Managed Security Services

Cybercrime in the Education Sector

Digital target over computing design

Guest blog courtesy of CYRISMA.

The Education sector has been relentlessly targeted by cybercriminals over the past 4-5 years. Attacks grew both in frequency and the damage they caused as classes moved online in 2020, (following the beginning of the Covid-19 pandemic) and massive volumes of data were made accessible to students, teachers and administrators over the internet. Cybercrime in the sector continued to increase after the worst phases of the pandemic were over.

Data Breaches and Ransomware in the Education Sector

Verizon’s 2024 Data Breach Investigations Report examined 1780 breaches in the Education sector, and found System Intrusion, Social Engineering and Miscellaneous Errors to be the leading causes in 90 percent of the cases. The MOVEit file transfer vulnerability affected educational services in disproportionately high numbers, with the CL0P ransomware gang exploiting the zero-day to steal millions of student records in 2023.

The average Cost of a Data Breach in the sector stood at 3.5 million USD in 2023-24. An interesting ransomware factoid was that unlike in most sectors where the initial ransom demand was eventually negotiated down, in the education sector, ransomware actors managed to extract higher ransom amounts than were initially demanded. The Sophos State of Ransomware study found that higher education was “most likely to pay more than the original ransom demand (67% paid more), and least likely to pay less than the original demand (20% paid less).”

Why the Education Sector is an Attractive Target for Cybercriminals

So what makes education an attractive and easy target for cybercriminals?

  • Massive datasets – Educational institutes are attacked frequently because of the massive volumes of data that pass through their networks. This includes students’ personal, financial and health information; data about employees; applications and enrollment forms; information related to financial aid, its recipients, and donors; research papers; coursework and study material, and a lot more. A successful attack could mean control over all this data and opportunities to hold it to ransom, sell it or use it in future attacks.
  • Larger attack surface due to increased digitization – The Covid-19 pandemic necessitated moving classes online almost overnight. Universities, schools and colleges had to create and enable a whole digital infrastructure to make this possible, at the cost of vastly increased exposure to cyber attacks.
  • Low security budgets in schools and colleges – While the transition to online classes was managed by all institutions, this was not accompanied by a corresponding increase in security controls to protect exposed data. School IT departments continue to struggle with cybersecurity due to its high costs and because many institutions don’t have the budgets and the expertise to build strong cyber defenses.
  • Large number of unmonitored devices – What’s also a problem is that the students accessing school services and course material online often don’t prioritize security, and don’t have sufficient information and awareness about secure remote access, leaving their devices and their institutions vulnerable to intrusion.
  • Unpatched, buggy, or end-of-life software – Education sector organizations with low cybersecurity budgets may not have a solid patch management program or rely on end-of-life software that is no longer supported by vendors, leaving huge security gaps and creating easy entry points for criminals. They may also use software not built with security in mind (like some remote communication and video conferencing tools) exposing them to new attack vectors that they can’t control.

What are the main cyber threats and risks in the sector?

  • Phishing and social engineering – Many threat groups carry out organized phishing campaigns targeting higher education institutions, using email addresses that may have been exposed in earlier breaches or scraped from publicly accessible sources. Phishing is often the initial access method used in larger attacks, and because of the interconnected and open networks in campuses, even a tiny percentage of students or employees taking the bait can have dire consequences.
  • Exploitation of remote access services – Threat actors can also gain access to institution networks by exploiting vulnerabilities in remote access software, which is often essential to the functioning of higher ed institutions. Once a connection is made, attackers can employ a range of techniques to elevate privileges, move laterally across the network and get access to protected data.
  • Ransomware attacks – In May 2022, Lincoln College in Illinois became the first higher-ed institution in the US that had to shut down because of the debilitating effects of a ransomware attack. In 2022-23, education was the most targeted sector by ransomware actors. While the sector no longer reported the highest rate of ransomware attacks in 2023-24, it continued to pay massive ransom amounts to criminals, the median ransom paid being 6.6 million USD. Sixty three percent lower education and 66 percent highest education institutions were targeted in 2023-24 according to the 2024 Sophos State of Ransomware survey.
  • Data breaches – One of the biggest reasons educational institutes are so attractive to criminals is the rich datasets that they store. Inadequately protected data and weak defenses can lead to massive breaches, with school and university data ending up for sale on the dark web or exposed online. The FBI even issued an advisory about credentials and network access information about a large number of higher ed institutions being sold in cybercriminal marketplaces.
  • Extended network shut-downs – Successful attacks can lead to network shut-downs that may last several days or weeks. For higher-ed institutes, successful recovery from attacks may even take months, disrupting operations, delaying course completion and interfering with enrollment processes, depending on the timing of the attack.

How can K-12 institutions and Universities stay protected?

  • Timely patching – An effective patch management program that ensures timely patching of all software is one of the most cost-effective ways to prevent attacks. Known exploited vulnerabilities must be patched on priority.
  • Sensitive data discovery and protection – Institutions must leverage solutions that help discover unprotected/unencrypted sensitive data stored on their systems and take appropriate measures to secure this data.
  • Secure configuration – All systems and applications must be securely configured based on best practice standards and frameworks. Configuration drift can be avoided by scheduling regular scans.
  • Phishing simulation and security awareness – Instituting engaging cyber awareness programs and phishing simulation exercises is another simple way to build a security-first culture and prevent bad security practices.
  • Strong passwords and MFA – Not just IT and security teams but students and faculty across the board should know the importance of strong, unique passwords. Multi-Factor Authentication (MFA) must also be enabled on all systems and services, and mandated by policy.
  • Strong access control policies – Access control must be strictly monitored and designed based on the principle of least privilege.
  • Network segmentation – Campus networks must be segmented, and micro-segments implemented to prevent lateral movement of attackers if they manage to access a part of the network.
  • Monitoring, detection and response – Institutions must also leverage modern detection and response tools to find anomalous activity patterns in real time and neutralize attacks before they can cause major damage.

How CYRISMA can help

CYRISMA’s multi-feature SaaS platform enables MSSPs and MSPs serving educational institutions to manage risk in a holistic and cost-effective manner. By combining essential cyber risk management tools like vulnerability scanning, sensitive data discovery, secure configuration scanning, and dark web monitoring in a single platform, CYRISMA lets you simplify cybersecurity service delivery, reduce costs and increase effectiveness.

With CYRISMA, you can:

  • Find, classify and secure sensitive data that may be left unprotected on institution systems, Google Workspace apps, and Office 365 without the knowledge of data owners (students, staff) and IT
  • Discover and mitigate system vulnerabilities before they can be found and exploited by cybercriminals. Get to the root cause of vulnerabilities to address them effectively.
  • Monitor Active Directory and Azure AD without any specialized knowledge
  • Scan for and fix Operating System configuration weaknesses, mitigate risk, and help clients meet regulatory compliance requirements.
  • Conduct Compliance and Cybersecurity Assessments to evaluate the security posture of the institution and easily communicate the risk level to auditors and the board
  • Meet tactical compliance requirements using CYRISMA’s vulnerability and security baseline scans!

Request a demo today to for a deep dive into CYRISMA’s complete feature-set!

You can skip this ad in 5 seconds