What Makes Schools So Vulnerable To Cyberattack?
In the last installment of this series on security, we discussed how schools are facing a severe level of cybersecurity risk. Today we look at what makes the educational sector particularly vulnerable to cyberattacks.
On the list of sectors most vulnerable to the attention of cybercriminals, education comes up surprisingly high. According to cybersecurity company Symantec, education is in third place, just below healthcare and business services and above insurance, hospitality, and the wholesale trade of goods.
But where’s the gold to be robbed, the vital life-supporting infrastructure to be crippled, or the “glory” from publishing the embarrassing details of the rich and famous? Why would cybercriminals want to attack educational establishments such as universities and colleges when there are surely much better targets around?
The answer to that last question is, at least in part, because they can. Vast amounts of effort have been spent on improving the cyber defenses of traditional targets like banks and retailers, making attacks more difficult and time-consuming. So it may simply be that hackers are turning their attention to more vulnerable organisations out of pure frustration and laziness.
And there happen to be a number of factors that make universities and colleges more vulnerable than organizations in many other sectors.
Unlike business organisations such as finance houses or automakers, for example, educational institutions need to be “open” to function properly: open to communication, open to everyone and most of all open to ideas. So in general, university computer networks and other IT assets tend to be as unguarded and inviting as university and college campuses themselves. Additionally, the names, e-mail addresses, and many other details of key staff and students are usually easy to find in the public domain, and that also appeals to cybercriminals.
For example, because there is so much information publicly available about the people they employ, universities and colleges make ideal targets for phishing expeditions. Phishing works by getting recipients of the criminals’ emails to click on links embedded in the baited messages they are sent. But most of us are used to spotting simple phishing emails now—such as those telling us we have won a prize or asking for help in accessing an inheritance. Increasingly, the key to success with phishing is to make emails so credible that recipients really think they are meant for them.
So much information can be gathered about academics and others associated with universities and colleges that very convincing personalised phishing emails can be created. (This highly targeted, customized version of phishing even has its own name—spear phishing.) And because so much is known about so many people working in educational establishments, a large number of staff can be targeted at once, raising the chances of successful infections with malicious software or malware.
Also, because university and college populations are so transient, the variety of encounters with new devices and networks is immense. Students come and go, bringing all manner of (largely under-protected) networked devices with them, researchers reach out worldwide and visitors pass through from across the globe.
Recent cyber attacks on US universities and colleges include crime rings stealing vast amounts of credit card numbers, foreign governments trying to get into nuclear research databases, and students hacking their way into university administrative computers to change their grades.
There is even one reported case of an institution which, having developed new cryptography technology, had it stolen after it was published for open comment. And there have been reports of other cases where research data has been deliberately destroyed.
It looks as though the education sector is beginning to wake up to the threat their institutions face. Universities and colleges are hiring more information security professionals. And the people involved with information security look like they are getting more attention from the people who run educational establishments.
It does seem, however, that it takes a major breach to really get the attention of college elders. How long will it be before some illustrious heads roll, just as has been the case with earlier hackers’ favourites such as retail?
In the next and final installment we will look at what measures universities and other academic institutions can take to better protect themselves while still being able to carry out their daily work.