The importance of cyber threat intelligence for schools and colleges

Author: A.J. O'Connell

Ransomware attacks against schools are on the rise and cybersecurity threats to universities are increasing. Higher education institutions can no longer afford to wait until an incident occurs to respond to a threat. It's simply too costly to be reactive.

Instead, colleges and universities must get proactive about identifying and preparing for incidents with cyber threat intelligence.

What is cyber threat intelligence?

Cyber threat intelligence is the data that helps organizations identify and analyze their cybersecurity threat profile.

When an organization engages with threat intelligence, it does more than collect information about threats; it analyzes that information to better understand how reliable its sources are, how relevant a threat is, how likely an attack may be, and the impact an attack could have on the organization. In some cases, cyber threat intelligence may include specific information about an attacker or the attacker's methods.

Cyber threat intelligence is a huge piece of proactive cybersecurity: by taking the time to examine risks beforehand, organizations can prepare more effectively. It allows security leaders to prioritize their controls for each threat and develop strategies before an incident occurs.

Cybersecurity threats to universities: Recent trends

The Verizon 2022 Data Breach Investigations Report (DBIR) recorded 1,241 incidents against educational institutions, including 282 incidents with confirmed stolen data. Although threats against schools vary, a few risks are more common than others when it comes to education. System intrusion, social engineering attacks and denial-of-service (DoS) attacks are the top cybersecurity threats to universities. Most cybersecurity threats to universities come from external actors, and their motives are what you might expect: 95% of attacks are motivated by financial gain, while the other 5% are related to espionage.

A closer look at the data reveals the specific types of threats most commonly faced by colleges and universities:

Stolen credentials

In May 2022, the FBI released an advisory warning higher education that U.S. college and university credentials were being advertised for sale on online criminal marketplaces and other forums. The information—much of which was offered for sale on Russian cybercriminal forums—included network credentials and virtual private network (VPN) accesses for several universities and colleges across the U.S. Unfortunately, this sort of credential theft is a common problem for higher education. The DBIR lists stolen credentials as the most common cause of incidents in educational breaches, with 40% of attacks including some form of stolen credentials.


Ransomware

Ransomware affects most industries, though the education sector is particularly targeted, second only to government, according to Statista. Ransomware incidents cost schools $4 billion just for the downtime resulting from attacks, and the number of school ransomware attacks almost doubled in 2022 compared to 2021, according to the Verizon Threat Research Advisory Center (VTRAC). Meanwhile, almost two-thirds of higher education institutions reported being hit by ransomware in a 2022 Sophos survey.


Phishing

Phishing scams have long been a favorite tool of social engineers and other cybercriminals attempting to gain access to data or deliver malware to a network. Education is no exception. The DBIR lists phishing as the fourth most common threat to schools. One recent and extremely targeted campaign took place in the fall of 2022 when students at a college began receiving messages from a sender claiming to be the college president. The messages were an attempt to solicit personal financial information from the students.

Human error

One of the most common threats against schools isn't malicious at all. More than four-fifths of breaches involved the human element, according to the DBIR. While the rate of cybersecurity errors in schools is not quite as high as it was in 2019, the education sector is still more error-prone than other industries.

The role of cyber threat intelligence in security

Knowing what cybersecurity measures to prioritize can be a challenge for leadership. This is particularly true in higher education institutions, where IT budgets represent just 4.2% of a college's total budget.

Chris Novak, director of cyber threat and intelligence for Verizon, recommends schools place a high priority on threat intelligence, although their first and greatest security priority should be good basic cyber hygiene. "Before you do anything else, make sure you have the basic building blocks of cybersecurity in place," he said.

If an organization has laid a strong cybersecurity foundation, said Novak, the next priority should be cyber threat intelligence. "It's about situational awareness," he said. "The more you can know about what's happening, the better you can prepare your defenses, protection and mitigation."

Having information about threats at your fingertips means universities can be ready when a threat occurs.

How can schools get started with cyber threat intelligence?

While cyber threat intelligence may seem aimed at external and global threats, the first step Novak recommends for schools considering cyber threat intelligence is self-awareness.

He suggests that organizations perform a basic cyber risk assessment. By assessing security, colleges and universities can better understand the maturity of their cybersecurity posture. He also recommends conducting penetration tests to understand the weak spots in the school's security controls. By testing their cyber defenses, schools can gather intelligence about their own weak spots before looking at external threats.

Novak also suggests that schools take an inventory of their digital assets, identifying the kinds of data an attacker may want to steal as well as the networks that might be breached. By better understanding its assets, a university's team will be more aware of the information that might be targeted and will also gain an understanding of how to protect that information.

Lastly, Novak recommends planning an incident response ahead of time. Many organizations, he said, still look at incident response reactively—if an incident occurs, they'll respond to it then. But that's not the best way to plan for a problem, said Novak. He recommends IT teams and college administrators work together to create plans for possible events, such as ransomware attacks or data theft. Those plans should also be tested in tabletop exercises that simulate a breach.

It's important that leadership be included in these exercises, said Novak, because in many cases deans, university presidents and provosts are called upon to make announcements and administrative decisions when a cyberattack takes place.

When should schools call in cyber threat intelligence experts?

While all of the above steps are important, schools should be willing to seek out help, so they are as prepared as possible for an incident. Having a strong source of intelligence about external threats is a key part of cybersecurity. The cyber threat landscape is constantly shifting and changing, so having experts on call with the latest information about relevant threats is important when planning security controls.

The Verizon Threat Research Advisory Center (VTRAC) has investigated thousands of data breaches worldwide and has the expertise in investigations, forensics and discovery to help guide education institutions.

With an ongoing shortage of cybersecurity experts and an increasing scope and complexity of challenges, utilizing the experience, technology and skills of a managed services provider can also be beneficial to educational institutions. This approach allows them to focus on their core task—education—while security experts work to protect staff and students.

The importance of planning and collaboration

Colleges should also consider investing in augmenting their incident response team. It helps to have experts available if a school is the subject of a major data breach or if the school's own team is overwhelmed by multiple incidents.

"Train their people to be the best they can be, get them all the resources, technology, and tools you can possibly afford to make them successful, but then also have a backup," said Novak. "Having a secondary or tertiary organization on retainer to be able to quickly drop in when you have that need can go a long way."

Information sharing and collaboration with other parties, including governments, can help organizations learn from the experience of others. This is particularly important given threat actors regularly share information on deep and dark web forums.


The author of this content is a paid contributor for Verizon.