Attackers Don’t Go on Summer Vacation: Cyberthreat is Growing in the Education Sector

By Aby David Weinberg
May 26, 2023 | 5 MIN READ

As teachers wind down the academic year and students start to prepare longingly for summer vacation, many opportunistic attackers are hoping to take advantage of schools letting down their guards. Almost two thirds of CISOs who work in the U.S. education sector believe they are likely to experience a cyber attack within a year, and 62% say they have already suffered a data breach during the past 12 months. In the UK, 9 out of 10 higher education systems report a cyberattack during the same period of time. It’s never been more important for educators to stay informed and aware.

Teachers have an incredible amount of responsibility to contend with. As well as looking after their students, they handle huge amounts of sensitive data, often pertaining to children; they juggle various online platforms and credentials for managing reports, grades, attendance, and teaching materials; and they communicate with both internal and external stakeholders, from government and local councils to parents. Today, phishing is one of the greatest threats to the education sector, and even the most advanced cybersecurity technologies cannot stop more than 99% of malicious emails, so some still make it through to your educators’ inboxes. It only takes a single click on the wrong link or attachment, and an entire school district can be affected.

This threat is a growing one. Global attacks have increased by 38% according to the latest data from Check Point Research, with Education the hardest-hit industry by some margin.


“Many education institutions have been ill-prepared for the unexpected shift to online learning, creating ample opportunity for hackers to infiltrate networks through any means necessary,” commented Omer Dembinsky, Data Group Manager at CPR. “Schools and universities also have the unique challenge of dealing with children or young adults, many of which use their own devices, work from shared locations, and often connect to public WiFi without thinking of the security implications.” There is no doubt that this reality calls for more effective awareness training solutions.

Phishing attacks in particular are up 50%, with Education the most targeted sector.  “AI tools like ChatGPT and phishing kits have significantly contributed to the growth of phishing, reducing the technical barriers for criminals and saving them time and resources.”

As cybersecurity and tech professionals, it’s sometimes difficult even for us to spot these malicious messages. Our educators are not able to have the same level of awareness, especially when their day jobs already demand so much of their attention and professional development. To combat this, teachers deserve to be given the right resources and tools, and intelligent training that has been proven to make a difference. 

Training the Trainers: What Do Teachers Need? 

The problem with traditional security awareness training (SAT) is in part its rigid structure. Automated training sessions are often cookie-cutter and scheduled ahead of time to be completed during a set period of time. Teachers need to set aside an hour outside of the school day and complete the assessment, which is then repeated once or twice a year. This doesn’t really help teachers to see how they would fare in a real-world phishing scenario.  

In terms of phishing or business email compromise attacks, IT decision-makers already know that current solutions are grossly ineffective. According to the 2023 Cyber Workforce Resilience Report, while 86% of organizations have a cyber resilience program, more than half (52%) of respondents say their organization lacks a comprehensive approach to assessing cyber resilience. 

To train educators effectively, phishing simulations are proven to be a smarter way to train against cybersecurity threats. This is because they allow staff to experience what a phishing attack is really like. Simulations need to be continuous throughout the school year and even during the holidays, as this gives teachers enough practice to recognize and report these kinds of threats.

This doesn’t mean that simulations should be appearing in Mrs. Jones’ mailbox every other day. However, our research has shown that monthly training at a minimum is necessary to see optimum impact from cybersecurity awareness training, without overwhelming staff. If employees are seen to be at higher risk, for example those who are new to the school or who are identified as serial clickers, a higher-intensity program is recommended.

As a critical part of effective SAT, educators should be taught what to look out for. Examples include:

Don’t Forget to Bring Students into the Conversation 

While educators and school administrators are usually the top targets in education, students can also be a target for hackers. The summer, when students are waiting to hear back on loans and payment status, or refreshing their inbox waiting for exam results, is a prime time for phishing scams. These could be packaged as emails from the bank or from university officials, and will often catch students unawares. Especially during the vacation period, when institutions are likely to be resourced by a skeleton staff, a cyber attack can be tough to detect and prevent unless it’s caught before it begins.

Because anything from being distracted or tired to sending an impulsive reply can create serious risk, everyone from students to educators and administrators needs to be trained to spot potential cyber-attacks, specifically phishing attacks, which account for the majority of data breaches.

The simple truth is that most users still do not receive enough training, or the right kind of training to protect their organizations. Nearly one-third of users are given training one time each year or not at all, and an additional 29% just two or three times a year. This doesn’t even consider ineffective training. To see results, training should be:  

1. Continuous: With training given at least once each month, when the student or member of staff isn’t expecting it. 

2. Data-driven: Using industry-wide statistical analysis to create the program, and then your own data to iterate and improve. 

3. Adaptive: Honed to your institution and users, including the creation of high-risk groups and both repeat and diverse situations for simulation. 

4. Specific: Content localization improves engagement by up to 30%, and makes learning more memorable, impactful, and relevant. 

Making Cybersecurity Vigilance Second Nature for Today’s Educators

Educators should be able to focus on their students, and not constantly worry about data breaches. But to effectively achieve their goals, educational institutions also need to secure and retain control over their sensitive information and resources. By implementing a training program that makes cybersecurity vigilance second nature, educational institutions can meet both of these goals, staying out of the wrong headlines by encouraging employees to incorporate anti-phishing techniques into their regular, habitual processes.  

Ready to implement effective training and build cyber readiness? Request a demo with our experts at CybeReady to discover the perfect fit for your educational institute.