How vulnerable are schools to cyberattacks? A cybersecurity audit conducted in the UK revealed that 83% of schools had experienced a cybersecurity incident.
Are schools easy to attack? They are, in the sense that all organisations are easy to attack because threat actors now provide their attacks as a service for others to use. A 16-year-old student of an American school used an online service to launch Distributed Denial-of-Service (DDoS) attacks that prevented 170,000 users from accessing the county’s online learning platform. Every school which utilises internet connectivity is now vulnerable to cyberthreats.
Why Are Schools Attacked?
Data, Disruption, and Fraud are the 3 main reasons why schools are attacked.
Data is the 21st century’s equivalent of gold or oil and schools have a lot of it, such as
- Personal and academic information of students
- Personal and financial information of their parents
- Administrative and financial records
These form valuable troves of data that a threat actor can monetise through identity theft or by selling the data on the dark web.
There are different types of cyberattackers and they may wish to disrupt the school’s operations for different reasons
- Internal Attackers – These are often students who may wish to disrupt school activities as a prank or to prevent a specific activity, such as an exam, from occurring
- External Attackers
- Ransom Demands – Attackers who launch ransomware attacks on a school, demanding a ransom to restore access to data
- Cyberwarfare – Nation state sponsored hackers who wish to disrupt a country’s education system and affect the capability of future generations
Digitally-enabled fraud is also possible at schools as they are complex organisations with varied funding requirement and have data that impacts the future of many stakeholders.
- Financial Fraud – Both internal and external attackers may try to obtain funds fraudulently by manipulating invoices and other records
- Academic Fraud – Academic records of students and credentials of staff can be manipulated to affect their professional opportunities , or to harm the reputation of the institution
Are All Security Incidents Cyberattacks?
No. Unauthorised use of the school’s IT assets (e.g., accessing a website that should be blocked) may not involve malicious intent. However, such actions do increase the risk of a cyberattack as the website may drop malware through a drive-by-download that the user is not aware of which may then compromise the entire institution. Therefore such actions should be classified as security incidents and prevented.
What Are the Consequences of a Cyberattack for the School?
A cyberattack will be followed by direct and indirect financial costs.
Direct Financial Costs
These are immediate outflows that can be directly linked to the attack.
- Operating Costs – Modifying invoice value, or similar fraudulent activity, will inflate the school’s overheads
- Capital Expenditure – Misappropriation and underutilisation of assets will result in an increase in capital expenditure to maintain the school’s ability to function at the same level as before the attack
- Opportunity Cost – Expenditure to recover from the effects of a cyberattack prevents allocation of funds towards achieving core objectives, resulting in missed opportunities and affecting institutional growth
Indirect Financial Costs
These are costs that may not be incurred immediately, may not be directly linked to the attack, and may manifest as lost revenue rather than as expenditure.
- Reputation Loss – Manipulation or erasure of records, disruption of activities such as exams, and manipulation of school bus routes can destroy your school’s reputation and lead to severe financial hardship
- Compensation – Paying compensation to affected parties may be required to avoid further loss of reputation
Financial Penalties under the Proposed Personal Data Protection Act
India has proposed a Personal Data Protection Act which imposes strict penalties if personal data is not held securely. The act has been introduced but not passed; it is advisable that schools prepare now to avoid penalties under this or other privacy protecting legislation that may emerge in future.
How Can a School Be Cybersafe?
While threat actors have an arsenal of attacks they can launch against your school, the cyber defences you need to protect your institution against them are not difficult to implement. These include
- Prepare a Cybersecurity Policy – Your school should prepare a cybersecurity policy that lays down roles and responsibilities, standards, permitted use, penalties, and provides for a budget to ensure cybersecurity. This school cybersecurity policy can be used as a starting point to develop a policy for your school. The policy should also be circulated amongst all stakeholders and compliance should be made mandatory
- Enforce Password Hygiene – Passwords should not be easy, reused, or recycled, and should be changed regularly. Password sharing should also be discouraged to prevent internal attackers from using another user’s credentials to launch an attack
- Restrict Access – Access to school IT assets should be granted following the principle of least privilege. Access should be revoked when it is no longer required, and all access privileges should be revoked immediately upon staff or student exit to prevent attackers launching attacks by taking over unused user accounts
- Segment Networks – Creating multiple internal networks for different departments prevents malware or an attacker from moving laterally through your institution’s network. For example, your school’s computer lab and administrative office should operate through different network segments to prevent an attack that originates in one department from spreading to the other
- Implement Endpoint Security – Any computer that connects to your institution’s network can be the source of an attack, therefore every computer on your network should be protected with reliable enterprise security like K7 Endpoint Security. This will provide antivirus and hacker protection for each device and enable centralised control over all devices
- Provide Cybersecurity Training – All users should undergo cybersecurity training to be able to spot cyberattacks. This is particularly important for attacks like phishing, where social engineering is used to attack the user rather than the device and mislead them into overriding security measures
K7 Security’s cybersecurity solutions have been used to protect educational institutions across the world. Our case study on protecting an American high school takes a closer look at how we create safe computing environments in schools. Contact us for more information on how our endpoint and network security products can cybersecure your institution.