Across the education sector, technology is now at the heart of learning. During the pandemic, technology offered a lifeline for the sector, empowering educators to continue learning programs remotely. However, the 2022 Education Cybersecurity Census Report from Keeper Security has revealed that the increasing technologisation of education is also escalating the sector’s vulnerability to cyberattacks, with one in 10 reporting 251 attacks or more each year.
Not only do these attacks put high volumes of sensitive data, from pupil records to qualifications, at risk, but they also carry the risk of serious organizational harm. Over a fifth (21%) of education establishments report that cyberattacks have limited their ability to carry out business operations, 19 percent highlight reputational damage and 7 percent have experienced theft of money.
Education organizations are also concerned that cyber threats are growing, with almost two-thirds (64%) believing the overall number of cyberattacks will increase in the next year. More concerningly, one in 10 (11%) feel unable to gauge whether or not threats will rise, as they are not even tracking the number of cyberattacks they experience.
Investment is Needed to Mitigate the Risk
To prepare for future threats, the education sector will require investment in both technical skills and a mindset shift to boost cybersecurity. Yet just one in five (20%) consider their organization ‘very well prepared’ in the face of cyberattacks, compared to 26% across all businesses. Worryingly, only two-thirds (66%) of organizations in the education sector conduct at least monthly threat assessments, and 17 percent do not conduct them at all, leaving them extremely vulnerable in the face of rising attacks.
The key to tackling evolving threats will be relevant, up-to-date skills and solutions. Yet almost half (48%) state they are lacking in either skills, solutions, or both. Just one in five (19%) offer a highly sophisticated framework to govern access to their systems and a quarter (25%) leave it entirely up to employees to set their own passwords, despite password hygiene being listed as a top security concern by a third (33%) of educational institutions.
Credential, password, and secrets management are other areas that require urgent attention in the education sector. Just a third (36%) state they have complete visibility into users, password strength, identities, and permissions. Part of this may be due to the lack of the right solutions, with two-thirds (66%) highlighting they don’t currently have a secrets manager.
However, it seems that certain steps are being taken to improve cybersecurity in some educational establishments, with 44 percent increasing cybersecurity training, and more than a third (35%) increasing spending on cybersecurity software.
Cultivating a ‘Security First’ Culture
Encouragingly, in education organizations just seven percent say their C-suite views cybersecurity as unimportant. However, recognition of the need to invest dedicated resources in cybersecurity could go further. 43 percent state that their C-suite is committed to making small investments when required, but only a third (32%) state their C-suite views cybersecurity as an area of significant importance and dedicates resources to security strategies.
There is also a mindset shift required when it comes to being transparent when an attack occurs. One in five (19%) IT professionals in the education sector state they have been aware of a cyberattack and kept it to themselves, but ideally, no cyberattack would go unreported. There is also work to be done on building accountability in the sector, with 44 percent stating they are concerned about a breach from within their own organization, further highlighting that trust needs to be strengthened in educational institutions.
A lack of trust and unreported cyberattacks will both cause damage to organizations. Not only do they open the door to cybercriminals, but they limit the ability of organizations to respond and adapt. Cyberthreats are ever-evolving, and staying one step ahead of them requires having total visibility of security breaches.
Likewise, by creating a muddled picture of exposure to cyber threats, a lack of reporting can lead to lower investment, further fuelling risks. A culture in which IT professionals feel they cannot openly share news of an attack harms everyone.
Darren Guccione, Keeper Co-founder and CEO, commented: “With threats growing at an unprecedented rate, cybersecurity must be a top priority for organizations within the education sector. Yet to build defenses, IT leaders in education must understand how the threat landscape is evolving, the harm cyberattacks can cause, and the steps necessary to prevent them. Sharing knowledge, learning from challenges, and collaborating to solve problems are key facets of education itself. They are also principles IT teams must embrace if they are to keep educators and their learners safe from the rising tide of cyber threats.”