Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
Australia has been a premium education destination for decades – and hackers, sadly, are increasingly in on the action.
Schools and universities across Australia and New Zealand have been hit with worrying frequency in the last few years, with legacy systems, underfunded cyber teams and valuable data all attracting the bad guys. In this piece, I’ll be exploring the threats our education institutions are facing, and analyse the steps security teams can take to beat them.
Australian education is one of the world’s top targets
Attacks on the education sector are an increasing problem right across the world. In the US, strikes on schools have been described as an existential threat, with attack numbers rising. Ransomware is the most common attack type, and while the average ransom hovers at around $100,000, the average cost of recovery – which at $2.7 million is 50% higher than in other sectors – has forced at least one school to close.
Yet Australia is being hit especially hard. Its education sector is worth $135.5 billion and is the fourth most targeted in the world (behind only Italy, India and Israel) with attacks rising by almost 20% through 2021. In recent years, cybercriminals have hit Melbourne Polytechnic and the NSW Department of Education, compromised the data of 200,000 people in a strike on the Australian National University and taken down networks at schools across New Zealand.
With state-linked actors increasingly targeting critical infrastructure, the stakes are rising ever higher, and some organisations are using surprising ways to stay safe – Monash University has launched a public bug bounty program that offers $2,500 to anyone who uncovers vulnerabilities in its systems.
Our education sector is uniquely vulnerable
So what makes the education sector such an enticing target?
Digital access for students is a complex issue, with a regular ebb and flow of students who bring a host of unmanaged personal devices with them
many schools and universities are bureaucratic, siloed bodies that rely on outdated software and hardware (almost ⅔ of respondents to one survey said that their biggest risk was legacy applications)
at the same time, the education sector is racing to adopt technology that can improve teaching, raise student engagement and facilitate remote work (a major shift since the pandemic)
payment portals at fee-paying institutions offer hackers opportunities for making a quick buck
the sector retains a significant body of personal data, much of it referring to children, who are uniquely vulnerable and whose personal details will be useful for far longer than those of older individuals
universities, scientific institutions and military colleges may handle significant amounts of intellectual property and research that can be used for commercial advantage (or targeted by state-sponsored actors)
large institutions may have hundreds or thousands of students and teachers – meaning a Distributed Denial of Service (DDoS) have a huge impact
many colleges and universities do not have consistent or effective backup procedures, adding to the cost of recovery and the impact of ransomware
Change in the sector is much-needed – particularly as the continued rise of the Internet of Things (IoT) and remote work open institutions up to ransomware attacks and more. But complete security may be difficult to achieve. In nearly 40% of educational establishments, the most senior cybersecurity expert reports to a technology-focused role below the CIO, meaning security may be left out of the boardroom when the big decisions are made.
Institutions and their reputations are on the line
Any cyber incident at a school, college or university can have huge implications on their status. Parents and students are drawn to institutions on the strength of their reputation, and anything that affects that – like a public ransomware attack – can be very difficult to recover from. However, cybersecurity doesn’t need to be a massive, cost-prohibitive undertaking. Focusing on the basics can yield great returns in terms of security and has the benefit of delivering quick results.
Awareness training is a critical first step
How can schools and universities - with their limited resources and heavy bureaucracy - limit their exposure to cyber risk? Given the vast majority of breaches start with human error – typically a click on a phishing email – the training of staff and students is a crucial first step. That means teaching password etiquette (unique passphrases are best), ensuring awareness of common scams, encouraging reporting and spelling out the value of personal data. By prioritising awareness training, institutions can defend themselves against the vast majority of cyber risks at a comparatively smaller cost.
Training should be engaging, ongoing and tailored to its recipients (temporary staff, students of different ages and researchers working with confidential data will all have different needs) – with reporting of potential threats or breaches encouraged.
But training can only take you so far
Even then, awareness training is just one part of the picture. Schools, universities and colleges are characterised by a regularly shifting student body – and no matter how hard you train, someone will always drop the ball. Your training must be backed with measures such as:
Multi-Factor Authentication (MFA) and biometrics, which can stop attackers gaining control of accounts
timely and accurate threat intelligence can help you stay ahead of attacks
encrypting data and managing endpoints via application control and device policies to reduce your attack surface
deeper analytics, to allow cyber teams identify and remediate threats more quickly
network segmentation and zero-trust frameworks, to protect data and help stop attacks spreading across your networks
Preparing for the worst by making regular backups, testing your restoration process and having a clear strategy for incident response
Multi-layered, integrated security can reduce your attack surface, contain attacks and limit the damage they cause. And advanced analytics and threat intelligence offer additional value: they can help security professionals make a case for more budget and a bigger voice at the top table, getting schools and universities off the back foot, and onto the front one.
Cybersecurity in education is an ongoing journey
Historic underfunding, siloed departments and legacy tech mean cyberattackers have repeatedly returned to feast on the education sector, and the rise of remote work and IoT technology may make schools and universities even more vulnerable.
There’s no single answer to this security conundrum. Instead, organisations should mix targeted awareness training with integrated products that can protect endpoints, safeguard data and improve detection. Do it right, and your organisation can teach hackers a vital lesson: to stay away from the education sector.