The Verizon 2022 Data Breach Investigations Report (DBIR) recorded 1,241 incidents against educational institutions, including 282 incidents with confirmed stolen data. Although threats against schools vary, a few risks are more common than others when it comes to education. System intrusion, social engineering attacks and denial-of-service (DoS) attacks are the top cybersecurity threats to universities. Most cybersecurity threats to universities come from external actors, and their motives are what you might expect: 95% of attacks are motivated by financial gain, while the other 5% are related to espionage.
A closer look at the data reveals the specific types of threats most commonly faced by colleges and universities:
Stolen credentials
In May 2022, the FBI released an advisory warning higher education that U.S. college and university credentials were being advertised for sale on online criminal marketplaces and other forums. The information—much of which was offered for sale on Russian cybercriminal forums—included network credentials and virtual private network (VPN) accesses for several universities and colleges across the U.S. Unfortunately, this sort of credential theft is a common problem for higher education. The DBIR lists stolen credentials as the most common cause of incidents in educational breaches, with 40% of attacks including some form of stolen credentials.
Ransomware
Ransomware affects most industries, though the education sector is particularly targeted, second only to government, according to Statista. Ransomware incidents cost schools $4 billion just for the downtime resulting from attacks and the number of school ransomware attacks almost doubled in 2022 compared to 2021, according to the Verizon Threat Research Advisory Center (VTRAC). Meanwhile, almost two-thirds of higher education institutions reported being hit by ransomware in a 2022 Sophos survey.
Phishing
Phishing scams have long been a favorite tool of social engineers and other cybercriminals attempting to gain access to data or deliver malware to a network. Education is no exception. The DBIR lists phishing as the fourth most common threat to schools. One recent and extremely targeted campaign took place in the fall of 2022 when students at a college began receiving messages from a sender claiming to be the college president. The messages were an attempt to solicit personal financial information from the students.
Human error
One of the most common threats against schools isn't malicious at all. More than four-fifths of breaches involved the human element, according to the DBIR. While the rate of cybersecurity errors in schools is not quite as high as it was in 2019, the education sector is still more error-prone than other industries.