Back to School Security: Cyber Attacks on Education

It’s back to school season, and students and teachers across the world are hitting the books and heading back to campus. And yet, despite being institutions of learning and growth, the education sector from local school districts to university research facilities is woefully lagging in cyber-maturity. And this security gap makes the sector an easy target for hackers interested in stealing data, blocking systems, and causing mayhem.

In recent years, hackers have targeted entire school districts and dozens of major universities from North American to Europe to Asia. In 2020, the University of California, San Francisco was forced to pay a $1.14 million ransom after its medical school was shut down following a cyberattack. In the midst of a pandemic-induced transition to online learning platforms, educators found themselves locked out of district-wide systems, with hackers having encrypted all network data and stolen sensitive records including staff social security numbers, student grades, and addresses. The hackers and ransomware artists demand extortionate ransoms and threaten to expose the data to potential identity theft and more.

Educational institutions don’t just hold data on classic literature and world geography. They hold the personal address, phone, and even financial or social security data of students, staff, and parents; highly-sensitive scientific research data; digital and connected medical equipment; and online platforms to connect and engage with professors and students. The sector’s data is incredibly valuable – and incredibly vulnerable.

Cybersecurity 101: Access & Identity Basics

Ransomware and other cyber attacks have been increasingly sharply in recent years, affecting all sectors, including education. Even local school districts haven’t been spared from ransomware and other cyber threats, in addition to large international universities. And yet, 84% of sector leaders don’t perceive any cyber threats as high risk!

When it comes to cybersecurity in the education sector, many institutions are starting from scratch with the very basics. According to the recent EDTECH Leadership Survey Report from CoSN, IT leaders in education see cybersecurity and data security at their top tech priority, but less than a quarter of them (23%) have a full-time employee dedicated to IT security.

Securing data and IT infrastructure begins with locking down access. Who has access to what data? Which platforms? Do they need that access? How are user identities being traced and protected? And what’s more, How is data accessed? Are users connecting from within the network or, more likely in the last year, are they connecting remotely? How are these entry points being protected?

The basics of access and identity security begin from the inside, out:

  1. Protect the “crown jewels” – sensitive assets like servers and student data – that require elevated permissions and traceability to access. Enter, privileged access management (PAM), to secure remote and on-site connections, monitor privileged activities, and enforce password security to mitigate risks of privileged credentials and excessive access privileges.
  2. Defend against ransomware, malware, and cryptoviruses circulating and targeting the education sector. Add a layer of endpoint privilege management (EPM) to eliminate the need for local admin rights and defend IT infrastructure and workstations against attacks that leverage exposed privilege escalation to run processes, execute programs, and encrypt data.
  3. Centralize governance of user identities and the applications they access to simplify user experience in an increasingly abundant work of digital platforms and logins. Identity federation, single sign-on (SSO), and multi-factor authentication (MFA) organize user identities, the platforms they access, and the passwords they use to simplify secure access.

Higher Education: Mastering Access Privileges

These building blocks of access security and identity management are the foundation of a robust cybersecurity posture for a sector under siege by bad actors looking to take advantage of the accelerated digital transformation. With those cornerstone solutions in place, educational institutions can advance their security maturity into concepts of Zero Trust, Least Privilege, and beyond.

  • Zero Trust is a framework or approach to cybersecurity which essentially states that no user or access is assumed to be trustworthy by default. It implies that, through security policy that limits access privileges, centralizes and secures credentials and access points, and authenticates identities to ensure users are who they say they are and have the proper authority to be there, organizations can effectively secure their IT infrastructure. In effect, Zero Trust security means that trust is proven and earned, not granted automatically for clearer visibility over network security.
  • The Principle of Least Privilege, or PoLP, is a security concept in which any given user is only granted the strict minimum of access privileges needed at any time. Through this principle, users may request elevated privileges to carry out a task or perform certain duties, but the privilege elevation is limited to a specific resource, for a designated task, and for a specific duration of time. Privileges are granted through a Just-in-Time access security model, and revoked once the need expires. This also enables what is known as Zero Standing Privileges and eliminates the risk of privilege creep.

Both of these advanced security concepts aim to reduce the attack surface, mitigating cybersecurity risks and eliminating excessive entry points, vulnerabilities, and opportunities for exploitation that hackers use to gain access to IT systems.

A New Lesson Plan: Securing the Education Sector

The education sector has been taught a difficult lesson over the past year or so, with the rapid shift to hybrid or distance learning forcing many institutions to transition far more quickly into digital systems than they were prepared for. This has left schools, districts, and universities highly vulnerable to cyber threats from small-time hackers to out-for-cash ransomware.