Dan is a 20-year veteran of the ICT industry, working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com, Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
The troubling state of cybersecurity in the education sector
Time to throw out the school bells and homework diaries, because it looks like video lectures and virtual classrooms are here to stay.
The education sector is in the middle of a digital transformation, and with the rise of e-learning platforms, our high schools and universities are becoming prime targets for all kinds of cyberattacks.
Last year, the Australian National University and the Australian Catholic University were blindsided by surprisingly sophisticated and well-organised cyber attacks that compromised the data of thousands of people.
Microsoft Security Intelligence found that 60% of nearly 8 million enterprise malware encounters reported in the past month came from devices in the education sector, making it the most affected industry. With every school and university rushing to make the switch to remote learning, the attack surface of the education sector is growing massively.
Why cybercriminals are targeting schools and unis
Traditionally, schools and universities have only had very basic cybersecurity arrangements and small IT teams who have to make do with limited resources. Many educators and managers still erroneously believe that they don’t have any data worth stealing.
But nothing could be further from the truth. Schools and universities are data-rich gold mines. From student and employee records to sensitive financial information, campuses contain tons of valuable data that is poorly secured and easy to hack. Cybercriminals are well aware of this and are looking to take every advantage they can of the chinks in the loosely-cobbled-together cyber-armour that most schools have.
That’s not to say that educators are completely unaware of the threats out there. Many do want to upgrade their security, but cost and complexity are big barriers to overcome.
To that effect, the federal government has announced that it will provide $1.6 million to boost the cybersecurity capabilities of Australia’s universities, which is a welcome step, but many schools will still need to take the initiative to strengthen their security.
The biggest cyber threats schools are facing
The sudden shift to online education, while wonderfully useful, has dropped a whole new set of problems on school administrators’ plates. Many students are expected to use their personal laptops and devices for schoolwork, and a lot of teachers rely on free video conferencing software to conduct their classes digitally. Free software often comes with its own vulnerabilities, and educators aren’t always the most tech-savvy people, which makes them easy targets for cybercriminals.
And with the confidential data of children, students, teachers and parents at stake, data security isn’t something schools can take lightly. The most common threat schools have to deal with is phishing attacks that try to trick people into giving up their data. Common scams for schools and universities can include everything from impersonating government agencies to offers from fake online stores pretending to sell personal protective equipment.
Ransomware attacks are another major threat, and one that is particularly dangerous now, given that students are studying off-campus and can’t always be monitored. Most institutions are running on-premises systems that weren’t designed for remote use, which means they’re not set up for automatic patches and updates.
The more technically-inclined hackers often exploit open Remote Desktop Protocol (RDP) ports and Server Message Block (SMB), a protocol used for file sharing and access to remote services, to spread malware across the school’s network.
Even though there is growing awareness about good cyber hygiene, it’s an uphill battle to revamp systems and policies to modernise cybersecurity in schools and universities. Given the massive volume of responsibilities that many in the school system already have, sometimes convenience wins over good cybersecurity practices.
How schools can upgrade their cybersecurity
Luckily, there are a variety of options available to campuses. Bringing on board an external company to handle cybersecurity can do wonders for their security posture. With so many options available in the market, it doesn’t have to cost too much either.
But the most effective way schools can improve their security is by doubling down on the basics: things like creating strong passwords, using licensed software and training staff and students on good cyber practices.
While this sort of awareness training is super effective, it isn’t a one-shot cure. Ingraining cybersecurity into a school’s culture requires a long-term commitment to training, consistent messaging and repeated practice. It takes time for a cultural change like this to take root, but given the world of cyber risks we all live in now, it’s well worth the effort. And it’s going to cost far, far less than dealing with the consequences of a catastrophic data breach.