Students readily offer their personal information to schools and colleges, hoping to receive a quality education. Many of these institutions have a thorough selection process that often requires students to share everything from social security numbers to favorite hobbies. Hence, colleges, like hospitals, have loads of information on each student. The problem is that this information, if compromised, can damage a student’s future, making the education sector a goldmine for hackers. Let us examine the reasons for the poor state of cybersecurity in educational institutions and steps to secure the information.
Large data breaches and ransomware attacks can be difficult for schools to defend because only a very small percentage of universities have the funds to pay the ransom. But most of the others cannot, so hackers end up selling this valuable information to identity thieves and cybercriminals.
Why Target the Educational Sector?
Educational institutions, especially schools, run on older equipment and applications. This is one of the many reasons why they make an easy target for hackers. Let us highlight four primary reasons:
- Scale – Each university hosts thousands of students every year. In addition, they also possess records of alumni and every student who has ever applied. A hacker can get hold of tens of thousands of records in a single breach.
- Sensitive Information – Schools, colleges, and universities store a large amount of private and sensitive information of every student. These include Social Security numbers, medical records, financial documents, loan data, and more. In many cases, parent and guardian information are also present.
- Identity- Many of the students are far from having a full-time job and credit report. Reports suggest criminals use social security numbers of school-going kids to open credit accounts. The children may not learn about their identity theft until they become adults and apply for credit themselves. In fact, our search and many others show that kids’ records are valued more and sold at a higher premium than that of adults.
- Patents and IPR – Many universities are part of a race to perform cutting-edge research. They also hold a large number of patents. Hence, they become targets of state-sponsored attacks, competition, and cybercriminals.
Reasons for Poor Cybersecurity in Educational Institutions
Although educational institutions, like many organizations, fail to defend against cyberattacks for several reasons, one of the main vulnerabilities is: race to open cloud infrastructure without proper security measures.
Cloud storage offers an amazing way to increase efficiency, save money, maximize returns, and monetize content for universities. But, the cloud infrastructure of several universities does not have a proper security foundation. Many of them have unrestricted access, with basic to no security measures. Our team performed basic research on Shodan, a search engine, for internet-connected devices, including routers servers and Internet of Things (IoT) devices. The results showed that cloud backup of many universities did not even have security/admin passwords, and quite a few of them were already hacked and encrypted.
In the era where cyberattacks are becoming more sophisticated thanks to Ransomware-as-a-Service, these centers of learning and research are just sitting ducks waiting to be hacked.
The argument from universities is that they deal with many students and staff, including those who come and go, making it a major challenge to incorporate proper security measures.
Other reasons include, universities have flexible Bring Your Own Device (BYOD) policies, open Wi-Fi networks, strangers-friendly policies, and many apps to facilitate collaborations and encourage learning.
Some Immediate Steps
Universities must have a practice of implementing Single Sign-On (SSO) and Multi-Factor Authentication (MFA). The former reduces the number of passwords, and the latter adds an additional layer of security. While open networks are encouraged, social logins, self-registrations, or mobile SSO passwords must be mandatory to promote authenticity and track users.
Eventually, every university should classify, store, and access student personal information, patent, and other personal information, in a separate infrastructure. This infrastructure must have stricter security and be managed by a dedicated service provider.
Final Words on the State of Cybersecurity in Education Institutions
Cyberattacks are on the rise. Cybersecurity is the most imminent need. While several universities build programs and courses to teach students cybersecurity, they rarely take precautions themselves. It is high time that educational institutions incorporate a strong cybersecurity culture.
We believe it is the duty of institutions, the government, and society, in general, to improve the state of cybersecurity in educational institutions and protect the future of students until they can defend it themselves.