Why Educational Institutions Are Particularly Vulnerable to Cyberattacks — And How to Protect Yourself

By Russ Munisteri, CISSP - Information technology professional, speaker, trainer and academic director

Between 2023 and 2024, the education sector saw a 35 percent increase in cyberattacks. It’s a scary trend, and unfortunately, it’s likely going to continue.

As an IT training school, MyComputerCareer lives at the intersection of education and cybersecurity. It’s part of our mission to improve data safety, and we are concerned that many educational institutions are not prepared to handle cyber attacks. Here’s the truth about why educational institutions are particularly vulnerable, and what they can do to keep themselves safe.

What makes educational institutions easy targets for bad actors

Educational institutions are particularly vulnerable to cyberattacks. One major reason they’re attractive to hackers is the large amount of information educational institutions have access to. If you can access an educational database, you can get personal information, such as Social Security numbers, names, birth dates, credit card numbers, bank account numbers, and a variety of demographic information. However, there’s also a vast amount of non-personal data that’s extremely valuable. Hackers can hunt for funding information, research data, and more.

Another reason is that educational institutions tend to be a bit behind the times when it comes to updates. Typically, they rely on legacy systems and hardware. Their existing infrastructure isn’t prepared to handle advanced attacks, even if it is always patched and updated, which is unlikely. Too many organizations invest money in flashier programs to try to attract students and often neglect their own infrastructure. As long as organizations in higher education are focused on spending elsewhere throughout the school and not on cyber resilience, the education sector will continue to be an easy target for cybercriminals.

Hackers also know that educational institutions are a gold mine. If they get hit with a ransomware attack, educational institutions are more likely than other organizations to pay the hacker’s demands. In fact, the median ransom payment for universities and colleges over the past year was $4.4 million. Most of that money ends up being taxpayer dollars, too, especially if it’s a state institution.

Warning signs for educational institutions

In 2024, the education sector got hit with an average of 3,574 weekly attacks, a rise of over 75% year over year from 2023. These attacks are increasing in number and sophistication. To help avoid these crafty hackers, here are some red flags to be aware of:

• Be wary of vishing calls. Vishing is a phishing attack over voice, such as a phone call or video call. Calls don’t give you much time to think through what’s happening. Sometimes being put on the spot can make people give away information they otherwise wouldn’t have.

• Avoid smishing. Similarly, SMS phishing — or smishing, for short — is another tactic. Clicking on a smishing link in a text message can install malicious software on your device. About 75% of organizations experienced smishing attacks in 2023.

• Be suspicious of emails. People used to be able to identify phishing emails from their numerous spelling errors, poor grammar, and tacky-sounding content. No more — phishing emails are becoming increasingly slick, especially with the help of generative AI. Emails can sound very natural, and AI can help hackers write convincing content.

• Keep an eye out for unauthorized logins. Especially with more remote students, educational institutions can have people logging into systems from many locations at many times. However, if you notice a sudden surge in logins or if a student notices a login that wasn’t theirs, that’s a sign that something may be compromised.
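The last warning sign above, a surge in logins or a login a user did not make, is one an institution can check for in its own authentication logs. The script below is an added example, not code from the article or from MyComputerCareer: it parses a constructed, simplified login log (timestamp, user, result, source IP, country), builds a per-user profile of known countries from a baseline period, and then flags logins from a country the user has never signed in from, 10-minute windows with an unusual number of logins, and a single source address signing in as many different accounts. The log format, thresholds and sample lines are assumptions made for this illustration.

```python
"""Detect the login warning signs described in the article.

Added example; not code from the article or MyComputerCareer. The log
format, sample lines, baseline cut-off and thresholds are constructed
assumptions for this illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "timestamp user result ip country"
SAMPLE_LOG = """\
2024-09-02T08:01:10 alice success 10.0.0.21 US
2024-09-02T08:03:42 bob success 10.0.0.22 US
2024-09-02T08:05:05 alice success 10.0.0.21 US
2024-09-02T08:40:00 carol success 198.51.100.7 US
2024-09-02T09:10:00 bob success 10.0.0.22 US
2024-09-02T09:29:50 dave failure 203.0.113.9 RO
2024-09-02T09:30:00 alice success 203.0.113.9 RO
2024-09-02T09:30:04 bob success 203.0.113.9 RO
2024-09-02T09:30:09 carol success 203.0.113.9 RO
2024-09-02T09:30:15 dave success 203.0.113.9 RO
2024-09-02T09:30:20 erin success 203.0.113.9 RO
2024-09-02T09:30:25 frank success 203.0.113.9 RO
"""

# Logins before this time are treated as the "normal" baseline (assumption).
BASELINE_END = datetime(2024, 9, 2, 9, 0)


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "ip": ip, "country": country})
    return events


def build_profiles(events, baseline_end):
    """Map each user to the countries they logged in from during the baseline."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_end and e["result"] == "success":
            known[e["user"]].add(e["country"])
    return dict(known)


def find_new_location_logins(events, known):
    """Successful logins from a country not in the user's profile
    (users with no profile at all are flagged as well)."""
    return [(e["user"], e["country"], e["ip"]) for e in events
            if e["result"] == "success"
            and e["country"] not in known.get(e["user"], set())]


def find_login_surges(events, window_minutes=10, threshold=4):
    """Fixed windows whose successful-login count reaches the threshold."""
    buckets = Counter()
    for e in events:
        if e["result"] != "success":
            continue
        t = e["ts"]
        start = t.replace(minute=(t.minute // window_minutes) * window_minutes,
                          second=0, microsecond=0)
        buckets[start] += 1
    return sorted((b, n) for b, n in buckets.items() if n >= threshold)


def find_shared_source_ips(events, min_users=3):
    """Source IPs used to sign in as at least min_users distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            users_by_ip[e["ip"]].add(e["user"])
    return sorted((ip, len(u)) for ip, u in users_by_ip.items()
                  if len(u) >= min_users)


def run_checks(text=SAMPLE_LOG, baseline_end=BASELINE_END):
    """Run all three checks and return their findings together."""
    events = parse_log(text)
    known = build_profiles(events, baseline_end)
    return {
        "known": known,
        "new_locations": find_new_location_logins(events, known),
        "surges": [(b.isoformat(), n) for b, n in find_login_surges(events)],
        "shared_ips": find_shared_source_ips(events),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(name, finding)
```

In a real deployment the baseline would come from weeks of history rather than one morning, and the country lookup from a GeoIP source, but the logic is the same: a login that does not match the account's own history, or a burst of logins that does not match the institution's normal rhythm, is worth a second look, and both are easy to surface before anyone has to rely on a student noticing.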

Best practices to keep your educational institution safe

To help keep your educational institution secure, here are some best practices we recommend:

• Use multi-factor authentication. This provides layers of security to protect data.

• Follow the NIST Cybersecurity Framework. The National Institute of Standards and Technology has a great framework for keeping your networks safe. Checking your organization’s structure against NIST can help you make sure you have the major security components in place.

• Endpoint protection. With students and employees in many different locations, endpoint protection is especially important in the education industry.

• Regular patching updates. It’s not glamorous, but patching bugs and regularly updating your software is one of the easiest ways to prevent attacks. After all, an ounce of prevention is worth a pound of cure.

• Trust no one. Invest in identity management and zero-trust architecture to keep your institution safe, and always rely on the principle of least privilege when it comes to giving access.

• Have a disaster recovery plan. If a data breach does occur, you’ll need a backup plan. Data breaches already leave your organization in chaos — and it will be even worse if you don’t have a plan in place.

• Train all employees. Security education and cybersecurity awareness are for everyone. All members of the institution are part of the IT team.

• Keep documentation updated. Keep it current, accessible, and encrypted.

“I always tell people this: Make sure that documentation is written on a fifth-grade level,” advised Russ Munisteri, CISSP, Director of Education at MyComputerCareer. “When a cyberattack happens, the first thing people tend to do is panic. The last thing you want is somebody who’s already stressed to be reading technical jargon documentation. That’s not going to work. You want documentation to be simple and step-by-step. I also recommend having backups. You’ll need multiple copies of backups on different types of media. You should store them in multiple places — cloud, off-site, whatever your educational institution policy dictates. It’s important, because without documentation, it’s a free-for-all.”
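The backup advice in the quote above (multiple copies, on different types of media, stored in multiple places) is a rule that can be checked automatically rather than trusted. The script below is an added example, not code from the article or from MyComputerCareer: it takes a source file and a list of backup copies, each labelled with its media type and storage location, verifies that every copy still matches the source by SHA-256, and reports whether the intact copies meet minimum counts for copies, media types and locations. The manifest layout, the labels and the minimums are assumptions for this illustration; the demo writes its copies to a temporary directory and corrupts one of them to show what a failed check looks like.

```python
"""Verify a backup set against the 'multiple copies, multiple media,
multiple places' rule and check each copy's integrity.

Added example; not code from the article or MyComputerCareer. The copy
manifest format, media/location labels and minimums are assumptions.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup_set(source, copies, min_copies=3, min_media=2, min_locations=2):
    """copies: list of {"path", "media", "location"} dicts.

    Returns a list of finding strings; an empty list means the set passes.
    Only copies that exist and hash-match the source count toward the
    minimums, so a silently corrupted copy cannot satisfy the rule."""
    findings = []
    expected = sha256_of(source)
    intact = []
    for c in copies:
        if os.path.exists(c["path"]) and sha256_of(c["path"]) == expected:
            intact.append(c)
        else:
            findings.append(f"copy at {c['path']} ({c['media']}, {c['location']}) "
                            "is missing or does not match the source")
    if len(intact) < min_copies:
        findings.append(f"only {len(intact)} intact copies (minimum {min_copies})")
    media = {c["media"] for c in intact}
    if len(media) < min_media:
        findings.append(f"only {len(media)} media types (minimum {min_media})")
    locations = {c["location"] for c in intact}
    if len(locations) < min_locations:
        findings.append(f"only {len(locations)} locations (minimum {min_locations})")
    return findings


def demo():
    """Build a three-copy backup set in a temp dir, check it, then corrupt
    one copy and check again. Returns (findings_before, findings_after)."""
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "runbook.md")
        with open(source, "w") as f:
            f.write("# Incident runbook (constructed sample)\n1. Stay calm.\n")
        # Assumed plan: one on-site disk copy, one off-site USB, one cloud copy.
        plan = [("disk", "on-site"), ("usb", "off-site"), ("cloud", "cloud")]
        copies = []
        for i, (media, location) in enumerate(plan):
            dest = os.path.join(work, f"copy{i}", "runbook.md")
            os.makedirs(os.path.dirname(dest))
            shutil.copyfile(source, dest)
            copies.append({"path": dest, "media": media, "location": location})
        before = verify_backup_set(source, copies)
        # Simulate bit rot or tampering on the USB copy.
        with open(copies[1]["path"], "ab") as f:
            f.write(b"garbage")
        after = verify_backup_set(source, copies)
        return before, after
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    before, after = demo()
    print("healthy set:", before or "OK")
    print("after corrupting one copy:", after)
```

Run on a schedule against the real manifest, the check turns the quoted advice into something an institution can be alerted on: a copy that no longer matches, or a set that has quietly shrunk to one medium in one place, shows up long before an incident forces anyone to find out the hard way.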

To learn more cybersecurity tips, you can visit Russ Munisteri’s website.

__________________________________

Author: An information technology professional, speaker, trainer and academic director, Russ Munisteri, CISSP, is committed to fostering positive interpersonal and intercultural communication within the classroom and IT business environments. Russ is the director of education at MyComputerCareer, an accredited online and in-campus technical college.

