As invisible threats to education loom, cybersecurity is paramount

The complexities that come with protecting education from cybersecurity threats are vast, and implementing policies comes with challenges

Key points:

As COVID-19 swept the nation beginning in 2019, no one knew just how life-altering the pivot to remote work and education would be. Today, we see more and more students and employees alike who are relying on technology to engage with their work and peers than ever before. As with holidays and other unanticipated events, this pivot drew in some of the biggest minds in security who worked to eliminate cybersecurity challenges stemming from this change – but it also drew in hackers.

Shoring up cybersecurity practices in the education industry is quite the feat. User authorization is extremely challenging, as IT professionals must navigate through different levels of access for each user community. This creates even higher risks because networks must be open to employees, students, and others – an issue most businesses don’t need to manage.

Another major cybersecurity challenge we see frequently with education is outdated technology. Like healthcare, we see devices that need to connect to the network — but the old software poses risks, such as a lack of updated security protocols. This creates vulnerabilities that are ideal for threat actors, many of which are looking for an easy fix they can exploit. Media devices that can be connected to computers–thumb drives, external hard drives, CDs, DVDs–also pose a challenge to MSPs/MSSPs providing cybersecurity to their clients.

As frequently as we see these attacks in the news, not much is changing in terms of recovery time or preparation. As the number of breaches rise, the Government Accountability Office (GAO) found that recovery from these attacks ranges from two to nine months. As educational professionals and MSPs battle singular hackers, sophisticated foreign governments, and crime syndicates to protect employee and student data, it begs the question: What can really be done with this information?

Upon gaining access to critical data, cybercriminals can leverage this sensitive information for an array of attacks, such as: 

  • Phishing scams: Using a fraudulent solicitation over email or website.  
  • Ransomware attacks: Malicious software that blocks access to computer or data systems with a fee to restore access.   
  • Distributed Denial of Service (DDoS): Overwhelms websites, servers, and computers with massive and ongoing attacks to prevent authorized users from accessing networks and system.   
  • Zoom bombing: Perpetrators disrupt video conferences with pornographic or hate/threating language.   

The financial breakdown

The complexities that come with protecting schools and their stakeholders from threats are vast, and implementing cyber policies comes with additional challenges.

Readiness and Emergency Management for Schools (REMS) advises schools and school districts that things like filtering and blocking applications – such as firewalls, encryption, and anti-virus/anti-malware systems – are an important part of that equation. 

However, one of the biggest barriers to this is money. It’s no secret that schools don’t have the means to incorporate major cybersecurity changes into their budget, especially not on a recurring basis. K-12 respondents to the Nationwide Cybersecurity Review (NCSR) reported a lack of money as their top challenge, with nearly one-fifth of schools investing less than one percent of their overall IT budget on cybersecurity. 

That said, the cost of a cyber breach is also hefty. Between recovery time and navigating stolen data, schools may end up spending the same amount in their journey to recovering from an attack as they would to prevent them. As the average cost of a data breach in the U.S. hit $9.4 million in 2022, according to IBM, administrators need to leverage security solutions to minimize their exposure. This means that MSPs need to advise and offer more robust and sustainable cyber defenses to protect these institutions. 

Lesson planning: How to minimize the threat

Planning is a big part of a successful cybersecurity program. With infrastructure being a major concern for IT teams and administrators – especially with an array of devices and operating systems. Universities have huge networks that make it easier for hackers to exploit. Last year, a ransomware group targeted Florida International University with its 48,000 students and swiped personal information that exposed accounting documents, social security numbers, and other sensitive data.

It’s also crucial to understand what is at stake. Schools don’t only have access to academic records. Things like medical records or other sensitive personal information could quickly be accessed and used by threat actors in a matter of minutes. In fact, a class action lawsuit has been filed over an alleged UC San Diego data breach in 2021 in which hackers gained access to 500,000 employee email accounts revealing lab results, diagnoses, and medical records. The lawsuit also names the Regents of the University of California, demonstrating the scope of liability for poor cybersecurity standards. 

All of these risks help to clarify just what’s at stake if cybersecurity isn’t made a priority in the education industry. This is a prime time for MSPs to help leaders in the education space to implement a strong cybersecurity strategy. Opportunities to limit the data employees can access is a good start. Encouraging strong cyber hygiene and offering phishing training would also help from a user perspective. Most of all, however, is modernizing network security with backup systems and integrated protection. 

Education suffers the highest rate of ransomware attacks
If zero trust is good enough for the government, it’s good enough for your school

eSchool Media Contributors