Expert assessments on the question of whether and why educational institutions are particularly attractive targets for hackers.
Educational institutions are increasingly under attack by cybercriminals. At least, that is the impression the headlines give: an attack on seven schools in the city of Karlsruhe, one on the Helmholtz Centre in Munich, and nationwide attacks on universities in North Rhine-Westphalia. Schools, universities and research institutions are one of the many public sectors, along with hospitals, utilities and public authorities, that hackers increasingly seem to be going after. But is this really the case? And if so, why?
Spotlight on IT security in educational institutions 1: Are schools, universities and institutes increasingly targeted by attacks?
On the whole, most experts do not consider schools, universities and other educational institutions to be priority or particularly attractive targets for hackers. Generally, cybercriminals look first for vulnerabilities and only then for industries. Nevertheless, the experts do see a certain attractiveness in educational institutions, and it is not only down to a lack of IT resources.
Hackers usually do not even know which institution they are attacking.
For Tom Haak, CEO of Lywand, “hackers usually don’t even know which institutions they are attacking. In Austria alone, we know of a number of educational institutions that have fallen victim to a ransomware attack in recent weeks and months. This is due to the current approach of cyber criminals. They hardly work in a targeted manner, but operate according to the principle of maximising benefit by rolling out their attack campaigns broadly and automatically. Accordingly, they do not specifically seek the way into certain industries, but merely the path of least resistance. For hackers, it is of secondary importance whom they attack, but it is much more important to find a way into foreign infrastructures.”
IT architectures at universities, schools or research institutes are at risk to the same extent as the IT of other small and medium-sized enterprises.
Thomas Krause, Regional Director DACH at ForeNova, comes to a similar conclusion: “IT architectures at universities, schools or research institutes are at risk to the same extent as the IT of other small and medium-sized enterprises. Hackers know that even educational institutions cannot afford a disruption of their operations and, above all, a loss of trust in a sensitive public by disclosing personal data. They can therefore assume a basic willingness to pay for their extortion money. An attempted attack is worthwhile, especially since the threat arsenal is ready anyway. Moreover, hackers see vulnerabilities in IT through opportunistic and automated vulnerability scans. A school may not be very interesting economically for hackers, a university more so.”
The threat level is highly dependent on the type of educational institution.
Similarly, for Ari Albertini, CEO at FTAPI, many hackers do not attack schools and other educational institutions first and foremost “because schools are on their agenda. They’re another victim of phishing emails or viruses that are currently circulating.” However, the attractiveness of educational institutions for cybercriminals cannot be lumped together, Albertini continues: “The threat level is highly dependent on the type of educational institution. In my estimation, primary and secondary schools are not lucrative targets for cybercriminals. However, schools are becoming more and more digital, opening up new attack surfaces and gateways for attacks from outside. The situation is different for universities and colleges: they process critical data from research and development, which can be very lucrative for cybercriminals under certain circumstances. In addition, universities also have significantly more budget. The situation is similar for research institutes: Institutions and organisations that deal with artificial intelligence, for example, promise information that can be capitalised on. Moreover, they have the financial means and also feel the pressure to be able to pay even a high ransom quickly.” For Albertini, hackers definitely target industries as well: “One must not forget that there is still some work behind every cyberattack. The cybercriminals do preliminary work, research, observe and analyse. They acquire knowledge about certain industries and use it to best exploit the vulnerabilities they find along the way.”
Often, success, exposing the educational institution or the possibility of leaving a virtually smeared tooth gap or moustache on the monitors, so to speak, is enough as motivation.
Michael Eder of Concept International GmbH, Business Development Manager and expert for the education sector, sees educational institutions “not in the most popular places for hacker attacks because less business-critical damage is caused than with a multinational corporation”. Nevertheless, there are specific risks and motivations for direct access to hardware: “Educational institutions are usually easy victims. This is due to an often lax approach to security standards. But also because whiteboards, conference facilities, information and contact displays are directly accessible in public or semi-public spaces. Moreover, not every hacker is out to make money. Often, the motivation is simply success, exposing the educational institution or the possibility of leaving a virtually smeared tooth gap or moustache on the monitors, so to speak.”
Our observations of ransomware attacks on businesses see research and education as the second most targeted industry, accounting for 22 per cent.
