Attacks on schools in UK and Europe are on the rise. How serious is the situation? The UK’s National Cyber Security Centre (NCSC) was recently forced to update its guidance for the sector in light of escalating threat activity. But why? Kids generally don’t have credit cards to steal, and teaching materials won’t fetch much on the black market. Plus, no taxpayer-funded education institution is likely to pay-off online extortionists.
However, the picture is more complicated than that. There are potentially lucrative rewards in store for threat actors targeting the sector, and a large and sometimes under-protected attack surface to aim at.
Why schools are a target
While it’s true that school-aged students may not have bank accounts, and are certainly unlikely to have much money in them, there are other options for the opportunistic cyber-criminal. First, children’s identity data is highly sought after on the dark web because kids, unlike adults, are not likely to notice when a fraudster opens a new line of credit in their name. A study from 2018 revealed that twice as many child data breach victims went on to be defrauded, compared to adults.
The value of targeting schools is that they’re a treasure trove of personal and financial information, including names, dates of birth, telephone numbers, home, and email addresses, and healthcare and insurance data. According to the most recent figures from the EU, there are over 72 million kids enrolled in schools and pre-schools across the bloc — which amounts to plenty of potential victims. To this data we can also add teachers’ payroll information and parents’ financial details.
Then there’s ransomware. Schools have been put under tremendous pressure by COVID-19 and enforced student absences. The prospect of losing network access now could set back their efforts even further, as well as imperiling student coursework, important financial records and even crucial COVID testing data. This is the kind of pressure that online extortionists thrive on. Plus, many schools are not taxpayer funded and may have more autonomy over spending. Nearly 10% of the UK’s 33,000 schools are private, for example, although the pandemic has severely impacted their bottom line.
How schools are exposed
Schools are also seen by threat actors as less well-defended than a typical business. At the same time, the pandemic has forced many to expand their digital infrastructure to support home learning. The European edtech market is expected to grow by nearly 15% over the coming years to top $61 billion. So you have a perfect combination, from an attacker’s perspective, of institutions that are under-resourced on cybersecurity but have a large attack surface of staff and student inboxes, online accounts and remote studying and working devices.
The NCSC explains some of the top threat vectors facing schools in its report. These include:
- Phishing emails – sent to staff or students
- RDP endpoints (compromised via brute forced, phished or previously breached credentials)
- VPN vulnerability exploits
- Other unpatched software such as Microsoft Exchange Server
It takes just one unprotected online account or unpatched endpoint to let the attackers in. After gaining access, they’re often able to move laterally inside systems undetected until they find what they’re looking for, the NCSC warns.
Attacks hit home
These are not just theoretical threats. In March 2021 a London-based schools group suffered a serious ransomware attack which it said had a “significant impact” on its 48 primary and secondary academies. Data at a European level is hard to come by, but the UK is a good guide. The annual government Cyber Security Breaches Survey for 2021 revealed that over a third (36%) of primary schools and over half (58%) of secondary schools had suffered a cyber-attack or breach over the previous 12 months.
Of even greater concern is the fact that, of those that suffered an incident, around half (48%) of secondary school and 41% of primaries reported a negative impact, such staff being prevented from working. A third (33%) of secondary schools and colleges and a quarter (24%) of primary schools also reported a “material outcome” such as a loss of control, data or money.
What to do next
So how can school leaders mitigate these risks without impacting teachers’ productivity or learning outcomes? Fortunately, a best practice defense-in-depth approach doesn’t have to cost the earth. Consider steps such as:
- Prompt patching of operating systems and software
- Use of two-factor authentication for RDP and staff/student accounts
- Phishing awareness training for teachers and students
- Installing anti-malware on every device that connects to the network
- Protection at the cloud application, email gateway and network layer
- Disabling macros and scripting environments
- Backing-up frequently according to best practice 3-2-1 rule
Schools in Europe may be playing catch-up for some time thanks to the impact of the pandemic. But by taking proactive steps to bolster cybersecurity, they can ensure their valuable work isn’t disrupted by opportunistic threat actors.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.