Blog

When it comes to education sector cybersecurity statistics, knowledge is power: and, with remote work continually on the rise, it has never been more critical to keep a finger on the pulse of both past trends and emerging threats.

In today’s blog, our team covers over 100 education-related cybersecurity stats regarding K - 12 cybercrime, higher education cybercrime, what cyber challenges the industry faces, and the reasons why understanding these percentages is so valuable to IT decision makers.

Let’s jump right in:

Firstly, Why is the Education Sector a Victim of Cyberattacks? What Makes it a Prime Target?

Out of 17 reported-on industries, the education sector ranked as the least secure (with financial and healthcare ranking closely behind.) This was determined by the education sector having, on average:

• The highest vulnerabilities present in application security

• The weakest endpoint security

• The least likely to keep software updated

What is the reason for this? While much of it is attributed to human error, device standardization (which is common across all industries, but significantly more difficult to achieve in an educational setting due to their wide number of part-time, remote, and interned workers) is rarely enforced, meaning that educational device management policies and authentication protocols for connected devices are a weak link.

Another primary reasoning for why education sector cybersecurity is lacking is that employee awareness training is seldom executed on: with human risk accounting for 82% of security breaches in 2024, organizations open themselves to threat actors by not having robust, periodic awareness training in place.

Cybersecurity Concerns That The Education Sector Faces in 2024 and Beyond

Alongside a lack of general security and periodic lapses in employee awareness training, the education sector faces the following cybersecurity concerns:

Regulatory Compliance

Educational institutions across both K - 12 and higher education must rapidly adapt to new technology in order to prop up their digital learning options for students; however, with each addition, new cybersecurity vulnerabilities will inevitably rear their heads.

Across North America, the majority of higher education-related organizations in the United States and Canada must adhere to the following regulations in order to safeguard the privacy, security, and confidentiality of all used and stored data:

• Gramm-Leach-Bliley Act (GLBA)

• Family Educational Rights and Privacy Act (FERPA)

• Federal Information Security Modernization Act of 2014 (FISMA 2014)

• Student Aid Internet Gateway (SAIG) Enrollment Agreement

• Payment Card Industry Data Security Standard (PCI DSS)

• Cybersecurity Maturity Model Certification (CMMC) Program

• Health Insurance Portability and Accountability Act (HIPAA)

• Higher Education Act

Strained Cyber Budgets

The education sector has been the victim of steep budget cuts since 2019. Due to the COVID-19 pandemic, for example, out of the 2.6 million students who started higher education in 2019 across the United States and Canada, 26.1 %, did not return the following this year. Reasoning for this includes, but is not limited to:

• Dissatisfaction with remote learning

• Financial hurdles

• And health concerns relating to COVID-19

Although the height of the COVID-19 pandemic has passed, North American enrollment in both colleges and universities continues to be on the decline, what with a 4.2% drop in enrollment numbers beginning in 2022. During the pandemic alone, the number of undergraduate students diminished by almost 10%.

Due to a decreasing number of students, some institutions may need to shrink budgets; however, not proactively investing in cybersecurity measures (and, in turn, cyber insurance) can inadvertently cost organizations billions in the long-run.

Large Attack Surfaces

The bulk of attack surfaces in the education sector (and primarily across colleges and universities) is, out of necessity, made up of web-facing assets like domains and sub-domains... all of which link to sensitive internal resources that, while valuable for staff and students alike, make them easy targets for compromising.

When a threat actor successfully exploits a vulnerability in one of these web-facing assets, they subsequently get provided access access to the institution's internal network. This, in turn, is what triggers data breaches.

All security flaws are doorways to internal networks... and an extension of attack surfaces. Because so many higher education institutions have numerous domains, this makes the chances of a data breach skyrocket due to it expanding the institution's attack surface.