Bogdan Botezatu, director of threat research and reporting at Bitdefender, says there is no question that educational institutions are popular attack targets, but hackers are not industry-focused: “The advent of malware-as-a-service has increased the natural competition for targets between cybercrime groups. As a result, any industry, regardless of size, is a valuable target for cybercriminals, as they often rely on automated and opportunistic attacks to find their victims and then target them for reconnaissance as well as extortion. Education has therefore always proved to be a popular target for cybercriminals. Masses of personal data that can be shared or sold in underground forums, as well as the immediate and often very easy ways to use ransomware, attract hackers. Our observations on ransomware attacks on companies therefore see research and education in second place among the sectors attacked, with a share of 22 percent. Ahead of that are only – as expected – telecommunication services, which are targeted with 30 per cent of the attacks. Education and research, however, are more in the focus of hackers than government agencies (17 percent) or technology companies (13 percent). And they live more than four times as dangerously as the retail sector, with four percent. Educational institutions have a larger attack surface that spans endpoints, servers, BYOD and cloud services, which are rarely centrally managed. Small IT security teams, often incorporated into departments with services, are overwhelmed with defending such large attack surfaces. Last but not least, security budgets are small and don’t leave too much room for improvement or much opportunity to fight back. Educational institutions are easy targets.”
Spotlight on IT security in educational institutions 2: What are the particular risks for schools, universities or research institutes?
The attacks of cyber criminals may not necessarily be sector-focused, but the risks and effects of the attacks are of course sector-specific.
In the context of ransomware, the disruption of workflows is the biggest concern.
For Lywand’s Tom Haak, “a generally increased threat level can be noted. It is also a serious phenomenon for the education sector. In the context of ransomware, the disruption of workflows is certainly the biggest concern. Schools in Austria affected by ransomware attacks sometimes had to endure weeks of downtime due to their encrypted workstations. One school was hit particularly hard by the attack, as it occurred a week before the school-leaving exams.”
A minimum level of security is not enough if malware gets into the local system and the responsible persons on site do not feel responsible for it, cannot be responsible for it, or these responsible persons do not even exist.
One area of concern for the experts is the varying IT competence of educational institutions. For Ari Albertini of FTAPI, “the digitalisation of the education sector is still in its infancy, and with it the digital competence of the employees. In addition, educational institutions often act semi-autonomously. This means that digital offerings are often centrally controlled or prescribed – and then it is assumed that IT security is also centrally controlled. But such a minimum level of central security is not enough if malware gets directly into the local system via compromised email attachments or links and those responsible on site do not feel responsible for it, cannot be responsible for it, or these responsible people do not even exist. Many hacker attacks also take place on public holidays, for example, when attackers try to exploit security gaps that can arise due to a reduced workforce that is not on duty at that time. An example from the education sector: In 2020, cybercriminals attacked several schools in the US during the Christmas holidays, including Hartford Public Schools in Connecticut and Fairfax County Public Schools in Virginia. They encrypted the PC systems and made ransom demands.”
Opportunity makes data thieves.
Lack of IT security expertise and resources is the main Achilles heel of systems in this area. Thus, for Thomas Krause of ForeNova, “Opportunity creates data thieves. And these first look for the targets that are easiest to attack. From a purely technical point of view, the IT in a school or university is just as at risk as that of a small or medium-sized company. Risks arise from other factors. Besides the healthcare sector, research and education are the sectors most affected by the lack of staff and funds in IT. Universities and schools have a backlog demand in the basics of digitalisation alone. Why should the situation of IT security be any better – when IT often remains or becomes a matter for sponsors, parents, teachers or even institute staff who actually have completely different tasks? Certainly, a basic foundation of IT security is in place, but it is probably not sufficient. Complicated tendering procedures lead to a certain rigidity in the education sector, as new IT technologies cannot simply be tried out, even if they are not immersive and work together with other solutions.”
Vulnerabilities in the internet infrastructure and default passwords are two of the most important causes of successful attacks.
Bogdan Botezatu from Bitdefender sees IT structural risks and the human factor as particular risk factors: “Vulnerabilities in the internet infrastructure and default passwords are two of the most important causes of successful attacks. Often educational institutions use outdated and therefore vulnerable software, which can become a gateway into the infrastructure. ‘Insider threats’ are also not uncommon, as students regularly try to circumvent the defences of firewalls, for example, for various reasons. These include illegal access to grading systems or exam platforms. Insecure network design, lack of access controls and teachers’ limited IT security skills can have a negative impact on the overall security of the institution.”
The first thing you have to do is protect the hardware.
For Michael Eder of Concept, freely accessible hardware poses a particular risk: “So the first thing you have to do is protect the hardware. Quite classically against vandalism and theft with stable housings and lockable holders. But USB ports must also be secured, as must hardware access via Bluetooth and WLAN. Unused ports should be deactivated if not urgently needed. On the software side, security can be increased by restricting user profiles. With the help of anti-malware, firewalls and ideally role-based zero-trust access rules, the appropriate protection for the network behind the DS device should be ensured. A password-protected BIOS, disabled autoplay, a good backup policy and hardware encrypted via TPM go without saying. Last but not least, the network where the end devices are located, such as whiteboards and PCs, should be separated from the main network and operate in a subnet, with monitored access to and from the internet.”