The educational system and many of its elements are targets for cybercriminals on a regular basis. While education is a fundamental human right recognized by the United Nations, the financial means of many schools and other entities in the global educational system are often limited.
These limited budgets often result in weak or less-than-adequate protection against cyberthreats. Unfortunately, organizations in this industry are forced to economize and cut the costs of security.
Schools by nature have a lot of personal data on record—not only about their students, but in most cases, they also have records of the parents, legal guardians, and other caretakers of the children they educate. And the nature of the data—grades, health information, and social security numbers, for example—makes it extremely valuable for phishing and other social engineering attacks.
Ransomware can also have a devastating effect on educational institutions, as some of the information, such as grades, may not be recorded anywhere else. If it is destroyed or held for ransom without the availability of backups, the results can be disastrous.
Organizations in the education industry have some special circumstances to deal with when trying to protect their data and networks:
The sensitive nature of the data and having an open platform for students at the same time creates a difficult situation for many educational institutions. After all, it is easy to kick in a door that is already half open—especially if there is a wealth of personally identifiable information (PII) behind it.
An analysis in December 2018 by SecurityScorecard ranked education as the worst in cybersecurity of 17 major industries. According to the study, the main areas of cybersecurity weaknesses in education are application security, endpoint security, patching cadence, and network security.
In our 2019 State of Malware report, we found education to be consistently in the top 10 industries targeted by cybercriminals. Looking only at Trojans and more sophisticated ransomware attacks, schools were even higher on the list, ranking as number one and number two, respectively.
So, it shouldn’t come as a surprise that according to a 2016 study entitled The Rising Face of Cyber Crime: Ransomware, 13 percent of education organizations fall victim to ransomware attacks.
Like many other organizations, educational institutions are under attack by the most active malware families, such as Emotet, TrickBot, and Ryuk, which wreaked havoc on organizations for the better part of the 2018–2019 school year.
Last May, the Coventry school district in Ohio had to send home its 2,000 students and close its doors for the duration of one day. The cause was probably a TrickBot infection, but the FBI is still busy with an ongoing investigation.
In February 2019, the Sylvan Union School District in California discovered a malware attack that made staff and teachers lose their connection to cloud-based data, networks, and educational platforms. Reportedly, they had to spend US$475,700 to clean up their networks.
On May 13, 2019, attackers infected the computer network of Oklahoma City Public Schools with ransomware, forcing the school district to shut down its network.
But it’s not just malware that educational institutions need to worry about. Scott County Schools in Kentucky paid out US$3.7 million to a phishing scam that posed as one of their vendors.
Unfortunately, that’s money many school districts, especially those in impoverished communities, cannot afford to pay out. So what can they do to get ahead of malware attacks before valuable data and funding fly out the bus window?
Given the complex situation and sensitive data most educational organizations have to deal with, there are a host of measures that should be taken to lower the risk of a costly incident. Recognizing that many schools must divert public funding to core curriculum, our recommendations represent a baseline level of protection districts should strive toward with limited resources.
In fact, all of these measures will cost money and we realize that will need to come out of a tight budget. But funding, or the lack thereof, cannot be an excuse for weak security. Cybercrime is one of the biggest chunks of the modern economy. And guess who’s paying for most of that? Those who didn’t invest enough in security.
What a strange paradox that one of the best weapons against cybercrime is education, but that organizations in education have the biggest problems with security. We at Malwarebytes, with the help of educational leaders, aim to change that.
Stay safe, everyone!
The post Compromising vital infrastructure: problems in education security continue appeared first on Malwarebytes Labs.