By Graham Hawkey, privileged access management (PAM) specialist, Osirium

When it comes to cyber security breaches, education and childcare is now the UK’s second hardest-hit sector, according to the Information Commissioner’s Office (ICO), accounting for almost one in seven breaches reported since 2019. Leakage of students’ personal details, or the theft of research data, for example, could have a devastating impact on an education provider – putting individuals at risk, damaging reputation, or resulting in legal action and hefty fines.

The most common cause of data breaches within the sector was down to human error, the ICO findings showed. Employees, students and third party suppliers all present cyber criminals with a potential entry point via which they can access sensitive data or critical IT systems. A significant data breach can begin with something as simple as a member of staff being caught out by a phishing attempt, clicking on a link and inadvertently installing malware.

The ransomware threat is also intensifying in the education sector, as it is across all industries: data from Sophos indicates that almost three quarters of all cyber attacks now involve ransomware.

A fruitful target

Ransomware attackers have also begun to change their approach in recent months, launching smaller scale attacks that target a much broader base. Higher education organisations are at significant risk here, as they have thousands of staff and students in multiple locations, using a variety of devices to access resources. In many cases, the IT infrastructure will have grown organically, as organisations have integrated with each other, and added new technologies to existing legacy systems.

This doesn’t mean that schools will be off the attackers’ hit list, however. Every school in the UK is being asked to join a multi-academy trust, and this will result in the formation of connected ‘networks’ that could be extremely vulnerable to ransomware and other types of attack.

The insider threat

As in any sector, it’s the human user that’s most likely to expose an education provider to a cyber breach. They are the ‘open doors’ criminals are seeking to compromise in order to access information. Once a hacker has a foothold in one network or system, they will be able to move laterally into others.

In many academic settings, staff and students move between roles and departments, often retaining access to systems they no longer need. In addition, education institutions tend to depend on an extended network of suppliers and partners, each of which need access to their IT environment.

The result is a complex, diverse IT estate that creates visibility challenges for security teams, and which is very difficult to control.

By focusing on protecting the vulnerable endpoints in their IT environments, schools, colleges and universities can defend against data breaches, and the rising ransomware threat. The most effective approach involves a combination of training, policy, and technology that tightly controls who has access to which applications and systems.

Ongoing training for staff and students

Investing in a comprehensive cyber security training programme will ensure that all users understand the risks to data, the specific threats to watch out for, and the best practice they must follow to avoid breaches. The aim is to build a culture of security, where everyone understands their role and responsibilities around safeguarding information.

Best practice should be enshrined in a set of policies that cover everything from basic security hygiene, to instructions on how to safely carry out specific processes, and rules on which devices are allowed to be used to access the network. Policies must be clear and straightforward, or users won’t follow them.

Training should be delivered on an ongoing basis, and updated regularly as the threat landscape and technology environment evolve.

Even the most experienced and well-trained user can make mistakes. This is why it’s important to bolster education programmes with security measures that control access to network resources.

Control of privileged access 

These days, most cyber criminals prefer logging in to hacking in. Ideally, they want to get their hands on admin credentials that allow them to get into and make changes to critical systems, services and applications. From there, they can steal or delete valuable or confidential data as part of a ransomware attack, adjust permissions, or make changes to security settings, for instance. Everyone who has these admin rights represents a significant security risk.

Organisations can prevent this happening by ensuring that users only have the rights to access the systems they need to do their work, with the very lowest level of privilege, and for the shortest possible period of time.

First of all, you need to identify exactly who holds these privileged admin credentials across the organisation, and what they have access to. Next, determine – on a case by case basis – whether they really need them. Remove rights where they’re not required, and grant users the lowest level of permissions they need to carry out a task, for only as long as they need them.

Securely automating routine tasks that are done with admin rights – such as resetting passwords, or removing logins from staff who have left – will create a further layer of protection. Taking the human out of the equation will avoid errors, and prevent users from having direct access to privileged credentials.

The diverse, disparate and highly connected nature of many education institutions make it largely impossible to know what’s happening at every endpoint in the IT environment. This creates a large, uncontrolled potential attack surface, where the user and device are the frontline. Education providers must make it as difficult as possible for attackers to gain access to systems and networks by compromising individuals. This means implementing education, policy and technology tools to improve their defences against ransomware, and other attacks – and also simple human error.