The subject of cybersecurity within the education sector is a key topic at the moment, particularly with the rise in reported ransomware incidences and data breaches.
The National Cyber Security Centre (NCSC), tasked with providing cybersecurity advice and support to the UK public and private sectors, has released a report on The cyber threat to Universities, in which it states that Universities are being targeted by cybercriminals, due to the amount of personal and research data, intellectual property and other assets that have significant value.
Partnering the London Grid for Learning (LGFL), the NCSC has also published the results of an audit into Cybersecurity Maturity in Schools, which shows the current state of cybersecurity in schools across the UK, looking to “improve the UK’s education cybersecurity against growing and sophisticated threats” moving forwards. Key points include:
- Nearly all schools (97%) said losing IT services would cause considerable disruption, and 83% had experienced at least one cybersecurity incident over the last year
- Worryingly less than half of schools (49%) were confident they are adequately prepared in the event of a cyberattack, and only one third of schools give cyber security training to non-ICT staff.
The UK Government Education & Skill Funding Agency have advised Academies (publicly funded independent schools) in a Fraud Risk Notification that they “are aware of a significant increase in incidents of cybercrime against academy trusts in the past year” and these trusts “should address potential weaknesses to reduce further risks”
Why education is an attractive target for cybercriminals
Schools and universities have a large number of stakeholders (students, staff, etc.) who come with Personally Identifiably Information (PII), which when leveraged properly, can be valuable.
Back in April 2019, JISC conducted a pen-test exercise in which they successfully phished every single university they targeted. Within two hours, and in some cases one hour, they were able to reach student and staff personal information, override financial systems and access research databases.
Universities need to be on the lookout for state-backed threats looking to obtain research otherwise unavailable to them. Last year, an Iranian campaign to steal login credentials from Western universities was brought to light. The scam played on the old technique of setting up fake login pages to man-in-the-middle the victims’ credentials for academic repositories.
Schools also run the risk of fines and other punitive action if they have not considered “specific protection” of their children’s data under the GDPR
Education email addresses are very valuable
Most email systems have anti-spam to filter out junk email. However if an email looks to come from a legitimate educational establishment this can improve the chances of the email being delivered.
Parents are more likely to open emails coming from their child’s school, such as fraudulent emails sent to parents of pupils from the William Brookes School in Shropshire when their school email system was hacked
As well as conducting basic spam campaigns, these email addresses can be used for more targeted campaigns, such as a recent attack on cryptocurrency exchange company Coinbase. In this highly targeted, thought out attack, fraudulent emails purporting to be from a Research Grants Administrator at the University of Cambridge were used, along with spear phishing/social engineering tactics and two Firefox zero-day vulnerabilities.
Lax security posture
The education sector often does not have the necessary resources to practice good security hygiene. The combination of numerous operating systems and applications, staff and students, locations, departments and connections mean there are often vulnerabilities, misconfigured systems or accounts with simple passwords.
Attackers are likely to succeed because they exploit the open and outward facing nature of academic institutions. “Using publicly available sources such websites and directories, it is straightforward to identify who to target, how to reach them, and to establish a credible story with which to approach them,” said the NCSC.
A BBC investigation has revealed that two thirds of UK universities have been hacked over the past four years.
Ransomware is rampant and proving to work
In the UK Learn Sheffield and South Yorkshire Police issued an advisory for schools across the region following ransomware attacks that successfully encrypted school networks.
The South West region has been particularly hard hit, where schools in Plympton and Bridport have had GCSE and A-Level exam coursework permanently encrypted with “no chance of recovering the documents”
This is rapidly following the trend in the UK where dozens of school districts and colleges have been hit with ransomware attacks culminating with ransomware attackers demanding $2 million from NYC Monroe College.
How Panda Security assists education clients
Panda Security solutions are ideal for education
- Centralised cloud-based management portal – Provides complete visibility of all endpoints and eases management with alerts and reporting.
- Simplified deployment – Multiple deployment options, automatic uninstallation of common security solutions, single point Windows network discovery and installation.
- Lightweight footprint & bandwidth usage – Does not slow devices, with cloud-based detection, and single endpoint agent providing optimised offline protection.
- Compatibility with legacy OS – including Windows XP, to run on all devices across your network
- Complete portfolio – Endpoint Protection and Endpoint Detection & Response solutions with dedicated Advanced Reporting, Data Control, Encryption and Patch Management modules.
- All our solutions are offered at highly competitive education rates
We have a number of case studies on our website and you can read what our global education clients say about Panda Security on Gartner Peer Insights which helped us achieve Customers’ Choice (Jan 2019)