- How cybercriminals are targeting schools
- Why are educational institutions such attractive targets for hackers?
- The long-term consequences of cyberattacks on schools
- The impact on students
- What can schools do to prevent cyberattacks?
Educational institutions have become increasingly reliant on technology to facilitate learning, manage administrative tasks, and store sensitive data. However, this growing dependence on digital systems has also exposed schools and universities to a new breed of threat: cyberattacks. In recent years, the education sector has witnessed an alarming surge in cyber incidents, with hackers targeting institutions of all sizes, from small rural districts to large urban school systems. The consequences of these attacks can be devastating, including the loss of valuable data and financial resources and the compromise of student and staff privacy.
The escalating frequency and severity of cyberattacks on educational institutions are a cause for grave concern. According to cybersecurity firm Emsisoft, the number of US school districts targeted by hackers has more than doubled year-on-year, from 45 in 2022 to 108 in 2023. This staggering increase highlights the urgent need for schools and universities to prioritise cybersecurity measures and develop robust strategies to protect their digital assets and the personal information of their students and employees. In this article, we will take a closer look at the current state of cybersecurity in the education sector, exploring the various types of attacks, their potential impact on educational institutions, and the steps that can be taken to enhance the sector’s cybersecurity.
“In 2023, 29 per cent of attacks originated from the exploitation of system vulnerabilities, while 30 per cent were attributed to phishing campaigns”.
Cyber Threat Intelligence Report, Critical Start
How cybercriminals are targeting schools
Cybercriminals employ various tactics to infiltrate the networks of educational institutions, with vulnerability exploitation and phishing being the most common methods. In 2023, 29 per cent of attacks originated from system vulnerabilities being exploited, while a further 30 per cent were attributed to phishing campaigns. These malicious actors often target high-profile individuals within the education sector, using social engineering techniques to steal login credentials and gain unauthorised access to sensitive data. Ransomware attacks, in which hackers encrypt a private organisation’s data and demand payment for its release, have also become a pervasive threat, affecting 79 per cent of higher education providers and 80 per cent of lower education providers.
In February 2023, Minneapolis Public Schools fell victim to one of the most severe cyberattacks ever recorded in the education sector. Hackers not only stole district data—including files containing identifiable information about children—but also demanded a ransom payment for its return. When district officials refused to comply, the attackers released the data online, exposing sensitive information such as Social Security numbers, school security details, and records of sexual assaults and psychiatric holds. This breach serves as a stark reminder of the far-reaching and life-altering consequences of cyberattacks, as well as the importance of implementing robust security measures to safeguard the privacy and wellbeing of students and staff.
Why are educational institutions such attractive targets for hackers?
As educational institutions amass vast amounts of sensitive data, such as personal information of staff and students, intellectual property, and cutting-edge research, they become prime targets for cybercriminals seeking to steal valuable assets or hold them at ransom. The misconception that schools only store students’ grades is far from reality, as they collect and retain a wide array of sensitive information, including allergies, disciplinary records, household income, and even court orders. Doug Levin, director of the K12 Security Information eXchange, a nonprofit dedicated to protecting school districts from cybersecurity risks, likens educators to “pack rats”, accumulating extensive data over time and often failing to delete it once it’s served its purpose.
Surprisingly, many cybercriminals consider the identity information of children to be more valuable than that of adults. While it may seem counterintuitive, given their lack of financial resources, the theft of a child’s identity can have far-reaching and long-lasting consequences. The relative lack of credit monitoring for minors allows fraudsters to operate undetected for years, opening fraudulent accounts, amassing debt, and even applying for loans under the guise of the unsuspecting child. This prolonged window of opportunity makes the exploitation of children’s identities a highly profitable endeavour for cybercriminals.
The complexity of educational institutions’ digital infrastructure, which encompasses students, faculty, university networks, research facilities, and more, presents a broad attack surface with numerous potential vulnerabilities for attackers to exploit. The rapid adoption of online learning platforms has only served to expand this surface, introducing new vulnerabilities in the form of additional infrastructure, software, and access points. As a result, schools find themselves grappling with an ever-increasing number of potential entry points for malicious actors, each representing a unique challenge in terms of security and risk management.
