Cyber security
threats to schools
and how to protect
against them

Author: Mark Stone

Today's new work-from-home norm has changed the way enterprises address school cyber security. In much the same way, a heightened focus on remote learning means that school systems must adapt to new methods of risk management.

In the education sector, security threats to schools are on the rise—predictable given the number of students learning remotely and teachers and school staff working from home. With information technology (IT) infrastructures extending far beyond the safe perimeters of school networks and security systems, the cyber security threat is escalating. In fact, a recent study by Microsoft Security Intelligence reports that education is far and away the most vulnerable industry, accounting for 62% of all malware encounters over the last 30 days.

As remote learning continues into the fall and winter, schools must identify and defend against security threats introduced by personal networks, multiple devices, collaboration tools and more.

Assessing the threats

When safeguarding sensitive data in online education platforms, students' and teachers' private information is the primary asset to protect.

In many cases, security threats to schools are no different from the threats faced by the enterprise. But because the education sector is dealing with children, there are some unique risks. Most critical is the fact that, unlike most adult office workers, students in lower grades lack exposure to and training in school cyber security.

That said, one trending threat that shouldn't be overlooked is attacks launched by students themselves because they don't want to attend classes or exams. "Many schools have migrated to online education market vendors, making systems less vulnerable to DDoS (distributed denial-of-service) attacks," says independent security researcher Rod Soto. However, they can still be affected by easily downloadable attack tools—as in the recent case in Florida that disrupted remote learning for several days.

Most relevant cyber security threats to schools

The following are among the most common threats IT leaders in the education sector need to be aware of and protect against:

  • Data breach: For education, data breaches are a concern as they can involve student records and other private information. Schools are often targeted because their systems hold a significant amount of sensitive and confidential data about students, teachers, staff and even parents.
  • Denial-of-service: A denial-of-service (DoS) attack occurs when a server or network resource is deliberately flooded with too many requests to carry out. Schools tend to lack the security protections used by corporations, and as such, many schools are not as vigilant about connectivity. Facing a DoS attack, school servers that may log information about who is accessing its networks can be turned off, allowing attackers to retrieve the confidential data without a trace. The threat of students initiating DoS attacks, as mentioned above, must be acknowledged.
  • Phishing, malware and ransomware: Phishing is when an attacker sends an email claiming to be a legitimate organization or person with the goal of tricking the recipient into disclosing confidential information. Often, phishing emails contain malware (software that can inflict damage) or ransomware (which locks access to files until a ransom is paid). Schools are particularly vulnerable to these threats, primarily due to the fact that children are less aware of the impact of opening these types of emails and links.
  • Unpatched, outdated software vulnerabilities: When software and hardware are unpatched or outdated, they are much more vulnerable to attackers looking to obtain access to networks and systems. While patching and updating systems are the most straightforward attack prevention methods, schools frequently lack adequate funding and dedicated cyber security staff, making them more prone to leaving some vulnerabilities unpatched.
  • Cyber bullying: Bullying that occurs online through smartphones, tablets or computers may cross the line into behavior that is unlawful or criminal. According to the Cyberbullying Research Center, approximately 37% of students have experienced cyber bullying.
  • Inappropriate content: When acceptable use policies or content filtering are either ignored or circumvented, inappropriate content can find its way onto students' devices.
  • Online predation: With more students learning remotely, online predators are more active than ever, grooming victims by building trust and manipulating emotions.

How to prepare for school cyber security attacks

IT leaders must first recognize that for the foreseeable future, the complexity of software and systems will only multiply. Adding to the struggle is the volume and variety of these tools, as they shift from managing some operating systems, apps and devices to having to manage so much more. Moreover, many schools lack the bandwidth and resources to be properly prepared for a cyber security incident.

Strategies for protecting data and devices from an attack should be both technical and procedural.

As far as technology goes, using two-factor or multi-factor authentication can be effective against unauthorized access or phishing. As a precautionary measure to ensure adherence to internet safety policies, schools should turn on alerts for any suspicious activity or non-compliant devices.

Ultimately, the most fundamental strategy is promoting security awareness and user education. "Students and faculty need to be aware of the risks of being targeted by malicious actors and the risks of using online platforms," says Soto. He strongly advises all schools to create a clear and enforceable acceptable use policy so students know what is acceptable and what is not and faculty members clearly understand the guidelines for what is allowed when using remote learning platforms.

For schools lacking cyber security resources, managed security service providers can play a critical role. With the support and coordination of these vendors, a sustainable, secure and successful remote learning experience is possible. But remember—all vendors are not created equal when it comes to data privacy and security. It's important to do your due diligence when hiring a third party to manage your systems and services.

To learn more about common threats to educational institutions, explore Verizon's Data Breach Investigations Report.