In the last 30 days, the education industry accounted for 63% of all enterprise malware reports. In 2020, the education industry faced the highest level of ransomware attacks, with the average payout costing $150,080.
The threat to the education industry
Failure to internally recognise the value of the data the industry holds costs individual facilities money, productivity and reputation. This mindset invites attackers to access banks of personal data and intellectual property.
This year alone, we have witnessed several large-scale attacks with devastating impacts on schools, universities and learning facilities. We take a look at a few of the top breaches that have occurred this year.
Case 1: NSW Education Attack 2021
Attack: In July, the NSW Department of Education was a victim of a cyber attack. Coming just days before students were to return to the virtual classroom, the system went dark. NSW Teachers Federation president Angelo Gavrielatos said, “this has caused a state of paralysis across the NSW education sector”.
Cost: The attack occurred on July 7, and staff and students could only begin reaccessing specific programs like Zoom, Microsoft Office and Google Classrooms three days later. The department revealed the attack might have compromised sensitive information, including contact details. While a financial loss figure is unknown, the attack left teachers unable to access the tools they needed to create lessons and resources and to administer children's return to online learning only days after the attack.
Outcome: The department immediately reported the attack and took all systems offline as a precautionary measure. They were able to isolate the issue and remediate it. The state’s cyber agency even admitted that the NSW government had a low cybersecurity maturity level earlier this year.
Case 2: Melbourne RMIT University Attack 2021
Attack: In February, RMIT University suspended all in-person learning and online systems for several days following a suspected phishing attack. The ABC reported that a phishing email was sent to staff at the university, causing the IT outage.
Cost: New enrollments were suspended, some wages could not be processed, and staff could not return to the campus in the lead-up to semester one.
Outcome: It took close to a week for everything to resume as usual, and the university was criticised for the mild language it used to inform staff and students, highlighting the lack of a crisis response plan. It has still not been reported what data, if any, was compromised.
Case 3: Kaseya Attack 2021
Attack: Kaseya provides IT management software for Managed Service Providers (MSPs) and small to mid-sized businesses. The majority of the users are schools and kindergartens. The attack hit over 100 kindergartens, over ten schools across New Zealand, and over 1000 worldwide. The FBI described it as a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers”. Russian-based groups were suspected of being behind the attack.
Cost: Kindergartens and schools impacted across New Zealand were unable to use their systems for several days. They all had to wait for Kaseya to safely recover any encrypted data affected by the attack.
Outcome: Kaseya was able to access a tool to unlock the data targeted by the hackers, noting that the decryptor came from a trusted third party and confirming that no ransom was paid. It was reported that the group behind the attack (REvil) demanded $70 million for the tool.
What We Have Learned
Attackers focus on industries with rich data banks, and the education industry ticks all these boxes. In 2020, the Australian Government flagged a need for universities to improve their cybersecurity to limit the effects of foreign interference. The State of Ransomware in Education 2021 report found that in 58% of organisations hit by an attack, the attackers succeeded in encrypting data. The data is telling us attacks are increasing, and the industry is not prepared.
It starts with education. Many attacks result from phishing emails (as in the RMIT case), so ensuring your team is upskilled on email security is key.
Next, as education has shifted online, security systems have failed to keep up. A Zero Trust framework is the only way forward for an industry with such expansive landscapes of users and data files.
Finally, as many operators within the education space utilise more SaaS products to mobilise, ensuring visibility across all products in one dashboard is vital for threat management. The ability to gain insights into threats and risks and respond faster with automation is the action needed for the industry to remain protected.
The threats to the education industry are not slowing down; the only way forward is a strategic cybersecurity framework and crisis response model.