The education sector is a lucrative target for cybercriminals due to the abundance of sensitive data in its possession combined with lacking the relevant resources to combat such attacks. Achi Lewis, Area VP EMEA for Absolute Software, discusses the dangers posed to the education sector and how to prevent and respond to cyberattacks.
It came to light recently that 14 UK schools became victims of a major cyberattack, resulting in confidential documents, including children’s passport scans and staff contracts, being leaked.
The data was leaked online after schools failed to pay the ransom demands.
The documents contained data such as children’s SEN information, staff contract details, including the headmaster’s salary, bursary fund receipts and children’s passport scans which had been used for school trips.
“The education sector is a lucrative target for malicious cybercriminals due to the large volume of sensitive data stored on school and university systems,” said Achi Lewis, Area VP EMEA for Absolute Software. “As a result, ransomware attacks are a case of when, not if, which demands educational institutions to ensure they are prepared to both prevent and respond to these attacks, else they risk having documents stolen and leaked.”
I caught up with Achi Lewis, Area VP EMEA for Absolute Software, to pick his brains about the education sector’s wider threat landscape when it comes to these types of attacks, and how it can become more cyber-resilient.
What makes the education sector such an appealing target for cybercriminals?
In education, cybersecurity is rarely top-of-mind — until a major incident occurs. Yet, according to the Federal Bureau of Investigation, schools are top targets for cybercriminals, resulting in ransomware attacks, data theft and the disruption of online learning. Cyberattacks are particularly challenging for primary and secondary schools, as they often face resource limitations and cannot attract the necessary talent to implement enterprise-grade defence strategies.
With 1:1 programmes the new norm, devices are used more frequently — and from more locations — than ever before. New applications, delays in patching and failing security controls add complexity and vulnerabilities to the environment. These environmental factors, together with the type and amount of personal data maintained in education systems, make primary and secondary schools and colleges a prime target for ransomware and place student and school safety at risk.
What attack methods are typically used to attack schools’ cyber defences and what can be done to prevent or mitigate these types of attacks?
The attack methods used by threat actors don’t differ much from other vertical markets. Most of today’s cyberattacks are front-ended by credential harvesting campaigns that use social engineering techniques, password sniffers, phishing campaigns, digital scanners, malware attacks, or any combination of these. Cybercriminals also take advantage of millions of stolen credentials being sold on the Dark Web.
The following fundamental measures can help education institutions minimise their exposure to cyberattacks:
- Implement cybersecurity awareness training to educate staff and students on how to recognise and avoid spear-phishing attacks.
- Patch operating systems, software and firmware as soon as manufacturers release updates. This applies to both endpoints and servers.
- Implement application and remote access controls to only allow systems to execute programs known and permitted by the established security policy.
- Regularly update antivirus and anti-malware with the latest signatures and perform regular scans. Leverage application resilience technology to assure that those security tools are always functioning as intended.
- Back up data regularly to a non-connected environment and verify the integrity of those backups.
- Establish cyber-resiliency across endpoints, applications and your network.
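The backup measure above only pays off if the offline copy can be proven intact before it is relied on. The following script, added here as an illustration and not code from Absolute Software or the interviewee, shows one way to do that: record a SHA-256 manifest of every file in the backup set at backup time, keep the manifest apart from the media, and later compare the set against it to detect modified, missing or unexpected files. Function names, the sample directory layout and the file contents are constructed for this example.

```python
"""Verify the integrity of an offline backup set against a SHA-256 manifest (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large backup archives never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map the relative path of every file under backup_root to its SHA-256 digest.

    Store the result away from the backup media (for example on write-once storage),
    so that whoever can alter the backup cannot also rewrite its manifest.
    """
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare a backup set with its manifest.

    The report lists files whose hash still matches ("ok"), files whose contents
    changed ("modified"), files that disappeared ("missing") and files that were
    not present when the manifest was taken ("unexpected").
    """
    current = build_manifest(backup_root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif actual != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict:
    """Build a constructed backup tree, take a manifest, corrupt the tree and re-check.

    The directory names and file contents below are constructed for this example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sis").mkdir()
        (root / "sis" / "students.csv").write_bytes(b"id,name\n1,example student\n")
        (root / "sis" / "staff.csv").write_bytes(b"id,name\n1,example teacher\n")
        (root / "config.json").write_bytes(b'{"retention_days": 90}\n')

        # Serialise the manifest exactly as it would be written to separate storage.
        manifest_json = json.dumps(build_manifest(root), indent=2)
        clean = verify_backup(root, json.loads(manifest_json))

        # Simulate silent damage after the manifest was taken: one file overwritten,
        # one deleted, one added that was never part of the backup set.
        (root / "sis" / "students.csv").write_bytes(b"id,name\n1,ENCRYPTED\n")
        (root / "sis" / "staff.csv").unlink()
        (root / "notes.txt").write_bytes(b"not part of the backup set\n")
        tampered = verify_backup(root, json.loads(manifest_json))

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints two reports: the first shows every file as "ok", the second flags students.csv as modified, staff.csv as missing and notes.txt as unexpected. A manifest check like this belongs in the restore runbook, not just the backup job, since a backup that was only ever written and never verified is an assumption rather than a control.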
How do these sorts of attacks impact the wider threat landscape?
Unfortunately, those organisations that fall victim to a cyberattack always serve as a reminder to their peers that there is no ‘100% protection’. To make a real difference to the impact of cybersecurity incidents, cybersecurity priorities must shift from defensive strategies to the management of disruption through cyber-resilience.
On the other hand, successful cyberattacks in a specific vertical such as the education market often embolden other cybercriminals to target similar organisations. This typically leads to a spike of cyberattacks in the same vertical. In turn, more sophisticated organisations join so-called Information Sharing and Analysis Centers (ISACs). These are non-profit organisations that provide a central resource for gathering information on cyberthreats as well as allow two-way sharing of information between the private and the public sector about root causes, incidents and threats, as well as sharing experience, knowledge and analysis. If they learn about cyberattacks on one of their peers early, they might still have a chance to prepare for the worst-case scenario – falling victim to an attack.
Why is having a resilient Zero Trust approach in place necessary in instances such as these?
The growing threat of cyberattacks has underscored that organisations can no longer depend on conventional perimeter-based defences to protect critical systems and data.
New regulations and industry standards are aimed at shifting the cybersecurity paradigm – away from the old mantra of ‘trust but verify’ and instead towards a Zero Trust approach, whereby access to applications and data is denied by default. Threat prevention is achieved by only granting access to networks and workloads utilising policy informed by continuous, contextual, risk-based verification across users and their associated devices.
There are many starting points on the path to Zero Trust. However, one driving principle to determine your priority of implementation should be the knowledge that the easiest way for cyberattackers to gain access to sensitive data is by compromising a user’s identity. In fact, 80% of security breaches involve privileged credentials, according to Forrester Research. Furthermore, post-mortem analysis has repeatedly found that compromised credentials are subsequently used to establish a beachhead on an end-user endpoint (e.g., desktop, laptop, or mobile device), which typically serve as the main point of access to an enterprise network. A recent Ponemon Institute survey revealed that 68% of organisations suffered a successful endpoint attack within the last 12 months.
To limit an organisation’s cyber-risk exposure to tactics, techniques and procedures that target an organisation’s weakest link – the anywhere workforce – consider the following best practices:
- Maintain a trusted connection with endpoints to detect unsafe behaviours or conditions that could put sensitive data at risk. This includes maintaining granular visibility and control over endpoint hardware, operating systems, applications and data gathered on the device; and implementing self-healing capabilities for the device, mission-critical security controls and productivity applications.
- Ensure that endpoint misconfigurations are automatically repaired when possible, as organisations cannot assume that the health of their IT controls or security tools installed on their employees’ endpoints will remain stable over time.
- Monitor network connectivity status, security posture and potential threat exposure to enforce acceptable use via dynamic web filtering.
- Enforce dynamic, contextual network access policies to grant access for people, devices, or applications. This entails analysing device postures, application health, network connection security, as well as user activity to subsequently enforce pre-defined policies at the endpoint rather than via a centralised proxy.
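To make the last two practices concrete, here is an added example (not Absolute Software's product logic or the interviewee's code) of a contextual access decision evaluated at the endpoint. It combines device posture (patch age, anti-malware health, disk encryption, agent heartbeat) with user context (MFA) and the sensitivity of the requested resource, and it separates conditions that deny outright from fixable drift that limits access while a remediation is queued, which is the "automatically repaired" behaviour described above. The record fields, the thresholds (30-day patch age, 3-day signature age, 24-hour agent silence), the resource names and the sample devices are all constructed assumptions for this illustration.

```python
"""Contextual, risk-based access decision for one endpoint (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class DevicePosture:
    device_id: str
    os_patch_date: datetime        # when the OS last received patches
    av_running: bool               # anti-malware agent alive and reporting
    av_signature_date: datetime    # age of its detection signatures
    disk_encrypted: bool
    agent_last_seen: datetime      # last heartbeat from the endpoint agent


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool
    resource: str
    resource_sensitivity: str      # "low", "medium" or "high"
    posture: DevicePosture


@dataclass
class Decision:
    action: str                    # "allow", "allow_limited" or "deny"
    reasons: list = field(default_factory=list)
    remediations: list = field(default_factory=list)


# Thresholds are assumptions for this example; a real policy would tune them per fleet.
MAX_PATCH_AGE = timedelta(days=30)
MAX_SIGNATURE_AGE = timedelta(days=3)
MAX_AGENT_SILENCE = timedelta(hours=24)


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Deny by default on hard failures; limit access and queue self-repair on fixable drift."""
    p = req.posture
    hard_fail = []   # conditions no automatic repair can fix in time
    soft_fail = []   # drift the endpoint can repair on its own
    remediations = []

    if now - p.agent_last_seen > MAX_AGENT_SILENCE:
        hard_fail.append("no trusted connection to endpoint agent")
    if not p.disk_encrypted:
        hard_fail.append("disk not encrypted")
    if not req.mfa_passed:
        hard_fail.append("MFA not satisfied")
    if now - p.os_patch_date > MAX_PATCH_AGE:
        soft_fail.append("OS patches older than 30 days")
        remediations.append("trigger patch installation")
    if not p.av_running:
        soft_fail.append("anti-malware agent not running")
        remediations.append("restart anti-malware agent")
    elif now - p.av_signature_date > MAX_SIGNATURE_AGE:
        soft_fail.append("anti-malware signatures stale")
        remediations.append("force signature update")

    if hard_fail:
        return Decision("deny", hard_fail + soft_fail, remediations)
    if soft_fail:
        # Fixable drift keeps low/medium access while the device self-heals,
        # but high-sensitivity resources stay closed until posture is restored.
        action = "deny" if req.resource_sensitivity == "high" else "allow_limited"
        return Decision(action, soft_fail, remediations)
    return Decision("allow")


def demo() -> dict:
    """Evaluate constructed requests: a healthy device, one with drift, one failing hard."""
    now = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
    healthy = DevicePosture("lap-001", now - timedelta(days=5), True,
                            now - timedelta(hours=6), True, now - timedelta(minutes=10))
    drifted = DevicePosture("lap-002", now - timedelta(days=45), True,
                            now - timedelta(days=7), True, now - timedelta(minutes=10))
    unencrypted = DevicePosture("lap-003", now - timedelta(days=5), True,
                                now - timedelta(hours=6), False, now - timedelta(days=3))
    requests = {
        "healthy_high": AccessRequest("teacher1", True, "sis", "high", healthy),
        "drifted_medium": AccessRequest("teacher2", True, "lms", "medium", drifted),
        "drifted_high": AccessRequest("teacher2", True, "sis", "high", drifted),
        "unencrypted_low": AccessRequest("student1", True, "library", "low", unencrypted),
    }
    return {name: evaluate(r, now) for name, r in requests.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision.action} {decision.reasons} -> {decision.remediations}")
```

The point of the split between hard and soft failures is that a school fleet with stale patches should not be locked out of everything (that just pushes staff onto unmanaged personal devices), but it also should not reach the student information system until the agent has confirmed the repair. Each decision carries its reasons so the outcome can be logged and reviewed rather than silently enforced.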
Another point to keep in mind is that resilient Zero Trust is better than just Zero Trust. Zero Trust technology, and the range of threats to which those tools are susceptible, varies depending on the context in which cyber-resilience is sought.
What can other sectors learn from these attacks?
It’s no longer a matter of ‘if’ but ‘when’ an organisation will suffer a data breach. This means that instead of primarily focusing efforts on keeping threat actors out of the network, it’s equally important to develop a strategy to reduce the impact. In turn, many organisations have started adopting a new strategy to cope with today’s increased cyberthreats, which is called cyber-resilience.
Cybersecurity applies technology, processes and measures that are designed to protect systems (e.g., servers, endpoints, networks, and data) from cyberattacks. In contrast, cyber-resilience focuses on detective and reactive controls in an organisation’s IT environment to assess gaps and drive enhancements to the overall security posture. Most cyber-resilience initiatives leverage or enhance a variety of cybersecurity measures. Both are most effective when applied in concert.