The expansion of the education technology market and increasing digital penetration have driven cybercriminals to gravitate towards entities and institutions in the education sector. Of the total cyberattacks in the Asia Pacific region, as many as 58 per cent targeted education institutes in India.
The primary goal for these criminal organisations is to reap the financial benefits from the treasure troves of personal information, research data and intellectual property that reside within the average academic institution’s environment. The cost of a data breach for educational institutes averaged $3.9 million in 2021, making it an expensive affair and posing a unique challenge to security teams.
Let’s examine three examples of information that are commonly targeted in these academic institutions:
— The first and most obvious is the personal data of students. This can be anything from government identification numbers, medical records, credit card information and bank account information to much more. Not only is this data commonly targeted everywhere because of its value to cybercriminals for conducting fraud, but students are often less vigilant about monitoring and controlling their financial transactions, which makes them especially vulnerable to remaining victims of identity theft and fraud for longer periods of time before they take action to protect themselves.
— Secondly, there is the broader community of employee, alumni and contractor data that is particularly interesting for cybercriminals. The large donations from benefactors, major investment opportunities, large-scale capital projects and other high-value monetary transactions taking place in many universities offer rich pickings for cybercriminals. A cybercriminal who compromises the underlying data of these transactions could leverage it to siphon that funding or potentially identify additional, wealthy targets for spear phishing or other targeted cyberattacks.
— Lastly, and perhaps most unique to academic institutions, is the large amount of research and intellectual property being developed by professors, students and other parties. Research projects that drive new discoveries in science, create medical breakthroughs and build new types of technology that could potentially be monetised in the future represent a huge revenue generator for most universities.
Being the first to publish and lay claim to the research means investors and benefactors alike may funnel millions of dollars to these institutions in order to further drive the research into something usable in real-world scenarios. Researchers and educators in academia, however, come from a culture that supports the open sharing and exchange of information, with security seen as not only an obstacle but an anathema to the spirit of education. This can put incredibly valuable research data and intellectual property at risk of being stolen by competing entities. Protecting this valuable data has to be a critical concern and focus for academic institutions, especially when considering the huge sums of revenue it often represents.
So what are security teams at these institutions of higher learning to do? For starters, focusing on the basics of strong cyber hygiene, including identifying vulnerabilities and areas of exposure throughout the environment and mitigating as many of them as possible, is a key first step. Most cybercriminals still rely on exploiting well-known vulnerabilities that have been around for several years, so prioritizing the remediation of these issues is an excellent starting point.
Additionally, identifying and classifying where your critical data exists in the environment allows security teams to better understand what’s needed to protect that information from outside attackers while still providing the open sharing and access that most educators and researchers require. Least privilege concepts are key here, provided that they don’t impact the ability to work, share and create new data sources related to research efforts.
The rapid adoption of remote learning by academic institutes in India, large-scale digitisation of educational content, and the rise of tertiary online learning platforms catering to the needs of everybody ranging from preschool children to retired professionals have opened up the attack surface. It’s important for security teams to get visibility into the external attack surface their institutions project into the public space. Doing this right will also shine a light on any fraudulent domains with similar-but-not-exact names that cybercriminals may be using to trick end-users, as well as on servers and applications that may have been spun up by developers or researchers without going through official IT channels.
While public-facing servers and applications like these could be used to share data for legitimate reasons, they could also be exposing that data to cybercriminals. Once security teams gain visibility into the attack surface, prioritizing risks, removing shadow IT blind spots and conducting penetration tests become easier. This will help prevent educational institutes from becoming headline-making victims of data breaches.
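As an added illustration (not part of the original article), the sketch below triages hostnames seen on the external attack surface into hosts IT already knows, unsanctioned hosts under the institution's own domain, and similar-but-not-exact lookalike domains. The domain `example.edu.in`, the inventory, the observed hostnames and the homoglyph table are all constructed placeholders.

```python
# Constructed sample data; example.edu.in and every hostname here are placeholders.
OFFICIAL_DOMAIN = "example.edu.in"
INVENTORY = {"www.example.edu.in", "portal.example.edu.in"}  # hosts IT knows about
OBSERVED = [
    "www.example.edu.in",
    "moodle-test.example.edu.in",  # under our domain, missing from inventory
    "examp1e.edu.in",              # digit 1 standing in for letter l
    "exarnple.edu.in",             # "rn" imitating "m"
    "example-edu.in",              # hyphen instead of dot
    "unrelated.org",
]
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

def skeleton(name):
    """Collapse common look-alike character sequences to a canonical form."""
    name = name.lower()
    for fake, real in HOMOGLYPHS:
        name = name.replace(fake, real)
    return name

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, official=OFFICIAL_DOMAIN, inventory=INVENTORY, max_dist=2):
    host = host.lower().rstrip(".")
    if host in inventory:
        return "known"
    if host == official or host.endswith("." + official):
        return "unsanctioned"  # our namespace, but never registered with IT
    # Compare only as many trailing labels as the official domain has.
    tail = ".".join(host.split(".")[-len(official.split(".")):])
    if skeleton(tail) == skeleton(official) or edit_distance(tail, official) <= max_dist:
        return "lookalike"
    return "unrelated"

def triage(observed=OBSERVED):
    return {host: classify(host) for host in observed}

if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{verdict:12} {host}")
```

A "lookalike" verdict is a lead for analyst review rather than proof of fraud, since a small edit distance can also match an unrelated institution's legitimate domain.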
— Written by Nathan Wenzler, Chief Security Strategist, Tenable