Education is a prime target for cyber attacks along with sectors such as finance and healthcare. Globally, education is continuing to see increases in cyber attacks against the sector. Check Point Research (CPR) found a 75% increase in cyber attacks against education establishments in 2021, placing it in the top spot in terms of the number of cyber attacks compared to other industry sectors.
Education is a favoured target of cybercriminals because it has certain aspects that make it vulnerable. For example, educational establishments may not have the luxury of a dedicated security team. Other factors include a dynamic user base and policies such as “Bring Your Own Device” (BYOD), where students and staff use mobile devices to log in to the network and cloud apps.
As cyber attacks continue to wreak havoc on this vulnerable sector, cyber security training for the education sector becomes a vital weapon against these attacks.
Type of Cyber-Threats to Education Establishments
The Ponemon Institute and IBM explored the impact of security breaches within the education sector in a recent report. The researchers found that 48% of breaches in the sector were from malicious attacks that took up to 212 days for the breach to be identified and contained. The malicious attacks focused on data, including exam results, with 43% in the sector reporting that student data was the target.
Some staggering figures have come out of UK Government research. The following percentage of educational establishments were a victim of a cyber attack in 2020-2021:
- 36% of primary schools
- 58% of secondary schools
- 75% of universities
Like many other sectors, the human element is central to the success of a cyber attack. Research from Stanford University has found that 88% of security breaches begin with a human being, such as an employee.
The following types of cyber-threats target educational establishments, and because they all have human beings at the core of the attack, Security Awareness Training can help prevent them:
Phishing
Phishing emails, voice phishing (Vishing), and spear-phishing (targeted phishing attacks) are a favourite amongst cybercriminals because they work well. Research from Symantec found that 96% of data breaches begin with a phishing email. Schools, colleges, and universities are all at risk from phishing. A 2021 report from Netwrix found that 60% of educational institutions had experienced a phishing attack.
Ransomware
Ransomware is no longer just about encrypting data and demanding a ransom to decrypt it. Now, the data is typically stolen and used as leverage to put pressure to pay the ransom and/or sold on to other cybercriminals.
The National Cyber Security Centre (NCSC) has issued a number of warnings in the last year about increased ransomware attacks against the education sector. Phishing is amongst the three most common methods used to infect education networks with ransomware. Other methods exploit poor authentication and vulnerabilities in software.
Data Breaches and Accidental Exposure
Data breaches are expensive for schools, colleges, and universities: a report on the cost of a data breach from IBM and Ponemon found that the industry average cost was $141 (£107) per breached record. However, this figure rose to $200 (£153) in the education sector.
Accidental data leaks also result in costs and downtime: the Netwrix report discovered that almost all educational institutions need days or weeks to discover an accidental data leak. And, around a third of these took weeks to recover from an accidental data leak.
Social Engineering
Social engineering often brings together many elements of a complex scam. Phishing is a typical method used to steal login credentials, but increasingly, fraudsters are also using other methods, including social media and phone calls, to find out information about a target person and/or educational establishment.
Insecure Home Learning Environments
Covid-19 and remote learning highlighted the need for good security in a home environment. But remote working often means that security goes out of the window as members of the same household share devices and Wi-Fi connections.
How Can Cyber Security Training Help Prevent Cyber Attacks on Schools, Colleges, and Universities?
As research has shown, data exposure is often a consequence of human factors. This includes both individuals having a lack of knowledge about security and cybercriminals manipulating human behaviour.
Security Awareness Training fills the gap in understanding what security is about and gives people the tools to prevent cyber attacks from happening. Security Awareness Training for the education sector is most successful when the Security Awareness Training program is tailored to the sector. Education has some unique challenges, and each type of education establishment, from primary schools to universities has its own unique environment and structure.
Enterprise Security Awareness Training must cover many types of roles within a company; roles such as accounts payable and HR being targeted for specific types of cyber attacks, for example, Business Email Compromise (BEC).
Educational establishments also have many of the same roles as an enterprise, however, universities, for example, also must train students as well as staff. Designing a training program that covers all these different types of people and roles is achievable with a role-based approach to security training. But it must be able to also reach remote users too. Training programs that are delivered using Software as a Service (SaaS) are ideal for the distributed nature of modern education.
Five Key Elements of Cyber Security Training for Education
The five main elements to look for when choosing a program that fits an educational establishment’s unique needs are, the program must be:
- Designed to work across a wide range of individuals from staff to students
- Can be tailored to reflect the types of cyber attack types that affect the education sector
- Can be delivered using SaaS to all, including remote workers and students
- Incorporates fun and interactive training modules that keep the attention of all types of learners
- Can generate reports and evidence to help with regulatory compliance, including UK GDPR.
Cybercriminals have no morals and attacking the education sector shows how low they will go. However, the unique profile of the education sector means that the delivery of security awareness must be tailored to those needs. When choosing a Security Awareness Training program, ensure the solution can meet the five key elements above.
