Education sector cyber incidents keep piling up. In March 2021, cyber-attackers hit Florida’s Broward County Public Schools with a $40m ransom demand. Several prestigious US universities were added to the Clop gang’s dark web leak site a month later, after being compromised via a buggy file transfer application. Later, across the Atlantic in southern England, two schools were forced to close after an attack that may have led to the theft of pupils’ parents’ bank details.
This year, both the UK’s National Cyber Security Centre (NCSC) and the US’ Cybersecurity and Infrastructure Security Agency (CISA) have updated their guidance for the sector in light of escalating ransomware attacks. A report from the US non-profit K-12 Cybersecurity Resource Center claimed the sector witnessed “a record-breaking number” of publicly disclosed incidents last year, resulting in “school closures, millions of stolen taxpayer dollars, and student data breaches directly linked to identity theft and credit fraud.”
The bottom line is that schools, colleges and universities are increasingly attractive targets for data theft and extortion. How did things get so bad, and what can security leaders do to protect staff, students and the bottom line?
No Money, No Clue
Industry experts that Infosecurity interviewed are in broad agreement that cybersecurity budget and skills are a key challenge for schools and universities, but this affects different organizations in slightly different ways.
“Anyone with cybersecurity experience is a hot commodity and most education institutions can’t compete based on salary alone. Public institutions’ budgets are usually set by state legislatures, so when policymakers make a push to cut taxes, that is typically a warning sign,” SANS Institute senior instructor and Virginia Tech CISO, Randy Marchany, tells Infosecurity.
“The level of control those legislatures impose on the institution depends on the state. Conversely, private institutions rely on tuition, alumni donations and other grants for their funding.”
Budget constraints also slow down training, especially for smaller institutions, he adds.
For former Gartner managing partner David Irwin, who sits on the board of Madison Public Schools and is the co-founder of education consultancy Thru, a major problem is that K-12 school superintendents aren’t technologists and their CIOs are usually not security specialists. There is also a vast disparity in district sizes in the US, ranging from those with hundreds of thousands of students to those with just a few thousand. Outside the top 100, security savviness is often lacking, he warns. The challenge is that even a district with only 5000 students may have an annual budget of as much as $50m, making it an attractive target for online extortionists.
“Imagine what kind of security a $50m company with 5000 employees would have in place to secure their assets?” he asks Infosecurity. “School districts just don’t think that way: it’s unheard of. A lot of them are also covered by cyber-insurance.”
The COVID Effect
The pandemic has had a significant impact on schools and universities, as unchecked digital transformation efforts increased the attack surface.
“Suddenly, institutions everywhere were told that their students had to attend from home. A lot of their systems didn’t have the appropriate conferencing, collaboration and other technologies to make that happen, paired with students potentially not having the right devices and internet to even access said things,” Forrester analyst, Steve Turner, tells Infosecurity.
“Institutions left and right had to stand up technology literally overnight to make this all happen, and when we’re told to rush, there are tons of things that get overlooked. A lot of academic institutions are struggling with the same issues as other organizations when they’re moving towards cloud-based technology but haven’t necessarily adapted the way they’ve done security or upskilled their security/IT staff where appropriate.”
Jason Nurse, associate professor in cybersecurity at the University of Kent, argues that the pandemic also had a significant financial impact on universities.
“Education has been heavily impacted due to COVID-19, which has meant that many universities have reduced income from students, especially international students. This has further harmed other university services,” he tells Infosecurity. “In my research, we also found that cyber-criminals often launched attacks directly after or around government announcements and lockdowns. In the education sector, the increase in attacks has meant that more emphasis has been placed on securing remote access and remote devices, creating robust ways to allow students and staff to access services.”
A Matter of National Significance
So what are the main threats today? State-backed data thieves were already targeting universities before the pandemic. Now they must contend with ransomware actors also looking for lucrative data to steal and encrypt, according to SonicWall EMEA VP, Terry Greer-King.
“If a hacker gains access to faculty credentials, intellectual property or research in an environment where multi-factor authentication (MFA) is not used, they will be able to access all of an organization’s records, bypassing security altogether,” he warns Infosecurity. “Frankly, this is a matter of national importance, as certain departments will contain research that is of key geopolitical significance.”
The personal and financial information of staff, students and parents is also in high demand for sale on the dark web, where it is bought for use in follow-on fraud. The identities of school-age students are particularly sought after because they set off fewer alarms when used to apply for credit fraudulently.
Phishing is still a popular tactic for hijacking inboxes and stealing data. However, it is only one of several initial access vectors for ransomware, according to the NCSC. The others are vulnerable or misconfigured remote access infrastructure, such as VPN and RDP endpoints, and the exploitation of other vulnerable software such as Microsoft Exchange Server.
A $122bn Opportunity
So what happens next? For Thru’s Irwin, there is a $122bn opportunity for secure-by-design technology deployments in school districts, thanks to the Biden administration’s American Rescue Plan Elementary and Secondary School Emergency Relief (ARP ESSER) fund. However, to ensure suitable investments are being made, school boards and superintendents must get more cyber-savvy.
“Boards are accountable to the public that elects them, so if there’s a breach, it’s partly on them. There needs to be greater awareness,” he argues. “They need to be asking ‘what’s our risk appetite? What’s our crisis incident management strategy?’ At the moment, it’s often not even on the radar.”
According to Forrester’s Turner, funds should be directed to robust spam and phishing controls, a comprehensive backup strategy, regularly tested incident response plans, MFA, endpoint protection and network segmentation. He adds that best practices should extend to securing and limiting privileged accounts, regular patching of all IT assets and email gateway blocking of uncommon attachments, alongside continuous testing of third-party security controls.
For Virginia Tech’s Marchany, any new security architecture must be designed with three key areas in mind: administrative, academic and research. The first will closely resemble a traditional corporate security model, with centralized management of assets to secure processes in HR, payroll, legal, facilities and other administrative areas, he says.
The second must adapt to fit a new world of BYOD, which means it will look more like the security architecture of an ISP, Marchany claims.
“At Virginia Tech, students connect an average of three personally owned devices to our network every day. Institutions should therefore ensure that users are meeting minimum security standards before connecting for course delivery or learning management networks,” he explains. “Because organizations can’t dictate what software or hardware is on those devices, conducting network monitoring while also leveraging threat intelligence is important.”
Finally, it is vital to secure the processes that support research at facilities, which will demand a hybrid security approach, he says.
“Researchers connect instruments to the network, build their own devices, and use university assets to do their research,” Marchany argues. “This requires a local or decentralized management model. Research data, however, needs stronger protection mechanisms because of its potential monetary value.”
Whatever ways schools, colleges and universities decide to proceed, there is an urgent need to change the status quo. For fee-paying institutions, the reputational damage of severe attacks alone could cost them dearly. For others, there is not just a financial impact, but also the risk of yet more disruption to teaching, exams and coursework. Students deserve better.