K - 12 Education Sector Cybersecurity Statistics

Threat actors target all areas of the education sector. This includes K - 12, which the official K - 12 Cyber Incident Map registers as having had:

• 1,619 publicly-disclosed cyber incidents spanning 2016 - 2022, including, but not limited to: unauthorized disclosures, breaches, or hacks; successful ransomware attacks; phishing campaigns; DDoS attacks; and other cyber incidents, all of which resulted in unauthorized disclosures of personal information or disruptions to the impacted schools' processes

• Over 348 reported attacks in 2019 alone, which was nearly 3x as many reported in 2018

• In 2020, this figure increased to 377 reported incidents, which equated to approximately two incidents per school day

• There has been a 30% quarter-over-quarter increase of attacks against K - 12 since the end of 2022

Other studies have shown that:

• 29% of K - 12 school districts have reported being successfully targeted by cybercriminals

•  12% of districts do not currently allocate funds to proactive cybersecurity, meaning that they are left without the valuable cyber insurance that would have helped them regain costs and recover information post-breach

• Global ransomware attacks against both K - 12 and higher education were estimated to cost over $53 billion in downtime between 2018 and 2023

• 6.7 million personal records were breached via ransomware between 2018 - 2023

• Only 33% of education sector staff feel that they have sufficient cybersecurity measures in place

• 29% of districts publicly disclose successful cyberattacks, although the real percentage is estimated to be much higher

• 66% of school districts do not have full-time cybersecurity staff

• The education sector reportedly made up 13% of all security breaches during the first half of 2017, which resulted in 32 million records being compromised by threat actors

Higher Education Sector Cybersecurity Statistics

• Higher education has some of the strictest regulations globally regarding financial information, academic, clinical, and government research, and personal data for students and staff alike; as such, institutions will face fines and sanctions by federal governments if regulatory noncompliance is unearthed

• There has been a 75% increase in cyberattacks year over year in higher education

• Higher education ranks as having the slowest recovery times post-breach, with 40% of higher education organizations needing more than a month to recover, which is twice the global industry-wide average of 20%

• Half of all targeted higher education organizations admitted to paying the requested ransoms in the wake of a successful ransomware attack; however, only 2% reported having their data returned in full (with 61% reporting only partial data recovery)

• Within a one-month period in 2022 alone, higher education institutions in the education sector were the victims of over 6.1 million malware attacks

• 96% of IT decision-makers in the education sector state that their institutions are susceptible to external cyberattacks; 71% state that they are not prepared to recover lost data if an attack is successful

• Approximately 74% of ransomware attacks on colleges and universities have been successful (in direct comparison to 68% that were successful in the business sector, 61% in healthcare, and 57% in the financial sector)

• The average ransomware attack costs educational institutions $2.73 million ($300,000 more than the next highest sector, healthcare) in 2024

• 30% of data breaches in the industry were attributed to ransomware attacks

• Ransomware attacks on North American colleges increased 100% between 2019 and 2020

• Only 11% of surveyed higher education staff members stated that their organizations had increased spending on security awareness training in the wake of a successful cyberattack

• Two-thirds of colleges reported not having implemented email security measures, with 86% having been the victims of botnet targeting

• In 2019, a minimum of 966 government agencies, healthcare organizations, and higher education institutions were compromised in a wide-scale ransomware attack that costed over $7.5 billion collectively

• Research IPs are deemed to be of high value to threat actors, which is partially why higher education is such a targeted sector

• 73% of higher education institutions report feeling unprepared if an attack were to occur

• Human error is the main reason for data breaches in the higher education sector at 52%

• 45% of all universities were observed with at least one asset running a version of PHP past its ideal end-of-life date

• Among the top-ranked 500 universities in the United States alone, an average of 30 domains were utilizing end-of-life PHP, meaning that the software in question had not been updated for a minimum of two years

How Knowing Education Sector Cybersecurity Statistics Helps Allocate Funding. Lower Cyber Insurance Premiums, and More

By understanding the trends and emerging threats that education sector cybersecurity statistics point to, staff and IT decision makers can better advocate for proactive cybersecurity measures.