The education sector’s slow adoption of modern cybersecurity solutions is exacerbating the issue even further, with inadequate funding often to blame. This lack of resources leads to outdated technology being used and insufficient investment in cyber protection measures. According to cybersecurity expert Brett Callow, many school districts still lack basic prevention protocols. However, the tight budgets of educational institutions make it challenging for leaders to justify spending on cyber safety, especially when such expenditures may not be politically popular. Moreover, schools often lack the expertise to effectively allocate their limited funds to address cybersecurity concerns.
“The cumulative global cost of ransomware attacks on schools, measured solely in terms of downtime, has skyrocketed to over $53 billion between 2018 and 2023”.
Comparitech
The long-term consequences of cyberattacks on schools
The consequences of cyberattacks on schools and universities extend far beyond the initial disruption, often leading to numerous financial, operational, and reputational repercussions that linger long after the initial breach. The monetary costs alone can be devastating, forcing schools to reckon with a barrage of expenses related to investigating the incident, implementing remedial measures, providing support services to affected individuals, and potentially defending against legal action. The cumulative global cost of ransomware attacks on schools, measured solely in terms of downtime, has skyrocketed to over $53 billion as of 2023, according to a recent report published by tech research website Comparitech.
The impact of these attacks on the day-to-day functioning of schools cannot be overstated. The disruption to teaching and learning activities, administrative processes, and extracurricular programs can be severe, with some institutions requiring weeks or even months to recover fully. The toll on productivity and the interruption of critical services can have far-reaching effects on the entire educational community. Moreover, the loss of sensitive data, including the personal information of students and staff, can leave individuals vulnerable to identity theft, financial fraud, and other forms of exploitation.
Beyond the immediate financial and operational challenges, cyberattacks can also inflict lasting damage to a school’s reputation and credibility. The erosion of trust among students, parents, and the wider community can have profound consequences, potentially leading to decreased enrollment, loss of funding, and difficulty attracting and retaining top talent. Schools may also find themselves subject to regulatory scrutiny and potential penalties for failing to adequately safeguard sensitive information, adding to the already substantial burden of recovery.
In extreme cases, the aftermath of a cyberattack can be downright catastrophic, as illustrated by the closure of Lincoln College in Illinois following a devastating ransomware incident in December 2021. The institution, already grappling with the financial challenges posed by the pandemic, ultimately succumbed to the combined pressures and closed its doors for good in May 2022, highlighting the existential threat that cyber threats can pose to educational establishments.
The impact on students
The impact of cyberattacks on educational institutions extends beyond the schools themselves, often casting a long shadow over the lives of the students whose sensitive information is compromised. The theft of student records can have a haunting effect, resurfacing years later at pivotal moments in an individual’s life, such as during the college admissions process, job interviews, or even in the courtroom. Information that should have been sealed or erased, like a past struggle with substance abuse or disciplinary infractions, can take on a profoundly harmful second life if exposed, with the potential to sway opinions and alter outcomes.
The depth and breadth of data collected on students, ranging from their living situations and family dynamics to their eligibility for free meals, can exponentially increase their vulnerability in the event of a breach. The more pieces of the puzzle that are available, the easier it becomes for malicious actors to exploit that information for their own gain. Moreover, the exposure of sensitive or embarrassing details can subject students to stigma, discrimination, and social isolation, with long-lasting effects on their mental health and wellbeing. In the wake of the Minneapolis breach, for example, some students whose sexual assault records were made public experienced doxxing and bullying from their peers. The disproportionate impact of data breaches on students from marginalised communities also cannot be overlooked. Black and brown students, who already face higher rates of disciplinary action, may find themselves at even greater risk when their information is compromised. The over-representation of these students in disciplinary databases means they are more likely to have their personal details exposed, compounding the challenges they already face.
