3 million records a year are stolen in the educational sector – and that number is growing
The education sector is significantly lagging behind when it comes to cybersecurity. Cybercriminals know that schools have limited resources, but mounds of financial and personal data that are easily accessible. According to ED Guards’ Education Industry Cyber Incidents Report for 2018, 3 million records on average are stolen per year in the educational sector. And the number is growing.
In July, the U.S. Department of Education revealed that 62 colleges and universities were hacked by cybercriminals who gained access to student information via malicious requests on the internet, with reports claiming at least 600 fake or fraudulent student accounts were created in a 24-hour period and used for criminal activity almost immediately.
Hackers also recently took down Monroe College’s website and demanded $2 million USD in Bitcoin to restore the site according to the New York Daily News.
Strained resources are making it difficult for colleges, universities, and K-12 schools to defend themselves against cyberattacks, especially as they become increasingly more complex and targeted. According to an analyst from Education Dive, this lack of resources is contributing to an upward trend in cyberattacks on educational institutions.
What else is contributing?
IT shortages – Most schools have small IT teams, who are not only responsible for protecting hundreds to thousands of devices, but whose time is taken up solving daily issues around improving internet connectivity, distributing devices, and repairing them. Little to no time is left for managing cybersecurity issues. Also battling budget constraints, the teams remain small and less equipped than typical businesses or government agencies to deal with major cyberthreats.
Endless entry points – Widespread internet use by faculty, students, staff, and visitors across the school network adds many points of vulnerability. School and university public Wi-Fi networks create another avenue for attack, along with uniform email accounts with predictable handles that make it easy for cybercriminals to send mass phishing emails targeting students and faculty.
Insufficient funding – It’s common knowledge that the education sector is often strapped for cash. With underpaid staff and underfunded programs, it can be difficult or nearly impossible to secure additional budget for a proactive security strategy.
For Operations Director Ted Burrows from Harrap ICT (pictured), an IT service provider for K-12 schools across the United Kingdom, staying within school budgets is a top challenge. He recently shared his educational security strategies for managing 400 schools with Avast Business.
“With threats like crypto-ransomware and phishing emails targeting schools, we need the ability to monitor, detect, and stop threats before any damage can be done,” he explains. “Our focus has always been finding the best value for the education sector without sacrificing protection, and we work hard to research and test solutions." Read more about Harrap ICT here.
Valuable data
Cybercriminals don’t discriminate when it comes to choosing an educational organization to target. K-12 school data is just as valuable as a university’s. Young children’s Social Security numbers are highly valued on the cybercrime black market, along with financial information and intellectual property found on a college network.
Criminals can sell any of this information on the darknet, use it for identity theft and credit card fraud, or hold it for ransom to obtain money.
Vulnerable software
All types of software can potentially lead to vulnerabilities within school systems. The newest teaching tools, accounting software, and grading applications require timely patching when new versions are released. School IT administrators struggle to keep up with testing and approving every update and patch while also handling daily technical issues on a small budget.
5 tips for protecting educational institutions from cybercrime
- Educate faculty, students, and staff – First, it's important to set a security policy. The policy should include password, email, internet, acceptable use policies and more. Depending on technology and processes, the policy’s purpose is to set rules and procedures for everyone on the campus to follow while utilizing school Wi-Fi and devices. Once finalized, publish the security policy to several easy-to-access locations and send it out to new users as an introductory step in setting up devices or accounts. It’s vital to keep your faculty and staff educated and aware by holding monthly or bi-monthly trainings during workdays to brush up on detecting phishing emails and learn about new threats.
- Layered security – Schools, colleges, universities, and other institutions need a trusted antivirus that learns and updates as new threats are realized. Then it’s important to build layers of security, such as anti-malware, firewalls, secure gateways, patching software, and more to build a strong defense. The layered cybersecurity approach is a safe way to protect data and devices in an always-changing environment. If one layer is compromised, such as a firewall, additional layers are in place to ensure your data is safe and untouched.
- Keep software patched – Schools use countless applications and servers with vulnerabilities that allow cybercriminals to easily gain access to the network. Staying on top of patching by using a patch management system ensures your institution is protected.
- Back up your network data – If cybercriminals gain access to your data and threaten to encrypt or destroy it, having a backup and recovery strategy is essential. Using automated backup and recovery software ensures that your data is kept safe and is accessible from anywhere.
- Monitor your network – Ensure visibility across your entire network. Being able to locate where vulnerabilities exist and remediate them remotely saves IT teams time, while saving the network from widespread damage.
Deploying a managed antivirus solution to provide an aerial view of the entire network or unpatched endpoints can automate tasks for busy education IT teams. With hundreds and sometimes thousands of computers and devices, it can be hard to track down a specific issue. According to Harrap ICT’s Ted Burrows, Avast Business CloudCare has allowed his team to monitor their school systems much more closely than ever before.
“Monitoring is a key aspect of IT service management, as well as having visibility into the IT infrastructure. We needed a comprehensive security solution that included instant notifications, up-to-date virus definitions, and a view into every school network we manage. We found all of that in CloudCare and more,” Ted adds.
Want to know more about cybersecurity for schools? Contact an Avast Business cybersecurity specialist today.