affect the organization
“Educators around the world already have many problems to deal with, from shortages of qualified personnel to funding issues. But ignoring the cyber threat will not make it go away. If left to escalate, breaches can cause enormous financial and reputational damage that, for universities, could be disastrous. Ultimately, security breaches undermine the ability of institutions to deliver the best possible education. It is something we should all be concerned about”, says Camilo Gutiérrez Amaya, head of ESET Latin America’s Computer Security Lab.