Online Ed is the New Corporate Threat Vector

Schools became a major hotspot for cyberattacks as students moved to online learning. In the last 30 days, education was the most targeted sector, receiving more than 60% of all malware encounters, or more than 5 million incidents, according to Microsoft Security Intelligence. The Government Accounting Office wants to know what the U.S. Department of Education, Department of Homeland Security and other agencies can do to protect schools from attacks. Some help is coming from the private sector — IBM announced on Feb. 4 a $3 million grant to help protect K-12 schools against ransomware and other attacks. It’s a good start, but more is needed in the way of resources, training and education to truly tackle the problem, especially given the fact that learning from home has increased the threat vector for businesses, too.

Through much of last year, schools were crippled by ransomware as attackers took advantage of beleaguered districts while learning moved online and kids took classes at home. Districts hit by ransomware and other attacks included Fairfax County, Virginia; Connecticut’s Hartford school district; Houston County, Alabama; Fresno, California; Sabine, Morehouse and Ouachita parishes in Louisiana, where the governor declared a state of emergency; Baltimore, Maryland; and Huntsville, Alabama. Moving classes online has created major cybersecurity risks for working parents and their employers as school networks become popular targets. Parents working from home have extended their corporate computing beyond the safe confines of the enterprise and into less-secure home environments, now made even riskier by attacks on school networks accessed by students. This is an overlooked enterprise threat vector that corporate security teams, school administrators, parents and students need to address.

Online Ed Lacking Security Resources, Trained Personnel

Schools are popular targets because they often lack the resources and personnel to focus on strengthening cybersecurity; educational institutions also tend to use older and outdated systems for which patching is difficult.

The major concern with ransomware attacks on schools isn’t just that data is held hostage and systems are shut down until a ransom is paid. Lately, some ransomware attackers have changed their tactics to include the theft of all information encrypted by their ransomware attack. This enables the attacker to effectively blackmail the school, threatening to release stolen data such as student records, emails and passwords if the ransom is not paid promptly. Unfortunately, many attackers are still posting or selling the information online even after ransoms have been paid.

Some stolen information, such as passwords, can lead to further compromises of school computers down the road. Once school networks have been compromised, malware can end up on laptops that students are using at home on the same WiFi networks their parents are using for work. This is where the problem bleeds into the enterprise.

Teaching Security Culture 101

Most school-issued laptops lack the protection of enterprise systems, and district administrators have too much else on their minds to focus adequately on cybersecurity. Many schools lack security professionals on staff. Attackers know students are home and are using the same networks as their parents, a short hop away from sensitive corporate data and access to enterprise networks. In general, students are mostly oblivious to security risks. As a parent and a security professional, I’ve installed security tools on my daughter’s devices and on our networks that actively detect and block malware attempting to compromise my college-aged daughter’s devices. However, no such protection measures are in place on her friend’s devices or networks.

It doesn’t have to be this way. As education becomes ‘critical infrastructure’ for society, we all need to do more to protect it. School administrators need to realize that investing in cybersecurity measures will save them money in the long run; it is a better ROI than failing to act proactively and then having to pay ransoms. Administrators, teachers and students need better awareness and training on cybersecurity issues. Enterprise security teams need to train employees to maintain good cyber hygiene while working from home. Security teams must treat employee home networks as extensions of the enterprise computing environment, and protect them accordingly.

This isn’t a problem that will suddenly go away with the COVID-19 vaccine and students’ return to in-person classrooms. A recent global survey by academic publishing company Pearson Education found that 88% of 7,000 global respondents see online learning as a permanent part of education for all ages moving forward. The longer we wait to address this issue, the more inroads attackers will make into corporate networks via home laptops. This is a teaching moment we all should seize.


Curtis Simpson

As the CISO at Armis, Curtis Simpson is responsible for ensuring that the Armis product continues to maintain its high standard and vigilant focus on platform and customer security and privacy. Prior to Armis, he was the CISO at Sysco, a Fortune 54 corporation. As Vice President and Global CISO at Sysco, Curtis directed a portfolio of innovative and effective business-focused security and compliance programs responsible for reducing security risks faced by a global organization.
