February 8, 2022
(This article was originally published in September of 2021)
Microsoft’s latest “global threat activity” report breaks down 30 days’ worth of cyberattacks by industry. And you may be surprised to learn which sector led the pack. Healthcare? Nope. It’s not finance or retail, either. The big winner, with 82.5% of reports as of February 7, 2022, is education.
COVID-19 and School Cybersecurity
Nearly 2 years ago, when abrupt school closures spurred a sudden shift to online and hybrid learning, Ed Tech Magazine reported, schools “found themselves more exposed than ever.” But even now, after kids have returned to in-person classes, the problem remains extremely serious for a variety of reasons — including, most prominently, insufficient cyber preparedness.
As a result, educators and other school officials are far more vulnerable to phishing attacks, social engineering and more, the FBI says. Just as worrying, the systems on which they work — and which store a wealth of sensitive student data — are woefully under-protected from increasingly frequent and sophisticated cyber incursions that have for years been successfully deployed against businesses.
Between August 14 and September 12 of 2021, Govtech.com reported (based on statistics from Microsoft and edscoop.com), “educational organizations were the target of over 5.8 million malware attacks, or 63% of all such attacks. Ransomware attacks alone impacted 1,681 U.S. schools, colleges and universities in 2020. Globally 44% of educational institutions were targeted by such attacks.” A 2021 IBM report concluded that about 25 percent of U.S. cyberattacks against schools involve ransomware — with a total annual price tag north of $120 million. In 2020, according to Edscoop.com, that amounted to an average of $2.73 million per incident — $300,000 more than the next biggest losers: distributors and transportation companies.
“Schools are soft targets that hold personal valuable data that can easily be used for identity theft,” says Mindsight Cybersecurity Leader and Certified Ethical Hacker Mishaal Khan. “And they always struggle with budget for cybersecurity safeguards, as they see it more as an inconvenience.”
According to CSO Online, “Education and research were the top targets for cyberattackers in 2021, with an average of 1605 attacks per organization per week, a 75% increase from 2020.” Simply put, for most of 2020 and 2021, schools opened up their environments to huge numbers of non-employees so that students and caregivers could access online assignments or other resource materials. Though classes are back in-person, many schools have opted for eLearning in the event of inclement weather. All a hacker needs to do is wait for a major storm or other act of nature to wreak havoc on an entire school district.
What Can Happen?
A good example of what can and does happen was reported by CBS News earlier this year. Jeff Pelzel, superintendent of the Newhall School District in Southern California’s Santa Clarita Valley, had recently transitioned 6,000 teachers to virtual learning — no small victory. But as he walked to his office one day, trouble began:
“Pelzel checked his phone and noticed something strange. His email app, which was usually brimming with fresh messages, was empty. He tapped the browser and navigated to the school’s webmail. Nothing. His palms began to sweat as he powered on his PC. The warning that flashed across his screen was terrifying. In bold letters the message bluntly stated that his entire school district was locked up and offline. Pelzel shot a text message to IT, but he didn’t need to wait for a response to know what was happening.”
It’s no wonder, then, that insurance companies are requiring their education sector clients to have a cybersecurity plan in place as a prerequisite to providing insurance. According to Khan, “the plan must include a risk assessment, a roadmap of how they plan to remediate the identified gaps, regular vulnerability scanning and management, periodic system testing, and a certain number of minimum controls in place like MFA and password policies.”
And though the plans aren’t enforced by insurers, Khan adds, they directly affect premiums. Organizations can be totally non-compliant and completely ignore all cybersecurity advice and still obtain insurance — albeit at a high price. Also, he explains, insurance won’t cover a lot of breach or loss of revenue cases if some of the prerequisites aren’t met.
The biggest upside of these insurance requirements, Khan says, is that they’ve “at least caused these institutes to start taking security seriously and have introduced that conversation outside of IT for a change.”
Of course, taking security seriously requires pinpointing gaps and implementing mitigation measures. Both of those things require a trusted expert. Whether it’s an in-house team or a managed services provider (like Mindsight), trained specialists can perform a network scan to locate vulnerabilities in servers, network devices, firewalls, virtual machines, and applications, as well as anything else that’s connected to the network.
Khan works with clients daily to help identify vulnerabilities, utilizing scans and more robust assessments. Once identified, vulnerabilities are ranked by severity level, and detailed scan data and remediation guidelines and/or recommendations are provided. Khan meets with IT and other stakeholders outside of IT – like finance, operations, school boards – taking every opportunity to better educate clients about the implications and costs of cyberattacks as well as outlining specific steps that can be immediately taken to improve security strategies and plans.
Does all of this require time and money? Of course. But ultimately, as education professionals and others who’ve been caught in the cybercrime crosshairs will tell you, it’s time and money well-spent.
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure and communications needs. Our engineers are expert level only – and they’re known as the most respected and valued engineering team based in Chicago, serving emerging to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com.
About The Expert
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.