Cybersecurity in Educational Institutions
When a hacker is looking for their next target, they typically go after organizations with poorly guarded systems. It is common knowledge that most K-12 schools do not have the funding or resources for a fully operational cybersecurity team. As a result, thousands of schools, along with their students and faculty, are at risk of having their privacy invaded, ultimately leading to identity theft or fraud. It is therefore imperative that schools stay informed about the cyber threats they face and work to implement a strategy to protect their student and faculty data.
How Frequent Are Attacks?
One of the most recent attacks occurred just this year at several K-12 New York City public schools. The data of over 820,000 current and former students was compromised in the breach. The attack took place on the schools’ management platform, Illuminate Education, which is used to let parents check grades and to communicate with parents. Attacks are becoming more frequent, steadily rising in number over the past few years, with 2020 being a record-breaking year due to the remote format of learning implemented during the COVID-19 pandemic. According to a 2020 publication titled “The State of K-12 Cybersecurity: 2020 Year in Review” by the K12 Security Information Exchange, over 408 cases of K-12 data breaches were reported in 2020, resulting in the loss of millions of taxpayer dollars.
Why Attack Schools?
Why would a cybercriminal looking for money target a school when there are many more profitable targets? The answer is simple. Schools and institutions prove to be easier targets for criminals, due to a likely lack of budget for cybersecurity and training. Criminals on the hunt for easier-to-obtain sensitive information find schools to be much easier targets. Once criminals gain sensitive information, such as a school’s finances or private information on faculty and students, they have the leverage they need to extort money from their targets or sell the information to third parties for a profit. Colleges and universities are also frequent targets, as criminals know that many tuition bills and fees are paid online, making online bill-payment portals for higher education institutions a desired target for hackers.
How Cyber Criminals Attack Schools
When a school or institution is attacked by cyber criminals, the attack most often takes one of three forms. The first and most common of the three is online phishing. Phishing scams are often presented to the target via electronic communication, such as an email, a text message or a direct message. These messages are sent with the intent of scamming the target into giving up sensitive information about the institution.
The second means of attack is ransomware/malware. This type of attack is typically carried out using a form of malware, for example a trojan horse. The malware is disguised as an attachment or document that looks legitimate. When the target clicks on the attachment, their device is immediately infected with the malware and the information on their device is now open to criminals. Sensitive information is then either used to leverage ransom money from the institution or, if the institution’s financial information was on the device, money may already be in the process of being stolen.
The last method of attack, more lucrative than the previous, is the exploitation of a lack of awareness or cybersecurity training among an institution’s staff. For example, if a staff member is not aware of what a phishing email might look like, they will be more likely to accidentally compromise the school’s information. One of the most effective ways of keeping a healthy cybersecurity posture is to implement staff training in cybersecurity.
Challenges Facing Schools
Two of the biggest obstacles preventing educational institutions from having a better cybersecurity posture are, first, a lack of budget and/or resources for cybersecurity training and software and, second, the number of individual devices walking into schools on any given day that are out of the schools’ control. Below are some preventative measures that could help you minimize your risk of attack.
Preventative Measures
Here are three ways you can start minimizing your institution’s risk today:
- Annual Faculty Training
Provide faculty with annual cybersecurity training. Teaching your staff how to recognize, prevent and report any suspicious activity will dramatically improve your institution’s security posture.
- Authentication
Implementing MFA on your faculty’s device logins is another cost-effective way to make sure only your faculty has access to their devices and the sensitive information that may be on them.
- Outsourcing Your Cybersecurity
On average, it would cost an educational facility nearly $450,000 annually to employ and run a security operations center (SOC) in-house. AgileBlue is a 24/7 SOC-as-a-Service platform that is proven to detect cyber threats before a breach. In comparing costs, AgileBlue can save you over $388,500 per year just by outsourcing your cybersecurity needs. Interested in learning more? Download our ROI guide or request a demo with us!