The latest report from cybersecurity company KnowBe4 begins with the staggering revelation that ‘Some schools endure over 2,500 attempted cyberattacks a day’ – and the learning doesn’t stop there for the education sector.
The report, entitled ‘From Primary Schools to Universities, the Global Education Sector is Unprepared for Escalating Cyber Attacks,’ follows up its opening statement by examining risks and vulnerabilities across the sector. It draws from several sources to chart the scale of attacks in 2024 and lists some of the most significant attacks from 2024. It also takes a closer look at the most prominent attack methods.
Vulnerable Students
Both primary and higher education have vulnerabilities and risks that are specific to each, as well as some common factors that apply to both.
Primary Education
Although there are some variations, globally, primary education applies to children between the ages of 6 and 11. The main vulnerability is undoubtedly the age of the children. Targeting young children for their personal data or for predatory reasons elicits an emotional response from parents, teachers, and society at large. Malicious actors leverage this as they are aware institutions are keen to avoid reputational damage while parents and caregivers are predisposed to protect children in their care. Away from the emotive angle, schools are often underfunded institutions that are operating on legacy systems that hackers can more easily infiltrate.
Higher Education
Higher education encompasses schools for children between the ages of 11 and 18 and colleges and universities for adults over 18. The main vulnerability here is the amount of sensitive data institutions hold on a mix of legacy and modern systems. This data is often shared across different networks or accessed via remote learning, making it vulnerable if unsecured. Students in the younger age range of this spectrum also lack a developed understanding of security awareness.
Common Factors
Some of the common factors for both are balancing open access for collaboration and a reliance on third-party vendors providing software-as-a-service, cloud storage, and other IT services.
Register of Attacks
The report cites the Verizon 2024 Data Breach Investigation Report (DBIR), which examined 30,458 security incidents. Out of these recorded incidents, 10,626 were classified as data breaches, with 1,780 incidents of attacks targeting the education system, of which 1,537 had confirmed data disclosure. These statistics placed education in the top five of all industries breached globally.
A different study highlighted in the report from Check Point Research found that education was the most targeted industry in terms of the global average of weekly attacks per organization by sector. They identified that educational institutions suffered, on average, 3,574 weekly attacks, a 75% increase from the previous year.
Some of the largest attacks recorded in 2024 that were listed in the report included:
- The Toronto District School Board which was targeted by LockBit ransomware. A ransomware attack that compromised personal data, including names, email addresses, student numbers, dates of birth, and more.
- An attack on thirty-four schools in the Highline Public School district in Washington State which saw them forced to close and cancel activities due to a ransomware attack.
- Global digital classroom management platform Mobile Guardian, which was breached by a malicious actor in an attack that saw data from over 13,000 students wiped.
Repeatable Methods
The report states that “Ransomware attacks are easily the most prominent form of attack in the education sector,” with Phishing being identified as the “most commonly exploited method for gaining an initial foothold in an organization.” According to the report, phishing attacks have three main objectives: inserting malware by getting users to interact with documents containing attachments, stealing credentials through emails or forms containing malicious executables, or obtaining personal information by duping applicants for courses/jobs through social engineering techniques.
Lessons to be Learned
Stu Sjouwerman, the KnowBe4 CEO, believes that some important lessons can be derived from the report. “Educational institutions have inadvertently become prime targets for sophisticated threat actors due to an overall lack of resources. The most concrete, effective step that an educational institution can take to secure vital and sensitive data is to ensure that all individuals who access IT systems are equipped with the proper tools, education, and awareness to protect against cyber threats and reduce human risk.”
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.