Edmodo is a social platform that is used across 190 countries by teachers, parents, and students. In 2017, the personal data of 77 million individual users of the platform was stolen. This personal data soon made its way onto the Dark Web for sale to cybercriminals.
The education sector is no stranger to cyber attacks. In 2017, around 13% of cybersecurity incidents happened in educational establishments. Education is a people-centric industry which relies on Cloud or other online services. According to UK Government research, 77% of educational establishments hold personal data including that of minors, and 77% use external web hosting/Cloud services – so exposing data to the outside world.
Being custodians of personal data, the education sector is understandably concerned about its safety. Further research by YouGov and Sophos has found that 34% of educational establishments place data loss as their greatest cybersecurity concern.
Hitting Where it Hurts: The Types of Cyber-attacks On Education
The education sector experiences the same types of attacks as general business. Three of the most common attacks on the education sector are all ‘big hitters’ that are used to steal data, cause damage, and/or extort money:
- Distributed Denial of Service (DDoS): This attack type is meant to wreak havoc on resources. For example, it may lead to a website going down or Cloud applications being adversely impacted. It can also be a ruse to send IT staff on a wild goose chase, trying to resolve the DDoS attack, whilst all along the cyber-attacker is exfiltrating personal data. In the first 6 months of 2018, Jisc found that 225 FE Colleges in the UK were victims of a DDoS attack.
- Ransomware: Ransomware encrypts your files, then tells you to pay a ransom to get them back. The massive WannaCry ransomware attack of 2017, which made the headlines when the NHS was adversely affected by it, also impacted many educational establishments. One example was Durham Sixth Form Centre, which was infected with ransomware during exam time, causing havoc.
- Phishing: The cybercriminal’s “go to” tool is phishing. Phishing is a modern-day scam: tricking you into opening a malicious attachment or clicking on a spoofed link. A new report by Symantec has found that most malware infections begin with a phishing email, or rather a spear phishing email, which targets a specific victim and is harder to spot. The phishing email will either contain an attachment that can infect your computer with software that steals data and/or login credentials, or take you to a site that steals the same.
These most common of threats have severe consequences for any business, but educational establishments can least afford to deal with the aftermath; the education sector also recognises that it has a cyber-skills shortfall, as found in research by the UK Government’s DDCMS in the “Cyber Security Breaches Survey 2018”. There is now a perfect storm: cyber-attacks are increasing while the resources to cope are lacking.
Tips to prevent cybercrime hurting education
In the words of Baden-Powell, schools need to “Be Prepared”. Here are our top tips to help offset the lack of resources and keep your education environment cyber-safe. Some basic cybersecurity action items could help prevent your school becoming a victim:
Tip #1: Know your enemy
The human factor is exploited by cybercriminals to achieve malware infection and credential theft. Prevention through knowledge is the best way to take the human weak point out of the cybersecurity equation. Security awareness training teaches all members of staff how cybercrime affects an organisation and how it is committed. In addition, security awareness training can be used alongside phishing simulations. These simulations engage all employees in exercises that train them to spot the signs that an email is a phishing message. This is a vital part of ensuring that cybercrime does not get past the first gate: your people. The previously mentioned YouGov/Sophos report found that 47% of teachers felt that dedicated cybersecurity training would give them more confidence in protecting student data.
Tip #2: Keep up to date
Malware usually works by exploiting a flaw in some software, such as a browser. Prevent it from working by ensuring that your browser and other software are up to date and that updates and patches are applied promptly.
Tip #3: Be Cloud-security aware
More and more educational establishments are using Cloud applications as teaching aids and to reach a wider audience. Cloud security measures need to be in place to ensure that not only security but also the privacy of personal data is upheld. Make sure your Cloud provider has robust security in place and ticks the boxes of the General Data Protection Regulation (GDPR) where required. Always choose a provider that puts security first.
Tip #4: Control access
Many phishing scams depend on only a single factor being used to log in to a website or application. Wherever possible, use a second factor to control access. So, for example, as well as having a username and password (single factor), add the need to provide another factor to log in. Second-factor options typically include a code generated by a mobile application, an SMS text code, a choice of x characters from a passphrase or sometimes a biometric.
Another access control tip for sensitive data is to only give access on a need-to-know basis. This is known as “privileged access” and, along with using a second factor, it is a key part of having a best practice policy on access control.
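To make the two pieces of Tip #4 concrete, here is an added example (not code from the article) of a login check that requires both a password and a code from a mobile authenticator app, plus a need-to-know table that decides which roles may read which categories of personal data. The authenticator code is a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), so it matches what Google Authenticator-style apps produce; the user record, role names and data categories are hypothetical, and the TOTP secret is the RFC 6238 test-vector secret so the codes can be checked against the RFC.

```python
"""Second-factor login and need-to-know access checks.
Added example, not from the article: a minimal user store with salted
PBKDF2 password hashes, an RFC 6238 TOTP check as the second factor,
and a per-role need-to-know table for sensitive data."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step with HMAC-SHA1."""
    counter = struct.pack(">Q", timestamp // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record (hypothetical staff account); salt is generated per user.
_SALT = secrets.token_bytes(16)
USERS = {
    "j.smith": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
        "role": "teacher",
    },
}

# Need-to-know table (hypothetical): which roles may read which data category.
NEED_TO_KNOW = {
    "class_register": {"teacher", "admin"},
    "safeguarding_records": {"safeguarding_lead"},
    "payroll": {"finance"},
}


def login(username: str, password: str, code: str, now: int) -> bool:
    """Succeeds only if the password AND the authenticator code are correct.
    Both factors are evaluated so a failure does not reveal which one was wrong."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))
    # Accept the current step and the previous one to tolerate small clock drift.
    code_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now - drift), code)
        for drift in (0, 30)
    )
    return pw_ok and code_ok


def can_access(username: str, resource: str) -> bool:
    """Need-to-know: deny unless the user's role is listed for that resource."""
    user = USERS.get(username)
    return user is not None and user["role"] in NEED_TO_KNOW.get(resource, set())


if __name__ == "__main__":
    t = 1111111109  # RFC 6238 test time; expected 6-digit code is 081804
    code = totp(USERS["j.smith"]["totp_secret"], t)
    print("login with both factors:", login("j.smith", "correct horse battery staple", code, t))
    print("login with password only:", login("j.smith", "correct horse battery staple", "000000", t))
    print("teacher reads class register:", can_access("j.smith", "class_register"))
    print("teacher reads safeguarding records:", can_access("j.smith", "safeguarding_records"))
```

The point the example makes is that a phished password alone no longer opens the account, and that even an authenticated teacher is refused data outside their role. A real deployment would add rate limiting on code attempts and remember each used TOTP step so a code cannot be replayed within its window.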
Tip #5: Don’t forget mobile
Schools are increasingly embracing the Bring Your Own Device (BYOD) movement, but mobile malware continues to be an issue: Symantec found a 54% increase in mobile malware variants. Ensure that your cybersecurity efforts extend to the use of mobile devices, including iPads. This should include controlling where apps are downloaded from and having robust access control to mobile apps.
Cybersecurity, an Education
Education, like all other sectors, is fighting a battle against cybercrime. As the sector opens the school gates to a hyperconnected future, the risks to data and the wider IT infrastructure increase. Understanding where these risks lie is part of the concerted effort the sector has to make to stay cyber-safe. Being cyber-aware and using security awareness training and simulated phishing campaigns can go a long way towards educating your wider employee base about the risks and how to avoid a cybersecurity incident.