It’s easy to see the turmoil that the UK education sector has faced over the last two years. From remote learning to students quickly changing learning paths based on events around them, or even pulling out of courses altogether, it’s all been very uncertain.
Even though life is starting to bear a closer resemblance to what went before the pandemic, many challenges remain, such as how to provide quality education both remotely and in person, and managing class sizes after many students opted to delay their studies by a year.
From a technology perspective, we know the scramble to deliver classes and teach remotely prompted a range of different technologies to be adopted at speed. But many don’t appreciate that cybersecurity was often an afterthought amidst this urgent rush, with many institutions now far more exposed to cyber threats than they have ever been.
As we face a new academic year, cyber attackers are expected to take advantage of the confused and highly vulnerable state of institutions, creating an urgent issue which institutions simply can’t afford to overlook.
Further education institutions make particularly attractive targets due to the sensitive staff and student data they handle, in combination with the breadth of facilities they use.
Equally, attack-related disruption has become even more powerful in the context of remote learning, with the Association of Colleges noting in their e-book, “CREATING A POST-COVID-19 EDTECH STRATEGY WITH NO-ONE LEFT BEHIND” that an anonymous college had to close down completely for a week after a cyber attack.
The NCSC warned that similar ransomware attacks had featured the loss of student coursework, institution financial records, and COVID-19 testing data too, showing that every aspect of an institution’s data footprint is vulnerable.
Out of sight, front of mind
In the context of learning becoming more distributed, security now needs to extend beyond traditional learning environments. Educational resources that would usually be accessed via on-site secured Wi-Fi, for example, now face an unsecured journey from users back to the main network. The chaotic nature of the rapid transition to this model means procedures were often implemented without the requisite security, and many institutions remain vulnerable, despite having installed anti-virus (AV) software and some form of multi-factor authentication (MFA).
Although FE institutions have been investing more in cybersecurity over the last few years, the National Cyber Security Council has shown that attacks against colleges have increased. The motivation for such breaches can vary, with some purely down to human error, but more often than not attackers are seeking either to steal information or products, elicit the payment of a ransom, recruit individuals for espionage, or spread false information for political or other purposes.
These targeted attacks aren’t unique to the UK’s education institutions, either. A recent FBI report in the US ranked higher education as the number one target industry for ransomware. To put this into perspective, this ranked it higher than financial services, which has not only been the market leader historically, but also handles trillions of dollars a day in executing transactions. So attacks on education really are big business.
Stealing credentials is often the first goal of these attacks, with hackers seeking unrestricted access so they can find – and hold to ransom – important data and functions. Colleges present an especially attractive target because so many individuals in their broad leadership teams retain privileged access. Think the Governors, Senior Leadership Team, the Finance Director or the IT Director – all of these positions bring with them a huge range of privileged access. Locking down the privileges associated with such positions should therefore be a cornerstone of any security strategy.
A dynamic threat
Securing privileged access and identities shouldn’t be limited to senior leadership, though. The dynamic nature of means that users’ access privileges at all levels, from a visiting tutor requesting access to specialist software to students working and studying simultaneously, need to be not only secured, but managed consistently, in the event they should change.
For example, a visiting tutor may be granted a staff login and access to privileged resources on the college network. If nobody monitors closely when they leave, their ‘leftover’ credentials become an easy way in for an attacker. The institution therefore has to keep a close eye on active and dormant accounts to make sure they can be secured when somebody leaves.
Vigilance against such attacks is critical, as they can come in various forms. Some attackers might email students to reveal they’ve obtained their personal data, for example, and instruct them to contact college administrators and urge them to pay the ransom. Such a scenario puts the institution in an extremely difficult predicament. Either they pay and take a financial hit, or don’t pay and suffer reputation loss among the student body, which often leads to decreased enrolment and financial hardship.
Laying the foundations of your cybersecurity defences
Adopting the principle of least privilege is a critical starting point for any further education institution’s security strategy, and must be closely followed by a Zero Trust framework. The latter is an essential tool for securing on-site IT systems because it stipulates that no user can be trusted until they have proven their identity on multiple occasions, through differing means.
IT teams at colleges also need to acknowledge that attackers will inevitably succeed in getting in from time to time, particularly given many students will have been exposed to few targeted cyber attacks at this stage of their lives. Thinking like an attacker is critical in this context. Each team must take action to prevent credential theft, and limit the access that stolen credentials can grant any attacker. This can be done through auditing, to find unsecured accounts, and limiting the access that individuals have to only the tools necessary for their role.
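The account audit described above, covering both the visiting tutor's leftover credentials and the search for unsecured accounts, could look like the following. This is an added example, not code from the author or any product; the export format, column names, group names and the 90-day dormancy window are all assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; column and group names are assumptions.
SAMPLE_EXPORT = """username,role,groups,enabled,contract_end,last_login,mfa
j.patel,finance_director,finance-admins;staff,yes,,2024-09-02,yes
v.tutor01,visiting_tutor,staff;lab-software-admins,yes,2024-06-28,2024-06-27,no
s.green,student,students,yes,,2024-03-11,no
it.director,it_director,domain-admins;staff,yes,,2024-09-03,no
old.gov,governor,governors;staff,no,2023-12-31,2023-12-01,no
"""

PRIVILEGED_GROUPS = {"domain-admins", "finance-admins",
                     "lab-software-admins", "governors"}
DORMANT_AFTER = timedelta(days=90)  # assumed review window


def audit_accounts(export_text, today):
    """Return {username: [findings]} for enabled accounts needing review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"] != "yes":
            continue  # already disabled, so the credentials no longer work
        issues = []
        privileged = bool(PRIVILEGED_GROUPS & set(row["groups"].split(";")))
        # Leftover credentials: the contract ended but the login still works.
        end = row["contract_end"]
        if end and date.fromisoformat(end) < today:
            issues.append("contract ended, account still enabled")
        # Dormant: never used, or no login inside the review window.
        last = row["last_login"]
        if not last or today - date.fromisoformat(last) > DORMANT_AFTER:
            issues.append("dormant")
        # Privileged access without MFA is the widest open door.
        if privileged and row["mfa"] != "yes":
            issues.append("privileged without MFA")
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_EXPORT, date(2024, 9, 4))
    for user, issues in report.items():
        print(f"{user}: {', '.join(issues)}")
```

Run against a real directory export on a schedule, the same three checks give the list of accounts to disable or bring under MFA first.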
Then, they should ensure that those with access to high-value information like sensitive data and administrator privileges are using extra layers of security, such as regularly changing passwords, and using multi-factor authentication for login. The final piece of the puzzle is to ensure security teams have access to security solutions for every area of campus, at all times, to make sure there are no pathways left unlocked.
It’s a scary world out there. Attackers are just as crafty as students, with the only difference being they want to use their tools for illegitimate purposes. Facing these threats with the help of a well-equipped team, with the right tools to blunt their attacks, is critical to maintaining the UK’s world-class vocational education.
David Higgins, EMEA Technical Director, CyberArk