The education sector, especially institutions of higher education, have been the focus of Information Security Professionals in recent times. It has been observed that the education sector ranks very high in the list of targets for cyber-attacks. Investigations have shown that these institutions are woefully lacking in preparedness to handle cyber threats and attacks.
Why are educational institutions at risk?
Typically, educational institutions’ networks and systems are not as secure as that of commercial enterprises and SMBs, due to several reasons. Some of these are:
- The very openness of the networks and campuses makes them a free-for-all. It is a state desired by the educational community which is traditionally averse to restrictions of any kind.
- Lack of IT security policy monitoring and implementation.
- Users carrying and using their personal devices within institution’s network.
- Open Wi-Fi hotspots and network access.
- The enormous amount of user information which can be easily compromised attracts the cyber criminals. These range from students’ personal information,credit card data or financial aid records. Additionally, educational institutions also generate a lot of intellectual property through research, which is lucrative for cyber criminals.
- Due to wage structures in the sector being relatively unattractive as compared to the corporate sector, educational institutions are unable to attract and retain top-notch security professionals.
All of these render educational institutions extremely vulnerable to information security breaches, data leaks, ransomware attacks, and so on.
Recent Incidents of Cyber-attacks on Educational Institutions
According to a compilation by EY, these are some of the recent cyber security incidents concerning educational institutions:
1. Pennsylvania State University, US, May 2015
Penn State University’s College of Engineering came under two cyber-attacks that compromised servers and led to a breach of the records of more than 18,000 people. The impact of the attack was so severe that the college network was down for three days.
2. University of Maryland, US, March 2o14
A cyber-attack targeted the university’s network, compromising 287,580 records of students, faculty, staff and related personnel. The database breach affected everyone who had been issued a university ID between 1998 and February 2014.
3. Multiple Japanese Universities, July 2015
Not one, but six Japanese Universities came under simultaneous cyber-attacks. One University reported leakage of 360 email addresses. Another one lost some ID numbers of its website admins.
4. University of Delaware, US, July 2013
Hackers exploited a vulnerability to expose identities of more than 72000 people and stole names, addresses, and social security numbers.
5. King Saud University, Saudi Arabia, January 2012
Unknown elements hacked King Saud University’s website and accessed their user database. The contents, which included email addresses, passwords, and mobile numbers, were copied and dumped on a file-sharing site.
6. Concordia University, Canada, March 2016
Some of the workstations in the institution’s library were infected with keyloggers, which is a malware that captures the user’s keystrokes. It went undetected for almost a year.
The frequency and the impunity with which these attacks have been carried out clearly demonstrate the need for better security in educational institutions. They need to take urgent measures to install appropriate security software, including firewalls, intrusion detection and prevention systems, endpoint security solutions and antivirus for all client machines as well as servers. The institutions also need comprehensive security audits and policies, to uncover and block security loopholes. Any delay in adopting stringent cyber security measures by the education sector will only make them more vulnerable to cyber threats and cause them greater damage as they grow.