Institutions urged to add cyber education to syllabus

The education sector has become a prime target for cyber-attacks, with the UK’s National Cyber Security Centre (NCSC) becoming the latest to issue a warning to universities about the many threats posed to their networks.

A lack of protections typically implemented on systems, coupled with an ever-changing student base, are among the main reasons as to why education institutions have found themselves ill-prepared to defend against attackers, with phishing often the main tactic used by criminals and state-sponsored actors in exfiltrating valuable data.

According to the report published last week by the NCSC, intellectual property and financial gain are the main factors that have turned universities into a gold mine for attackers looking for ready access to commercially-sensitive information. Often, however, a security incident may be wrongly attributed to a cybersecurity student looking to show off their newly acquired skills.

“Many university networks contain a collection of smaller, private networks, providing close-knit services for faculties, laboratories and other functions,” the report explains.

“The freedom this offers is balanced by the challenge it presents to protecting the data and information within.”

Ivory towers under attack

A fluid security policy, constant monitoring, and continued cyber education are some of the ways higher education organizations can mitigate risks associated with their institutions. In the case of state-sponsored actors, universities ought to be aware about collaboration with commercial partners and educational institutions overseas, as well, since this may present an easier way to infiltrate a network.

“When maintained with minimal central oversight or adherence to security policy, private networks are likely more vulnerable to persistent infection or unauthorised access,” the NCSC said.

“However, this same segregation offers an opportunity to separate high-value or sensitive data and information, and apply a higher level of protection, without impacting the openness of the wider network.”

Least privilege

Cyber safety awareness remains an overriding necessity in improving the current environment, with education falling behind in its willingness to train staff when compared to other sectors in the UK, possibly due to financial pressures and tight budgets, suggests Matt Lock, technical director at data security firm Varonis.

“Funding is one factor, but so is managing data in a collaborative academic environment in which information must be shared, turnover is steady, and attackers have countless tools and tricks up their sleeves to compromise systems,” Lock said.

“Some universities will struggle to change outdated systems, gain control of digital files that are everywhere and open to everyone, and update information access to a least-privilege model,” he added.

Money’s too tight

A 2019 Cyber Security Breaches Survey by the UK’s Department for Digital, Culture, Media and Sport (DCMS) speaks to this theme, finding that senior management in education are 42% likely to commit to staff training, whereas those heading finance organizations are 56% inclined.

That being said, the same report found that the education sector in the UK, on average, had invested £7,220 ($8,967) in cybersecurity over the last financial year, citing the EU’s General Data Protection Regulation (GDPR) as a key driver for building up cybersecurity budgets.

Over in the US, education institutions of all levels have been caught up in the ransomware resurgence that has spread throughout the country since the beginning of the year – a 365% increase from Q2 2018 to Q2 2019, according to researchers at Malwarebytes.

The reason is simply because they make easy targets, says Wendy Zamora of Malwarebytes Labs, who detected adware (43%), trojans (25%), and backdoors (3%) as the three most common threats facing the education sector during the 2018-2019 school year.

“Schools should be limiting access to devices and the school network on an as-needed basis, especially access to sensitive student information,” Zamora told The Daily Swig.

“Personally identifiable information should be stored in separate databases protected with end-to-end encryption and multi-factor authentication.

“Finally, schools should be using password-protected devices and platforms as much as possible, and install remote wiping capabilities on school-assigned devices,” she added.

While things sound grim, this year’s Cost of a Data Breach report from the Ponemon Institute found that the education sector had seen a significant decrease (15.6%) in financial losses for compromised records, when compared to more affluent industries such as research, pharmaceuticals, and technology.

However, the average total cost of a data breach was $3.92 million – or $150 per compromised record – across industry, with educational institutions placing just above the standard with a $4.77 million overall impact and $142 cost per record, respectively.

“It’s not just the job of the IT guy to protect students’ data,” Zamora said, adding how schools needed to practice cyber safety as they would a fire drill.

“It could prevent any further damage from occurring if a student does receive malspam or ransomware attempts an attack.”

YOU MAY ALSO LIKE Back to school: How universities can learn from the Iran cyber-attack