In 2024 and beyond, proactive cybersecurity measures include, but are not limited to, the following:

• Building Funding Narratives: Funding narratives for the education sector demonstrate the potential threats of not investing (or cutting the budget to) cybersecurity. By providing research-backed statistics, decision makers can influence the prioritization of funding to high-risk security areas that can be the difference between a safeguarded institution and losing up to billions in reputational and financial damages

• Being Eligible for Cyber Insurance: In 2024, more institutions than ever before are being denied cyber insurance. Cyber insurance is a type of insurance product that an entity or business purchases as a contract to help minimize the financial risks associated with online businesses or businesses that leverage technology. The policyholder pays a monthly or quarterly fee while transferring the risk to the insurer; in addition, it is important to note that cyber insurance is a new and emerging industry that grew from US$ 9.73 billion in 2021 to US$ 11.75 billion (approx.) in 2022 alone. Partially due to this influx, cyber insurance companies are reluctant to offer claims or accept insurance proposals from companies for a myriad of reasons, including not having proactively invested in anti-cybercrime measures before a breach has occurred

• Employee Awareness Training: By periodically providing cybersecurity training to employees, organizations can lessen the likelihood of human error resulting in data breaches; this is especially effective as a way to counteract social engineering, which utilizes psychology to create successful phishing campaigns against unsuspecting staff and students alike

• Continuous Penetration Testing: Hailed as one of the best ways to safeguard institutions, Continuous Penetration Testing replicates continuous attacks on your web applications and IT infrastructure. Threat actors regularly target enterprises to uncover and exploit new vulnerabilities. By performing Continuous Penetration Tests, vulnerabilities can be detected and remedied more proactively than point-in-time security assessments, and by leveraging education sector cybersecurity statistics, the importance of periodic pentesting can be emphasized to decision makers

Cybersecurity Solutions For the Education Sector in 2024

In 2024, penetration testing is one of the most valuable ways for education-related organizations to safeguard valuable data and surpass their regulatory compliance commitments.

At Packetlabs, our team's flexible pentesting offerings encapsulate:

• DevSecOps: DevSecOps is integrated early in your development cycle and acts as an extension of your development team to flag vulnerabilities within your existing detected management systems

• Red Teaming: Red Teaming is a full-scope simulated attack designed to get a holistic review of the level of risk and vulnerabilities across people, processes, and tech in an organization

• Purple Teaming: Purple Teaming is our collaborative testing exercise where the Packetlabs red team works with your internal security operations team (or blue team) to bridge the gap between offensive techniques and response efforts

• Cyber Maturity Assessments: A Cyber Maturity Assessment supports the tactical direction of your cybersecurity strategy. As the first step in strengthening your security posture, this assessment generates the roadmap to strengthen your overall security program

• OT Assessments: OT Cybersecurity Assessments simulate the likelihood of an attacker reaching the control centre from an external and internal perspective with production-safe testing

• Ransomware Penetration Testing: A ransomware penetration test evaluates the preparedness and risk of a ransomware attack and identifies gaps in people, processes, and technology, to determine the likelihood and readiness for a ransomware attack

• Cloud Penetration Testing: Multiple perspectives help with strengthening your security posture. These include Cloud Penetration Testing, which simulates an attacker in the environment, and a Cloud Penetration Review, which provides insights into cloud-specific vulnerabilities originating from an insecure configuration. Each of these services can be conducted separately or, for maximum effectiveness, combined as an enhanced cloud security bundle

• Objective-based Penetration Testing: Following a preliminary penetration test, objective-based testing conducts a more advanced simulated cybersecurity attack. The test is conducted by persistent ethical hackers who deploy multiphase attacks to gain access to your organization's data so that you can discover gaps and vulnerabilities unique to your organization and test your ability to detect and respond to threat actor

• Application Security Testing: More targeted in scope than a regular pentest, application security testing uncovers vulnerabilities residing in your web and mobile apps. Application Security Testing actively explores your application from an attacker’s perspective

• Infrastructure Penetration Testing: An infrastructure penetration testing assessment uncovers vulnerabilities in your IT and network systems and provides a tailored approach to each environment

These are in addition to the Packetlabs Portal, which enables teams to quickly view findings, prioritize efforts, request retests after remediation, and monitor progress.

Conclusion

Across North America, the education sector is one of the most valuable to cyberattacks. These alarming percentages are only anticipated to grow in 2024 and beyond.

If you're reading this, your organization is already in the market for a pentest. Contact our team today for your free, zero-obligation quote (or download our Buyer's Guide below to take the next step towards a stronger security posture.)