Attacks on the education sector are surging: How can cyber-defenders respond?

Business Security


Educational establishments possess distinct attributes that make them appealing to malevolent entities. What is the appropriate response to counter cyber dangers?


We all want the best learning experiences for our children. However, even the best-laid plans can fail when confronted with an agile, persistent, and cunning adversary. Nation-state-aligned actors and cybercriminals are among the most significant threats facing schools, colleges, and universities today. According to Microsoft, the education sector was the third-most targeted sector in Q2 2024.

Moreover, sophisticated APT groups tracked by ESET threat researchers have been targeting institutions globally. From April to September 2024, the education sector ranked among the top three most targeted industries for China-aligned APT groups, within the top two for North Korea-aligned groups, and in the top six for Iran- and Russia-aligned actors, according to reports.

Educational institutions have distinctive characteristics that make them attractive to malicious actors. Fortunately, standard security best practices remain an effective response to these cyber threats.

What drives cybercriminals to target educational institutions?

In the UK, 71% of secondary schools and almost all (97%) universities reported a significant security breach or attack over the previous year, contrasted with only half (50%) of businesses, as per official statistics. In the US, statistics from the K12 Security Information Exchange (SIX) show that, between 2016 and 2022, the nation encountered more than one cyber incident per school day.

So, why do adversaries target educational institutions so frequently?

It’s a mix of vulnerable networks, vast user numbers, highly exploitable data, and scarce security expertise and finances. Let’s delve deeper into these:

  • Limited funds and expertise: The education sector struggles to compete with affluent private firms in terms of cybersecurity staffing. Budget constraints mean that institutions typically have minimal resources to allocate to security tools. This can lead to critical gaps in defense capabilities. Nonetheless, mitigating cyber risks becomes even more imperative given financial limitations. A study suggests that ransomware attacks on US educational institutions have incurred $2.5 billion in downtime costs since 2018.
  • Personal devices: According to Microsoft, the practice of Bring Your Own Device (BYOD) is widespread in US schools, and university students are expected to provide their own laptops and devices. If these devices are permitted to access school networks without adequate security controls, they can inadvertently serve as gateways for threat actors to reach sensitive data and systems.
  • Fallible users: People remain a major challenge for security teams. The large number of staff and students in educational environments makes them prime targets for phishing attacks. Conducting awareness training is crucial. However, in the UK, for instance, only 5% of universities mandate student participation.
  • A culture of transparency: Schools, colleges, and universities operate differently from conventional businesses. A culture of information exchange and openness to external collaborations can heighten risks and offer opportunities for threat actors to exploit. Implementing tighter controls, particularly regarding email communications, is preferable. However, this is challenging with numerous associated third parties, ranging from alumni and donors to charities and suppliers.
  • An expansive attack surface: The educational sector is just one layer of an expanding cyber attack surface that has broadened with the rise of virtual learning and remote work. From cloud servers to personal devices, home networks, and fluctuating large numbers of staff and students, there are myriad targets for threat actors to exploit. This is compounded by the fact that many educational institutions operate on outdated and unsupported software and hardware.
  • Personal Identifiable Information (PII) and Intellectual Property (IP): Schools and universities store, handle, and process vast amounts of personally identifiable information (PII) on faculty and students, encompassing health and financial details. This makes them appealing to financially-driven ransomware groups and fraudsters. Furthermore, the sensitive research managed by numerous universities exposes them to nation-state interest. The head of MI5 cautioned university leaders about this in April 2024.

The threat is real

These are not theoretical hazards. K12 SIX has recorded 1,331 publicly disclosed cyber incidents affecting US school districts since 2016. Additionally, the EU security entity ENISA reported over 300 incidents impacting the sector from July 2023 to June 2024. Many more incidents likely go unreported. Universities are frequently breached by ransomware criminals, resulting in catastrophic repercussions.

Typical adversary tactics, techniques, and procedures (TTPs) seen in the education sector

The methods used to target educational institutions vary depending on the end goal and the threat actor involved. Coordinated operations by state-aligned groups tend to be highly sophisticated, like those attributed to the Iran-aligned Ballistic Bobcat group (also known as APT35 or Mint Sandstorm). In one instance, ESET observed the group employing tactics to bypass security measures, including injecting malicious code into benign processes and splitting its tooling into multiple components to evade detection.

In the United Kingdom, universities identify ransomware as their primary cybersecurity threat, followed by social engineering/phishing and unpatched software vulnerabilities. Meanwhile, in the United States, the Department of Homeland Security states that: “K-12 school districts have faced recurrent ransomware attacks due to limitations in IT funding and resources, as well as ransomware operators’ ability to extort payment from schools facing operational deadlines.”

The expanding attack surface, encompassing personal devices, outdated technology, large user populations, and open networks, makes life easier for malicious actors. Microsoft has even warned of an uptick in fraud linked to QR codes. These campaigns are designed to enable phishing and malware delivery by embedding malicious QR codes in emails, flyers, parking permits, financial aid documents, and other legitimate-looking correspondence.

What steps can educational institutions take to reduce cyber vulnerabilities?

Threat actors may have different motives for targeting schools, colleges, and universities. However, their methods are usually well established, so conventional security controls remain crucial. Prioritize people, process, and technology by following these recommendations:

  • Enforce robust, distinct passwords and implement multi-factor authentication (MFA) to safeguard accounts
  • Maintain good cyber practices through timely updates, regular backups, and data encryption
  • Create and evaluate a sound incident response strategy to mitigate breach consequences
  • Educate faculty, students, and administrators on cybersecurity best practices, including identifying phishing attempts
  • Communicate detailed instructions and a BYOD policy to students, stipulating the security measures expected on their devices
  • Collaborate with a trustworthy cybersecurity provider to safeguard your organization’s resources, data, and intellectual property
  • Contemplate incorporating managed detection and response (MDR) services to monitor suspicious activities round-the-clock, aiding in the identification and containment of threats before they impact your organization

Global educational institutions already contend with multiple challenges, from skills shortages to financial constraints. However, disregarding cybersecurity threats will not make them vanish. Failure to address these threats could lead to severe financial losses and reputational harm, particularly devastating for universities. Ultimately, security incidents impede institutions’ ability to deliver quality education, a matter of concern for us all.
