Managing Director of Cyber Security Consulting at Verizon.
The education sector’s challenges with cybersecurity started long before the pandemic. Schools, in the very way they’re structured, offer unique opportunities for cybercriminals.
A high turnover of students and teachers, campus culture, valuable research and data collected on campus, and the use of personal technology exacerbated by the pandemic all come together to make a unique landscape differing from other organizations and institutions. It’s pertinent that these factors are taken into account when developing a cybersecurity framework for school districts and universities to better protect themselves from cybercriminals.
Every year, a new crop of students comes in and an existing class of students leaves. Even when they’ve graduated, their data can be tied up in the long term via student loans. But this data transmission and high turnover are not confined to the student body. Like students, each year there are teachers and other faculty that enter and exit the workforce. This represents a massive revolving door of personal identifiable information (PII) data that threat actors can continuously target.
This might sound more nebulous, but another baked-in disadvantage within education, particularly higher education, is culture. Based on my observations from my experience in the cybersecurity industry, higher education is prone to maintain an open, free-flowing stream of information, which manifests in the way students and faculty interact with one another. They tend to be less disciplined about adhering to security protocols, favoring a more casual approach to exchanging information and data protection. Needless to say, this can present a trove of opportunities for probing threat actors.
Some academic institutions conduct research that produces extremely valuable information, including research with government connections, technological innovations and even potential military applications including nuclear research. This kind of data is valuable enough to draw the attention of nation-state threat actors.
This brand of threat actor generally has access to more resources than the run-of-the-mill freelance hacker or organized cybercrime group. They might see an institution of higher learning as an easier way to obtain military research—a sort of back door.
Many universities and institutions receive endowments, collectively totaling hundreds of billions of dollars. At the end of 2020’s fiscal year, the National Center for Education Statistics noted that “the market value of the endowment funds of colleges and universities was $691 billion,” 2% higher than the start of the fiscal year ($675 billion).
With that amount of money floating out there, it’s no surprise that ransomware is one of the prominent patterns utilized against the education sector. A threat actor might hone in on an easier target, like a student, and infect their personal computer. When they return to campus, this could then be used to infect the university network.
At larger universities, threat actors might also target an employee within the finance department or the public relations department, reaching them from the outside world and then using them to spread within the university network. The combination of such high-value data targets, more relaxed standards of cybersecurity and the attention of well-funded actors can be a recipe for incidents and breaches.
As education moves forward and continues utilizing a hybrid model, it’s worth repeating that its unique cybersecurity challenges—high turnover, valuable research and tremendous amounts of valuable data—must be addressed and put into consideration when developing and updating a cybersecurity framework.
Here are a few first steps districts can take to build out a cybersecurity framework:
1. Be proactive. The most simple way to avoid a breach is to train faculty, admin and students—anyone with a login should be taught how to identify and avoid phishing emails and malicious links.
2. Consider the use and implementation of multi-factor authentication.
3. Develop an incident response plan to have in case of an attack. This plan should include steps to contain the attack, recover any lost data and communicate with stakeholders.
Tools and resources are also available to help leaders implement solutions and ultimately help minimize cybersecurity threats. With the right framework, strategy and tools in place, the education sector can better address growing cybersecurity challenges.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Read the full article here