Education is a hot target – but it can fight back

Australia has been a premium education destination for decades – and hackers, sadly, are increasingly in on the action.

Schools and universities across Australia and New Zealand have been hit with worrying frequency in the last few years, with legacy systems, underfunded cyber teams and valuable data all attracting the bad guys. In this piece, I’ll be exploring the threats our education institutions are facing, and analyse the steps security teams can take to beat them.

Australian education is one of the world’s top targets

Attacks on the education sector are an increasing problem right across the world. In the US, strikes on schools have been described as an existential threat, with attack numbers rising. Ransomware is the most common attack type, and while the average ransom hovers at around $100,000, the average cost of recovery – which at $2.7 million is 50% higher than in other sectors – has forced at least one school to close.

Yet Australia is being hit especially hard. Its education sector is worth $135.5 billion and is the fourth most targeted in the world (behind only Italy, India and Israel) with attacks rising by almost 20% through 2021. In recent years, cybercriminals have hit Melbourne Polytechnic and the NSW Department of Education, compromised the data of 200,000 people in a strike on the Australian National University and taken down networks at schools across New Zealand.

With state-linked actors increasingly targeting critical infrastructure, the stakes are rising ever higher, and some organisations are using surprising ways to stay safe – Monash University has launched a public bug bounty program that offers $2,500 to anyone who uncovers vulnerabilities in its systems.

Our education sector is uniquely vulnerable

So what makes the education sector such an enticing target?

1. Digital access for students is a complex issue, with a regular ebb and flow of students who bring a host of unmanaged personal devices with them

2. many schools and universities are bureaucratic, siloed bodies that rely on outdated software and hardware (almost ⅔ of respondents to one survey said that their biggest risk was legacy applications)

3. at the same time, the education sector is racing to adopt technology that can improve teaching, raise student engagement and facilitate remote work (a major shift since the pandemic)

4. payment portals at fee-paying institutions offer hackers opportunities for making a quick buck

5. the sector retains a significant body of personal data, much of it referring to children, who are uniquely vulnerable and whose personal details will be useful for far longer than those of older individuals

6. universities, scientific institutions and military colleges may handle significant amounts of intellectual property and research that can be used for commercial advantage (or targeted by state-sponsored actors)

7. large institutions may have hundreds or thousands of students and teachers – meaning a Distributed Denial of Service (DDoS) have a huge impact

8. many colleges and universities do not have consistent or effective backup procedures, adding to the cost of recovery and the impact of ransomware

Change in the sector is much-needed – particularly as the continued rise of the Internet of Things (IoT) and remote work open institutions up to ransomware attacks and more. But complete security may be difficult to achieve. In nearly 40% of educational establishments, the most senior cybersecurity expert reports to a technology-focused role below the CIO, meaning security may be left out of the boardroom when the big decisions are made.

Institutions and their reputations are on the line

Any cyber incident at a school, college or university can have huge implications on their status. Parents and students are drawn to institutions on the strength of their reputation, and anything that affects that – like a public ransomware attack – can be very difficult to recover from. However, cybersecurity doesn’t need to be a massive, cost-prohibitive undertaking. Focusing on the basics can yield great returns in terms of security and has the benefit of delivering quick results.

Awareness training is a critical first step

How can schools and universities - with their limited resources and heavy bureaucracy - limit their exposure to cyber risk? Given the vast majority of breaches start with human error – typically a click on a phishing email – the training of staff and students is a crucial first step. That means teaching password etiquette (unique passphrases are best), ensuring awareness of common scams, encouraging reporting and spelling out the value of personal data. By prioritising awareness training, institutions can defend themselves against the vast majority of cyber risks at a comparatively smaller cost.

Training should be engaging, ongoing and tailored to its recipients (temporary staff, students of different ages and researchers working with confidential data will all have different needs) – with reporting of potential threats or breaches encouraged.

But training can only take you so far

Even then, awareness training is just one part of the picture. Schools, universities and colleges are characterised by a regularly shifting student body – and no matter how hard you train, someone will always drop the ball. Your training must be backed with measures such as:

1. Multi-Factor Authentication (MFA) and biometrics, which can stop attackers gaining control of accounts

2. timely and accurate threat intelligence can help you stay ahead of attacks

3. encrypting data and managing endpoints via application control and device policies to reduce your attack surface

4. deeper analytics, to allow cyber teams identify and remediate threats more quickly

5. network segmentation and zero-trust frameworks, to protect data and help stop attacks spreading across your networks

6. Preparing for the worst by making regular backups, testing your restoration process and having a clear strategy for incident response

Multi-layered, integrated security can reduce your attack surface, contain attacks and limit the damage they cause. And advanced analytics and threat intelligence offer additional value: they can help security professionals make a case for more budget and a bigger voice at the top table, getting schools and universities off the back foot, and onto the front one.

Cybersecurity in education is an ongoing journey

Historic underfunding, siloed departments and legacy tech mean cyberattackers have repeatedly returned to feast on the education sector, and the rise of remote work and IoT technology may make schools and universities even more vulnerable.

There’s no single answer to this security conundrum. Instead, organisations should mix targeted awareness training with integrated products that can protect endpoints, safeguard data and improve detection. Do it right, and your organisation can teach hackers a vital lesson: to stay away from the education sector.