Expertise Beyond the Numbers

Top 5 IT Risks for School Systems

Information security breaches involving large, public industries dominate many of today’s biggest headlines. In just the past few years alone, well known organizations like Target, Sony, Home Depot, and Equifax were the victims of very public and very damaging security breaches. As large companies like these continue to repair their public image and improve their security, cybersecurity criminals are moving on, and beginning to search for new, even more vulnerable targets to attack. One of the most popular, fastest growing, and susceptible targets for attackers are educational institutions.

In 2017 alone, school systems were attacked more times than any other industry; more than health care, social media, and retail. Despite this, other industries all received more national media coverage than the school systems. From 2005 to 2017, there were 811 breaches at schools systems throughout the United States that potentially disclosed more than 25 million personal records of faculty, students, and donors. These staggering numbers only represent a fraction of the picture. The more than 800 breaches are just the ones formally reported. There are likely hundreds more that have gone unreported, or worse, undetected.

For many hackers, school systems are a treasure trove of valuable and ransomable information. Schools and universities house extensive personal data on faculty, students, and alumni, the type of information cybercriminals dream of capturing. There’s also the added threat, when it comes to research universities, of having sensitive research and intellectual property stolen – the likes of which can be worth millions. With tens of thousands of schools and universities across the United States, there is no shortage of targets for hackers to go after.

As school systems increasingly become the target of cyberattacks, we review the top 5 areas of risk:

  1. Malicious External and Internal Cybersecurity Attacks
    External – According to the 2017 Symantec Internet Security Threat Report, although the number of total breaches in 2015 and 2016 were similar in volume, the number of identities exposed resulting from those attacks almost doubled from 564 million in 2016, to 1.1 billion in 2017. External cybersecurity attacks surface in a variety of ways. An employee or student clicking a malicious hyperlink containing a virus can provide a cybercriminal access to unprotected connections to the Internet. A user opening an attachment sent by a hacker provides them direct access to the user’s terminal. It is important for school systems to understand and consider the potential risk of being attacked by an external entity. One way schools can protect themselves from the external threat is by performing a risk analysis and conducting periodic vulnerability testing.
    Internal – Students are increasingly involved in attacking schools, typically their own, that are not adequately protected. In 2016, a student used a simple mobile app to perform a Distributed Denial of Service (DDOS) attack against their school. A DDOS attack involves targeting the servers that are used to provide a service, and flooding them with requests in order to overwhelm the processing power of the machine. These attacks effectively slow the servers to a crawl. While a majority of these attacks are students trying to delay their online standardized testing or other obligations, DDOS attacks can also have serious implications. In 2015, a student hacker repeatedly ground Internet traffic to a halt at Rutgers University through a series of DDOS attacks. Rutgers University was unable to process financial payments online across the campus throughout the duration of the attacks. Only after the attacks were finished, Rutgers spent $3 million dollars in order to upgrade their systems. To fill in their security gaps, the university was forced to raise student tuition to afford the required security to protect them from further attacks. This could have all been avoided if Rutgers invested proactively and upgraded their network security when they should have. A DDOS attack costs approximately $40,000 per hour to combat, and with many attacks lasting longer than 24 hours, purchasing DDOS protection can be a lifesaver for many educational institutions.
  2. Social Engineering and Phishing Attacks
    Social engineering represents a major IT risk within school systems. This refers to gaining unauthorized access to private information or convincing someone to perform an action through psychological manipulation. This fraudulent technique is known as phishing. An individual pretending to be a member of the school’s IT department or an administrator, requests a student or staff member’s username and password to gain access to a system. These attacks can occur in person, over the phone, or by email. Not everyone falls victim to this approach, which is why the attack is appropriately called phishing, because the attacker will make multiple attempts, but only needs one person to take the bait. They send an email asking for non-public, personal or financial information under the guise they are trying to help you. Email filters and blocking known phone numbers and identities of scammers is a good, proactive first step. The best way to counter social engineering attacks is with effective IT security awareness training. When staff and students know what to expect, they’re less likely to fall for the trap.
  3. Emergence of Mobile Computing
    School systems are taking full advantage of the benefits of mobile devices like phones, tablets, and other devices to make the classroom more interactive and educational. However, with each additional device connected to the Internet, a new avenue of attack is presented for a cybercriminal to exploit. Laptops, mobile phones, and even wireless printers can be hacked and accessed. Any equipment that connects to the Internet has the potential to be monitored and exploited. Mobile devices are easily lost, misplaced, or stolen, which is why it is important to ensure all mobile devices have secured authentication access enabled. If sensitive data and emails are stored on the mobile device, these devices need to have the ability to be cleared of all data remotely.
  4. Funding Issues and Prioritization
    School funding is a constant topic of debate from school officials, politicians, and teachers. Funding issues detail the operational costs of paying teachers and other staff sufficiently, as well as donations and grants. School systems are constantly evaluating the cost and benefit of maintaining their systems. They sometimes struggle to keep pace with new risks and remove vulnerabilities from their IT systems. In 2017, the Department of Education recognized the increase in attacks and advised, “Districts to conduct security audits and patch vulnerable systems, train staff on data security best practices, and review sensitive data to make sure no outside actors can access it.” Even with the advisement, school systems are repeatedly being targets and made victims due to budgets constraints not allowing security measures to be updated as needed. School executives need to take the threats more seriously and evaluate their needs and risks better. The benefits of allocating more resources to update and strengthen the system protecting sensitive information far outweigh the costs.
  5. Value of Information
    If an attacker gains access to an internal system, financial information may be exposed. Most organizations hold extremely profitable data about their employees’ personally identifiable information (PII). This type of information contains addresses, dates of birth, social security numbers, and any other information a criminal would use to steal an identity. What makes school systems particularly ideal is they contain all of this information for staff, but for the students as well.
    An attacker obtains PII for a student without an associated credit card, leaving a student largely unprepared to respond or even be aware that their identity has been stolen. For these reasons, the data of children is 51 times more likely to become the target of identity thieves than that of adults. This information is used by the attacker, sold to another criminal, or even be ransomed back to the school administrators at a high cost. For school systems, it is important to have a plan in place before a breach happens (what to do, who to call). Up-to-date policies around data privacy and the usage of data by staff, students, and the community can stifle an information breach.

What Can You Do

There are significant cybersecurity risks facing school systems. These risks grow more complex every day, and are forcing organizations to develop attainable action plans that address and mitigate security risks. School systems need to be employing security solutions to better effectively prevent and counteract exposure. A good first step for schools is to add cyberattacks to their business continuity plan, allowing them to properly define the risks. Communicating and installing cybersecurity practices across all departments will also help narrow a school’s risk potential. But, the most important piece of any effective cybersecurity strategy is education.

Schools are already institutions of learning, incorporate security education and training into the curriculum – for everyone. Employees need to be knowledgeable of the threats and know how to identify, report, and act on them. Education is just as important for the students as it is for the faculty. Student orientation is great preventative opportunity for schools. Create educational presentations and share them with students during orientation to teach about important security risks. A strong foundation of cybersecurity procedures and a well-informed faculty and student body are the best tools for mitigating breaches in school systems.