School systems and higher education campuses are a popular and fast-growing target for hackers. From 2005 to 2018 there were 840 reported breaches at educational institutions. Schools are an irresistible mark for attack. They store abundant data on students, alumni, and faculty. Colleges and universities also possess research data and intellectual property.
Adults’ personally identifiable information (PII) is highly marketable for thieves, but children’s PII is even more coveted. Identity theft perpetrated on children is hard to detect. (Fraud doesn’t show up on nonexistent bank accounts, and kids aren’t exactly pulling their credit scores to get car or home loans.) As a result, children’s data is 51 times more likely to be stolen than adults’ data. And schools are rich in children’s data.
Educational institutions are often caught flat-footed in the event of a security incursion. Schools lack the funding for adequate systems maintenance and privacy compliance. Many institutions do not employ designated compliance staff to help with FERPA and PPRA. According to Netwrix’s 2018 IT Risks Report, only 61% of institutions consider themselves ready for an unexpected compliance check.
Let’s explore the areas where schools are most vulnerable.
The same external attacks that plague healthcare organizations, retail businesses, and individuals also arrive at schools, hoping to access or ransom precious data with an assist from ill-trained employees and students. Phishing messages appear in the inboxes of .edu address holders asking for W-2s during tax time or requesting wire transfers of school funds for seemingly legitimate reasons. Attackers may pose as district or university IT managers and request usernames and passwords for critical systems. A student may unwittingly open an attachment that allows a hacker to access their device in a university research facility.
The Monroe-Woodbury Central School District in New York recently suffered a ransomware attack that delayed the start of its 2019/2020 school year by two days. District officials took all systems offline to verify their integrity and begin the restoration process. While they are confident in the quality of their backups, the delay in starting school was highly disruptive. And with systems offline for up to several weeks, thousands upon thousands of pages of forms and educational materials will need to be printed to keep the schools in “business.”
In the face of external threats, schools must continually educate their staff and students about risks and risk reporting. They should also complete a risk assessment and regular vulnerability testing.
Sometimes students outsmart their teachers…and their schools. Schools, especially colleges and universities, are susceptible to attack from their own students. With motives ranging from a simple prank to delaying exams or student payment processing, students have attacked their own schools’ networks many times.
Most famously, from 2014 to 2016, Rutgers University experienced a series of DDoS attacks perpetrated by one of its students. Paras Jha, a young computer science student, co-authored and released a botnet malware strain that crashed Rutgers’ websites and interrupted Internet and Wi-Fi connections all over campus. He timed his attacks to delay class registration and exams, and just for the pleasure of the chaos he created. The university was ill-prepared to handle the attacks and spun its wheels (and spent its millions) attempting to prevent further disruption.
As schools modernize and move away from textbooks, pencils, and paper, more and more districts are investing in one-to-one technology initiatives for their students. Parents are thrilled to see a Chromebook in the hands of every middle and high school student. Teachers are invigorated by the open educational resources movement that leaves behind outdated textbooks. And students love their new electronics.
But the increase in mobile computing also represents an outsized attack surface for cyber criminals. There are many more devices that could be hacked through either phishing or password attacks, and many more devices that will be lost or stolen (because: kids). Anytime a school system undertakes an increase in devices, it must also invest in methods of protection that include user training, system protection, and remote data clearing capabilities.
Intellectual Property Theft
Open collaboration and the sharing of new ideas are the cornerstone of quality education. However, many schools have invested significant sums of money in their intellectual properties and would like to protect them from theft. Intellectual property at educational organizations may include teaching plans, research data, unpublished scholarly papers, doctoral theses, patents, presentations, and more. While this type of information may not be your average hacker’s top target, it does hold value and should be considered in any information security risk assessment.
As with every vertical, technology alone will not bring an end to all risks to educational institutions. Schools need to take the time to add a definition of their risk to their business plans. They must allocate funds to both communicate secure practices to their staff and students and implement the cyber secure practices that they can afford.
Asylas is available to help with school and school system security needs. Email us at firstname.lastname@example.org or call 615-622-4591.