Cybersecurity is as indispensable today as electricity and running water. Everyone deserves strong security and the right to feel safe, but some industries and institutions are favored over others. Education is a case in point. Despite the essential role it plays in shaping our future, it doesn’t get the same degree of protection as enterprises and corporate environments. That lack of priority leaves schools exposed, with weak defenses that attackers exploit with ease.
Last week, the University of Michigan disabled internet and Wi-Fi connections for staff and students across campus in response to a cyber-attack. This disruption affected essential cloud services, including Google, Zoom, Dropbox, and Adobe Cloud, impacting the 51,000 enrolled students at the start of a new semester. Though internet access was restored, and students could continue registration for the new semester a day-and-a-half later, the university did not disclose further details of the attack, cost, or expected remediation.
A cyber-attack of this scale is not the first of its kind in the education sector: earlier this year, Mercer University in Georgia fell victim to a ransomware attack that resulted in the theft of Social Security Numbers (SSN) and driver’s license numbers from student records. Over 93,000 students and staff were affected, leading to two lawsuits against the university claiming they failed to administer adequate cybersecurity protections to prevent the breach entirely.
It should come as no surprise that education institutions are a prime target for hackers. From 2020 to 2021, ransomware attacks against college-level, and even K-12 level, education institutions increased significantly as institutions became more reliant on virtual learning according to Verizon’s 2022 Data Breach Investigations report. In 2020 alone, there were over 400 cyberattacks recorded in K-12 schools.
The financial damages sustained by educational institutions can range anywhere from $50,000 to $1 million, and, unsurprisingly, the remediation process typically extends over several months.
A school may not net the bounty a large business would, but it’s still a viable hunting ground: a wide attack surface and deep troves of personally identifiable information (PII). That’s especially disconcerting for K-12 students, too young to understand the risks. An attacker can steal their SSNs and other sensitive data, then use their identity for fraud years before anyone notices.
Cybersecurity experts know that educational institutions are more exposed than large corporations. Businesses have money; schools have student data, an easy bargaining chip an attacker can hold over administrators, and it warrants equally rigorous protection. Schools already run on limited budgets, and they end up far less secure than large private organizations as a result.
The impact of a compromised school system reaches past the immediate financial hit. It jeopardizes our future as a society, because it’s our youth bearing the brunt of the attack. We build initiatives to protect children from every other kind of threat, then leave them exposed to this one.
Schools should not be at a disadvantage in resources or capability. They deserve the same level of investment as any other sector. Failing to invest in their cybersecurity leaves students carrying risks that can follow them for life. This issue demands the urgency and seriousness we give the rest of a child’s safety.
We at OSec are invested in the future of every young person, and we’ve researched the threat actors who would attack them. That research puts us in a strong position to advise educational facilities of any size, public or private.
If your institution is concerned, let’s set up a time to talk and ensure that our tomorrow is protected.
Let’s talk