Cybercrime on Campus: How Education Became Attackers’ Biggest Target
At the core of educational philosophy is the idea that no two schools (or students) are alike. But regardless of differences in location, revenue or grade level, educational institutions are increasingly facing a common problem: They’re all being targeted by cybercriminals and an arsenal of malware, ransomware and other sophisticated cyberattacks.
In just the past month or so, more than half a dozen K-12 and primary schools, colleges and universities have been hit with ransomware attacks, including two colleges in Dublin, Ireland; a K-12 school district in Fort Lauderdale, Fla., that serves nearly 300,000 students; and a small school system in Basking Ridge, N.J.
But while this wave of attacks is alarming, it’s nothing new. Cyberattacks on schools have been happening for years, but 2020 pushed their number to new heights, making it a “record-breaking” year for cyberattacks on American schools.
According to an alert issued by the FBI, in August and September 2020 the percentage of ransomware incidents involving K-12 schools jumped from 28% to 57%. What’s even more concerning is that this figure doesn’t even include colleges and universities, many of which have been at the center of high-profile attacks.
But this isn’t a uniquely American problem. In a statement issued in March, Britain’s National Cyber Security Centre (NCSC) noted spikes in cyberattacks among educational institutions in the UK in August and September 2020, along with another wave of attacks as students were preparing to return to class this past February.
“In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing,” the statement read. “It is therefore vital that organizations have up-to-date and tested online backups.”
SonicWall Capture Labs threat researchers recorded similar trends in the recently released 2021 SonicWall Cyber Threat Report. In 2020, ransomware rose 62% globally, bolstered by disruption from the COVID-19 pandemic, the large-scale shift to remote work and an all-time high in the price of Bitcoin.
Broken down by industry below, our data shows that education is being increasingly targeted. The number of ransomware attempts per education customer remained comparatively low in the first part of 2020. However, in October it skyrocketed. And in December, the number of ransomware attempts per customer in education was higher than in any other industry in any other month.
While non-ransomware cyberattacks don’t tend to make as many headlines, they can also be highly disruptive and costly. Unfortunately, the education industry didn’t fare any better when it came to most other attack vectors.
Education customers were more likely to see cryptojacking and IoT malware attempts, with the latter being particularly concerning. The number of IoT malware attempts per customer was higher in education than in any other industry. Moreover, a significantly higher percentage of customers was targeted by IoT malware in education than in any other industry — a trend which held for the entire year.
Unfortunately, with many workers still remote, schools struggling to operate on hybrid models as reopening progresses, and Bitcoin now trading at more than double the record it set at the end of last year, attacks have continued to rise. And cybercriminals, emboldened by prior successes, are getting greedier.
In early March 2021, the Broward County School District in Fort Lauderdale, Fla., found itself on the receiving end of a $40 million ransom demand — the second-highest ever. The average ransom demand now stands at $447,000, an amount that doesn’t even account for remediation or any of the other costs associated with an attack.
But those who opt not to pay the ransom — or who are targeted by another type of malware — may still take a huge financial hit. According to Ponemon Institute, in 2020 the average cost of a data breach in education was $3.9 million. The cost and frequency of these incidents have grown to the point that, in late March 2021, the credit rating agency Moody’s Corp. warned that a continued worsening of attacks could impact the credit ratings of higher-ed institutions, which could compound the difficulties these institutions have had mounting an effective cybercrime defense in the first place.
There may be hope on the horizon, however. With the signing of the American Rescue Plan Act of 2021 (ARP) in March, the existing E-rate program — which provides a source of funding for U.S. public and private K-12 schools and libraries — received a $7.1 billion infusion in the form of the Emergency Connectivity Fund. Unlike with traditional E-rate funds, this additional funding can be used for cybersecurity needs both on and off campus.
The ARP also included a $40 billion increase in the Higher Education Emergency Relief Fund (HEERF), on top of the $14 billion originally approved as part of the CARES Act in March 2020. While some of this money is earmarked for student assistance, the institutional portion can be used to improve campus cybersecurity.
This funding will provide a much-needed boost to cybersecurity efforts in the education sector, but unfortunately it won’t be available immediately. In the meantime, schools should continue following guidance issued by bodies such as CISA and the UK’s National Cyber Security Centre, as well as established best practices.
To learn more about how cyberattacks on education compare to those in other industries, such as healthcare, retail and government, download the 2021 SonicWall Cyber Threat Report.