Educational institutions have been a prime target for cybercriminals within the past 12 months. These organisations are not only adopting digital transformation to enhance their scholastic environment; teaching and learning have also shifted online and, moreover, into less regulated conditions. The pandemic has necessitated increased connectivity in a socially distanced world, and academics as well as students have leaned into BYOD culture. Introducing devices such as personal computers and mobile phones has caused immense growth in education’s attack surface, particularly at the tertiary level.
At every level of schooling, institutions are battling insider threats, such as a lack of security knowledge and individuals who exhibit higher-risk behaviours. Poor judgment by staff and students has the potential to cause internal data disclosure, as unsafe security practices can lead to unauthorised access to both the academic and administrative networks.
Cybercriminals know that the education industry suffers from limited security funding and outdated systems. They understand the massive impact they have on education IT infrastructure and, for that reason, are persistent in their attacks. Just last year, the Australian National University announced a data breach that had been ongoing since late 2018. The hacker accessed a plethora of staff, student and visitor information dating back nearly 20 years, including personal details such as names, addresses, emails, phone numbers, tax file numbers, payroll and possibly academic research.
A similar incident struck Melbourne Polytechnic, where 55,000 personal files were stolen, affecting approximately 90,000 people. Individual victims were warned that bank card details, passports and driver’s licences, as well as Medicare details, were breached.
Top 4 Threats for Education
1. Lack of Security Awareness.
Attackers often find success in compromising organisations by exploiting human nature. By catering to people’s innate curiosity and manipulating trust, cybercriminals can gain a foothold in any network.
We can assist you with easy Security Awareness Training. For more information, please contact us.
2. Malware and Ransomware.
Email and web security are of critical concern for any organisation, and email and the web are often the chosen vectors for malware. Phishing emails are used to steal usernames and passwords, and cloud-based administrative and financial portals are often hacked in order to steal data. Malware campaigns involve sending messages that contain links to fraudulent websites or malicious ransomware attachments. Once data is breached, it is often sold, or encrypted and held to ransom until the victim provides monetary compensation.
3. Distributed Denial-of-Service (DDoS).
Politics and international relations play an interesting and important role within tertiary education, as university societies reflect political relations in a microcosmic way. DDoS attacks are often deployed in hopes of sending political messages and hindering or interrupting the normal operations of institutions that hold opinions differing from those of the individual or entity that hired the DDoS actor.
Educational institutions are home to an abundance of valuable intellectual property and research, and are therefore targeted by state-sponsored cyber-actors and other cybercriminals in hopes of disrupting progress or stealing vital research.
It is difficult to truly assess the impact that a breach of this information might have. The theft of this data has lasting effects on institutions and can also cause immense stress for the affected individuals.
3 Tips for Securing Education Networks
1. Implement Security Awareness Training.
For Security Awareness Training to be successful, it must be encouraged from the top down. The importance of awareness programs and proper security conduct must be encouraged by chancellors, vice-chancellors, managing directors and principals, and carried through to the participation of staff and students in awareness programs. Conditioning better security behaviours means enforcing the consistent use of good email, web and password practices, such as Multi-Factor Authentication (MFA), across institutions.
2. Identify and Monitor Legacy Systems.
Due to the lack of funding in the education industry, schools, colleges and universities are often operating on legacy systems. If retiring outdated software and hardware is not yet feasible, it is recommended that organisations patch any vulnerabilities and update systems where possible.
3. Invest in Incident Response.
Incident Response (IR) is crucial for reducing response time and minimising the financial, operational, compliance and reputational costs associated with a breach. IR can help academic institutions contain incidents, protect confidential staff, student and visitor data, and avoid disruption.
Don't hesitate to secure your network. Get in contact with our trusted cybersecurity advisors for more information.