The education sector experienced a "record-breaking" year of cyber attacks in 2020. In case you'd been sleeping under a rock, there was a global pandemic that drove up the need for virtual setups.
According to Microsoft, education is globally the sector most vulnerable to threats like malware, accounting for more than 6.8 million (over 63%) of total reported encounters in early 2022.
It's not one sole segment of the industry that's hurting either. In August 2020, the average number of attacks against U.S.-based education organizations had increased 30% month-over-month, compared to 6.5% across all sectors.
The number of ransomware attacks against higher education institutions worldwide also doubled between 2019 and 2020.
With budget cuts hamstringing institutions in both Canada and the U.S., the need for security awareness training to strengthen data protection across various devices, networks, and other collaboration tools has never been greater.
"Students are practically born with technology between their hands, but they don't have the information about security" – CISO from a major University in Canada.
Therefore, cyber security must be integral to every education organization's mandate. Students, teachers, and administrators need access to the learning tools necessary to understand, detect, and avoid cyber threats they may encounter daily.
To help us get to that point, analyzing data breaches from years past is key to understanding how schools are being targeted and what can be done to minimize information security risk factors.
Recent Cyber Attacks Targeting Schools and Universities
Schools are an ideal target for hackers because they are a goldmine of personal information rarely protected by the same level of cyber security practices used by many private enterprises. Many institutions also manage sizable budgets that malicious entities are keen to exploit.
Take the February 2021 cyber attack that victimized Simon Fraser University in British Columbia, Canada. As per reports, hackers breached a server containing sensitive information like student and staff ID numbers, admissions details, and other academic records. In all, about 200,000 people were affected by the cyber attack.
This data breach came one year after cyber criminals compromised the personal information of 250,000 individuals who attended or worked at the same university.
Cyber criminals are also targeting Canadian government offices associated with the education sector. In February 2020, Quebec's Minister of Education confirmed hackers stole the personal information of 360,000 teachers and ex-teachers. Though arrests were made by local law enforcement, related cases of suspected identity theft were rampant.
Across the Atlantic, the story remains the same. As per a July 2020 report, 54% of U.K. universities reported a data breach to a regulator.
And, despite the country's post-secondary institutions hosting over 2.3 million students and 430,000 staff members, the report also claims that 46% of university staff didn't receive security training in the 12 months before publication.
Then, you have a case like the Blackbaud hack, a ransomware attack first reported back in the summer of 2020, as an example of a massive data breach that crosses international lines.
Nearly a dozen U.S., U.K., and Canadian universities were affected, including the University of London and the Rhode Island School of Design. According to Blackbaud's official statement, they acquiesced to the cyber criminals' demands and paid the ransom for the stolen data, including phone numbers, donation histories, and more.
In September 2022, the Los Angeles Unified School District experienced a ransomware attack that disrupted services for several days for its more than 600,000 students. It is still unclear how much student and staff data was stolen in the process, but several lists of contacts and information related to this incident were found for sale on the dark web.
And the trend is on the rise; Check Point Research recently found that the education sector had experienced a 44% increase in cyber attacks compared to 2021.
Key Lessons from Past Education Industry Data Breaches
Schools are a prime target for cyber criminals
The high volume of attacks shows that schools need to up their data protection measures against cyber attacks. Investing in affordable anti-virus and anti-malware solutions is a must to protect systems.
Staff require more security training
To combat the lack of awareness of IT threats, educators and other school employees must be regularly briefed on the latest security risks to know how to respond intelligently to data breaches, ransomware, and phishing attacks.
Be wary of phishing attacks
Cyber criminals target academic institutions with phishing attempts to manipulate teachers into giving up personal identity and tax information. Knowing the signs of phishing attacks is critical to spotting them when they occur.
Cyber Security Tips for Students and Teachers
To strengthen information security in an educational environment, students, teachers, and employees require access to a mixture of education and IT security solutions. Here are some key tips for keeping your systems safe during the return to school:
Keep software up to date
Regularly updating software eliminates vulnerabilities that hackers can use to launch ransomware attacks. Patching your software and devices stops anyone from accessing your systems without your permission.
Install anti-malware and anti-virus software
Anti-malware and anti-virus software will enable you to block malware and other malicious software from infecting school devices. Look for solutions with automated updates, virus scanning, and anti-phishing support to tighten your defenses.
Choose strong passwords
Choosing a strong password makes it much more difficult for cyber criminals to break into institutional accounts and portals. Creating passwords based on non-dictionary words with a mixture of uppercase and lowercase letters, numbers, and symbols will reduce the likelihood of a successful hacking attempt. Enabling multi-factor authentication for remote access to your network is also very important.
Undergo security awareness training
Cyber attacks are constantly evolving, and arranging security awareness training and phishing awareness training for staff and faculty will help them develop the skills to detect phishing and social engineering attempts. If you are an institution that conducts research, consider extending training to your students.
Appoint internal cyber security ambassadors
Appoint several volunteers interested in cyber security as ambassadors and implement a training and mentorship program to develop their knowledge of threats and best practices. Once these initial participants achieve certification, monitor their progress to look for areas to improve.
Avoid clicking on email links or opening attachments
Clicking on email links or opening attachments from senders you don't know is a security risk, because an ill-intentioned link or attachment can lead to installing malware. Staff and faculty should be regularly reminded to check if the sender is legitimate before clicking on anything.
Cyber culture beats cyber strategy
Educational environments present new learning opportunities for everyone enrolled and on staff. But many of these institutions are vulnerable to cyber attacks.
With the global pandemic giving hackers ample time to develop new scams and harmful software, education is the key to addressing the fast-moving threat landscape.
Security awareness training must be at the forefront of your defense strategy to protect your data. Proactive security awareness training will give the participants a heads-up on cyber criminals' methods and educate them on best practices to safeguard their information and systems.
That means both students and teachers must be given the right tools and information to recognize threats and act correctly when they see them. The only way to establish such a strategy is to have a plan everyone agrees on. The education sector will always be the guardian of a giant trove of personal information; that comes with the number of students who go through its doors every year.
Having software security isn't enough. Institutions must create a cyber security-aware culture to ward off potential attacks.