The consequences of identity theft resulting from a data breach can be far-reaching for students, with victims potentially facing years of financial and legal turmoil as they attempt to reclaim their stolen identities. The emotional toll of this privacy violation can be immense, manifesting as anxiety, stress, and a pervasive sense of vulnerability. This psychological burden can take a heavy toll on academic performance and overall wellbeing as students grapple with the knowledge that their most intimate and sensitive personal information has been laid bare for all to see. The erosion of trust between students and their educational institutions is another casualty of these cyberattacks. When schools fail to safeguard the personal information entrusted to them, students may grow wary of sharing any details about their lives, erecting barriers that can hinder their academic and personal growth. This breakdown in trust can ripple outward, affecting families who may question the school’s commitment to their children’s safety and privacy.
What can schools do to prevent cyberattacks?
In the face of escalating cyber threats, educational institutions must adopt a proactive and multi-faceted approach to safeguarding sensitive student data and preserving the trust of their communities. The key to ensuring uninterrupted learning lies in fostering a culture of cybersecurity awareness that permeates every level of the organisation, from the classroom to the administrative offices. At the core of this cultural shift lie three essential practices: the use of complex passwords, the implementation of multifactor authentication, and the diligent maintenance of up-to-date software. While these measures may seem simple, their collective impact on an institution’s defensive posture cannot be overstated. By encouraging the adoption of these practices across the board, schools can erect a formidable barrier against potential intruders.
However, technology alone cannot combat the ever-evolving landscape of cyber threats. It is crucial to invest in comprehensive training programmes that empower every member of the educational community to become a vigilant guardian of digital security. From teachers and staff to students themselves, everyone must be equipped with the knowledge and skills to identify and respond to potential risks, such as phishing emails or suspicious online activity. Cultivating a culture of cybersecurity requires a fundamental shift in mindset, one that recognises the shared responsibility of every individual in protecting the institution’s digital assets. It demands a willingness to challenge long-held assumptions and embrace new ways of thinking and working in the digital age. Only by weaving cybersecurity into the very fabric of the organisation can schools hope to mount an effective defence against the relentless onslaught of cyber attacks.
In addition to cultural change, schools must also fortify their technological defences by investing in robust network security measures, such as firewalls, intrusion detection systems, and antivirus software. Securing all devices used by students and staff, from library computers to personal tablets, is equally critical in preventing potential breaches. For smaller institutions with limited resources, partnering with specialised IT security firms can provide access to cutting-edge defences and expertise, levelling the playing field in the face of increasingly sophisticated threats. Moreover, regular external audits serve as an invaluable tool in identifying and addressing vulnerabilities within an institution’s digital infrastructure. By subjecting their systems to rigorous scrutiny, schools can pinpoint weaknesses and take proactive steps to bolster their defences, ensuring that they remain resilient in the face of ever-evolving threats.
Closing thoughts
In conclusion, the escalating frequency and severity of cyberattacks on educational institutions pose a grave threat to the security and wellbeing of students, staff, and the broader academic community. As schools and universities continue to amass vast amounts of sensitive data, they have become prime targets for cybercriminals seeking to exploit vulnerabilities in their digital infrastructure. The consequences of these attacks can be devastating, ranging from the theft of personal information and financial resources to the erosion of trust and the disruption of critical educational services.
To combat this growing menace, educational institutions must adopt a proactive and multi-faceted approach to cybersecurity. This requires a fundamental shift in mindset that recognises the shared responsibility of every member of the educational community in safeguarding digital assets. By fostering a culture of cybersecurity awareness, investing in robust technological defences, and regularly auditing their systems for vulnerabilities, schools can mount an effective defence against the relentless onslaught of cyber threats.
However, the road ahead is not without challenges. The rapid evolution of cyber threats, coupled with the resource constraints many educational institutions face, means that the battle for digital security will be ongoing. It is only through sustained effort, collaboration, and an unwavering commitment to protecting the privacy and wellbeing of students and staff that schools can hope to prevail in this critical fight.
