Cyberattacks against government institutions and for-profit companies attract loads of eyeballs. But attacks against educational institutions – and the subject of cybersecurity for schools – are often ignored. This is problematic because schools and universities are equally vulnerable to cyberattacks. Such attacks have serious implications for the institutions themselves, and their employees, researchers, academics and students.
Since 2005, U.S. educational institutions have experienced over 1,300 data breaches exposing almost 25 million records. But the problem of cyberattacks in education is not limited to the U.S. alone. Canadian institutions have also been the victims of such attacks.
In 2016, the University of Calgary paid a $20,000 ransom following a ransomware attack that caused mass disruption. Many government agencies discourage making ransomware payments, but Calgary ignored the advice because it wanted to quickly recover its world-class research.
In 2017, MacEwan University was the target of a clever phishing scam and ended up losing nearly $11.8 million. In the same year, the Canadian Internet Registration Authority (CIRA) found that Canadian school boards experienced an average of 50 attempted malware and ransomware attacks per week.
More recently, in January 2021, one of Canada’s biggest public school boards was hit by a malware attack that paralyzed many databases, files, and systems, as well as its website and many online user-facing applications.
Why Attackers Target Educational Institutions
Threat actors target colleges and universities because they’re treasure troves of valuable student data, research data, and proprietary information. Research data, in particular, supports a lot of real-world scientific and commercial innovation. This data is invaluable to cyberattackers, rogue nation-states, and even terrorist organizations due to the value of the research itself and because it can garner big bucks on underground black markets. That’s why in 2020, the average cost of a data breach in education was a staggering $3.9 million.
Ransomware and Phishing in the Educational Sector
In 2019, over 1,000 U.S. schools were hit by ransomware. The average ransom demand was $115,123. In 2020, this demand more than doubled to $312,493. In Canada, the University of Calgary is not an isolated case, but rather an indicator of a broader ransomware problem. Phishing is also an ongoing threat, more so because 90% of top universities cannot protect their students, faculty, and data from such attacks.
Schools are also vulnerable to data breaches. In 2021, ransomware gangs stole a large quantity of data from 1,200 U.S. schools, including minor students’ names, dates of birth, and social security numbers.
Why Canada Should Care About Cybersecurity for Schools
Although many studies about cybersecurity for schools focus on U.S. institutions, Canadian schools should also be cognizant of the problem, because such attacks could also happen to them.
Many Canadian universities produce valuable research data.
They collect and manage personal data whose loss can make the individuals concerned vulnerable to cyber extortion and identity theft.
The shift to remote learning and the adoption of cloud-based learning and communications tools make Canadian schools and universities highly vulnerable to cyberattacks. Other risks stem from careless users and from outdated technology. Poor communication between researchers and information security teams also creates cybersecurity gaps and increases the risk of cyberattacks.
Cyberattacks can impact the operations of educational institutions, and prevent users from accessing critical learning and financial systems. Data breaches can also erode trust in them, hinder research funding and cause reputational damage, financial losses, and compliance problems.
Best Practices to Strengthen Cybersecurity for Schools
To start with, educational institutions should stop thinking of cybersecurity for schools as a “nice to have”.
They should also implement robust security tools and practices, such as:
Intrusion Detection Systems (IDS)
Endpoint Detection and Response (EDR) systems
Firewalls, antivirus and antimalware
Regular software patches
Multifactor Authentication (MFA), and Single Sign-on (SSO)
They must also perform regular compliance audits, deploy strong data protection controls, and educate users on cybersecurity hygiene practices. Lastly, they should adopt a proactive stance to cybersecurity with penetration testing, which is one of the most effective ways to win the cybersecurity fight against the bad guys.