While educational institutions are increasingly being targeted by cybercriminals, the threat posed by cybercrime to the field of education is seriously underestimated by most board members and administrators in the sector.
While educational institutions are increasingly being targeted by cybercriminals, the threat posed by cybercrime to the field of education is seriously underestimated by most board members and administrators in the sector.
This is one of the most striking results of a survey commissioned by ICT specialist Breens Network and conducted by market research agency Kantar among managers and IT professionals in secondary general and vocational education. In fact, the majority of educational institutions involved in the study, spend 5% or less of their IT budgets on computer security, as compared to a typical minimum of 25% in the corporate sector.
According to the Microsoft Security Intelligence division, in more than 60% of all instances of cyber-attacks worldwide, educational institutions are the targets of choice. Among the recent victims of cybercrime in The Netherlands were the Staring College, the NWO, the University of Amsterdam, Hogeschool Inholland, the Radboud University and the University of Maastricht. The evidence of a worrying trend is hard to miss, but just the same, only 20% of the administrators and IT specialists involved in the Kantar study turn out to be aware of the situation’s severity.
Over 40% of the surveyed educational institutions admit to having been faced, over the course of 2020, with problems related to IT security. The three most common threats in the field of education, as mentioned by the respondents, are DDoS attacks (62%), ransomware (50%) and malware (50%). “Hardly a day goes by without a DDoS attack on our systems”, says one of the IT officers involved in the study. Remarkably enough, the risk of phishing is generally underestimated, whereas in reality, phishing is more common than ransomware and malware attacks.
The most mentioned effects of cyber-attacks are loss of time and energy (69%), cost (65%) and reduced accessibility (48%). Among the things educational institutions are most worried about, in terms of the effects of cybercrime, are disruption of the continuity of education, personal data breaches and inappropriate use of computer systems by students and staff. “More and more applications are running at external locations, which means that an external DDoS attack can seriously disrupt the internal education processes”, says one IT specialist, while another highlights the special vulnerabilities in these pandemic-defined times: “An infrastructural shutdown would have disastrous effects, since it would cause all classes to be cancelled, especially the classes that are now being conducted online.”
Breens Network CEO Geert-Jan van der Snoek is not in the least surprised by the interest cybercriminals appear to have in the education industry. “As is true for modern society as a whole, education too has become a deeply digitised discipline, as a direct result of its innovation, the drive for lifelong learning, personalised, more inclusive forms of education and all sorts of hybrid learning environments. With the enormous volumes of digitised information now present in educational IT systems, including personal data, financial data, research results, email addresses and sometimes even medical data, cybercriminals, once inside, must feel like a kid in a candy store,” says Van der Snoek. “Educational institutions are way up there on every cybercriminal’s shortlist of favourite targets, which means that it is high time for cybercrime to feature just as high on the agendas of all parties whose joint responsibility it is to provide sustainable and safe hybrid education – the schools themselves, their boards and the government.”
In spite of the steep increase in the number of cyber-attacks aimed at educational institutions, 63% of the institutions involved in the Kantar study mention an unchanged status of their security policies. Even within the subset of institutions indicating to have stepped up their security, the measures actually taken do not always appear to be sufficiently effective to really keep the risks under control. One of the most striking results of the study is that the majority of educational institutions spend 5% or less of their IT budgets on computer security, as compared to a typical minimum of 25% in the corporate sector, which means that businesses spend – at least – five times as much.
The study shows that, in the field of education, the subject of IT security is a frequent topic of conversation, although the debate is usually confined to the IT departments. What is missing is the commitment, on an administrative level, to really tackle the issue, taking action where necessary, monitoring the situation and reporting on it, openly and transparently. There is a mismatch, a discrepancy between ‘saying’ and ‘doing’, between administrative accountability and the delegation of responsibility.
“Educational institutions that are still underestimating the risk of cybercrime, are living very dangerously,” Van der Snoek points out. “What is true for business, is true for organisations in the field of education as well. If they are found to have been lacking in taking appropriate security measures, they can be held accountable for damages incurred by pupils, students and/or third parties as a result of their negligence. Not to mention the reputational damage the organisation itself suffers as a result of the disruption of educational continuity.”
Providing a sustainable and safe hybrid education environment is not primarily the IT department’s job. The responsibility to do so clearly belongs to the board of the institution principally and to the members of the board personally.
The issue also calls for political involvement. In a letter dated May 25 to Mrs Hamer, who is currently conducting interviews in preparation of the formation of a new Dutch government, van der Snoek advises the next administration to develop a clear vision on better protecting educational institutions and students against cybercriminals and on the facilitation of safe hybrid education. One possible measure might involve the requirement for organisations in the field of education to include a dedicated paragraph on IT in their year reports. This would enhance social transparency and accountability, while also making it easier to monitor actions taken. Another advice would be to explicitly assign responsibility for cybersecurity to the boards of educational institutions.
Breens Network has compiled a (free) white paper (in Dutch) containing a number of considerations to help government agencies, educational institutions and policy makers in contributing to the creation of a sustainable, safe (hybrid) learning environment. You can download the white paper here.
