May 23, 2022  |  Lynn Schear

Making Cybersecurity a Priority for Education

You’ve likely seen news stories on data breaches occurring in hospitals, banks and retailers. Or perhaps you’ve received an alert from a company where you’ve made a purchase or received a service. Cybersecurity is a concern in any industry that involves gathering and storing valuable information. As more organizations conduct operations digitally, cybersecurity is important for keeping information secure.

Despite the education sector facing its own slew of challenges, such as lack of staffing and funding resources, cyberattacks still happen and the number of attacks is growing every year. More than 1,000 educational institutions suffered ransomware attacks in 2019 alone, and that number has only increased as many schools shifted to online learning during the pandemic. The sector also continues to expand its use of technology for administrative needs and student learning, increasing opportunities for attacks.

According to CBC, ABC13 and GAO.gov, schools that have been hit by a ransomware attack may end up paying a significant fee to restore their data – like the University of Calgary, which paid CA$20,000 in bitcoin after an attack that also affected multiple U.S. computer networks and caused an estimated $30 million in damage, or the 10,000+ student school district in Texas that paid nearly $207,000 when attackers locked critical software systems. In an example of a phishing scam, a Kentucky school district received a fraudulent email that looked to be from a legitimate vendor and mistakenly paid a $3.7 million invoice to the attackers.

Why education is a prime target for cybercriminals

Similar to healthcare, educational institutions vary in size, scope and location. It’s not a one-size-fits-all cybersecurity approach. A cybercriminal’s motive for attacking a college or university won’t necessarily be applicable to an elementary school.

Some of the reasons cyberattacks occur in the education sector include:

• Data theft: Schools house student and staff data, including sensitive information like names and addresses, Social Security numbers, disability and disciplinary information, grades and performance evaluations. Attackers can sell this information to a third party or use it for bargaining to extort money.
• DDoS attack: This type of attack is a distributed denial of service. An attacker’s motive is to cause widespread disruption to an institution’s network, affecting productivity.
• Financial gain: Typically, attacks for financial gain are targeted toward private schools and universities with a large number of students. Since a lot of fees and tuition can be paid online, cybercriminals will try to hack those large sums of money during transfer.
• Espionage: This type of cyberattack involves hacking valuable intellectual property, in order to steal scientific, engineering and medical research.

Schools store a great deal of personal information and valuable research data. They are often vulnerable to attacks due to more limited budgets and lack of IT staff. According to a CoSN study, only a fifth (21%) of districts have a full-time employee dedicated to network security. Because educational institutions provide valuable resources to their communities, attackers know they can’t afford to shut down and may be more likely to pay a ransom.

How is education targeted?

Based on the Verizon 2021 Data Breach Investigations Report, external attacks pose a greater risk, making up 80% of breaches, than internal threats of misuse or human error by students or staff. The majority of reported ransomware attack victims during the 2020 school year were K-12 schools.

There are several ways that hackers and cybercriminals attack schools, but among the top methods are:

• Phishing, which involves emails that look to be from reputable senders and try to trick individuals into revealing personal information.
• Ransomware/malware, distributed through emails, compromised websites and infected file downloads.
• Lack of awareness, causing people to mistakenly give attackers access or leave information vulnerable to being stolen.
• People using their own personal devices, which may not be secure.
• Lack of awareness or adherence to policy.

Tips for securing school networks

According to Education Week, school districts may serve thousands of students and work with hundreds of technology vendors. Such a wide-reaching network can be difficult to manage and secure.

In some schools, cybersecurity is a job responsibility for one or more staff members. Other schools choose to outsource management to another organization that has expertise in cybersecurity. Either way, districts will need more funding to keep their networks secure.

With so many cybersecurity challenges currently and potentially facing the education market, it’s important to ramp up security efforts and IT teams now more than ever. Here are some areas of focus:

• Awareness: Sharing information about cybersecurity and the prevalence and consequences of cyberattacks with staff, students and school families is an important first step.
• Training: A more formal training program is a valuable way to reduce vulnerabilities and minimize human errors. According to a CoSN study, across K-12 schools, the most frequently used methods for improving cybersecurity are IT staff training (65%) and end-user training (63%). Surprisingly, 30% of districts don’t require any cybersecurity training for their teachers, administrators, or staff.
• Authentication, including secure logins, dual-factor authentication: Security best practices make a difference. Most districts (55%) use off-site backups and 54% encourage staff to upgrade their passwords. Increasing the number of characters in a password from eight to twelve characters significantly increases the time required to crack a password.
• Insurance: The majority (62%) of districts purchase cybersecurity insurance. Cybersecurity experts recommend having insurance as a best practice.

Cybersecurity continues to be a top priority – and a major concern – for school districts and IT leaders. Marketers who can provide solutions to the issue of cybersecurity have an opportunity to help. School districts are looking for ways to increase their security efforts through education, training, insurance and technology. To connect with key decision-makers, tap into the MCH education database and identify relevant institutions and IT contacts that would benefit from your products and services.

If you missed our previous education blogs, check out part 1, part 2 and part 3 of understanding the K-12 district sales cycle.