When I mention the terms “ransomware attack” or “data breach,” what’s the first sector or business you think of?
Most likely your answer was a corporation like Toyota, or the SolarWinds data breach of 2021. Or maybe, if you’re up on your geopolitics, you thought of ongoing campaigns of state-sponsored attacks on government entities. Right?
But what if I told you that one of the fastest growing targets of ransomware gangs is…education?
Threat actors are increasingly targeting both K-12 school districts and institutions of higher ed (colleges and universities) for ransomware attacks. According to their recently released The State of Ransomware 2023 report, Sophos found that education was the number one sector for most increased attacks.
Numbers Don’t Lie
That same report stated that 80% of lower education (K-12) and 79% of higher education were victimized over the past year.
As of May 1, over 20 K-12 school districts (covering 500 schools) in the United States have already suffered a ransomware attack. And one of the biggest ransomware attacks of 2022 was launched against the Los Angeles Unified School District in July 2022, with repercussions lasting months into 2023.
Most K-12 schools now require online accounts for everything from teacher classroom communications to meal accounts, and each student needs a separate account. What do parents do to keep it simple? They use the same password on each of them—which is often the same password they use for other accounts in their life.
That means that once hackers can get into one account, they can get into multiple accounts, expanding their threat surface—potentially including non-school accounts. That’s disturbing.
Higher Education as a Backdoor
However, what might be more disturbing is the increase of attacks on colleges and universities. In May, at least four were attacked:
- Bluefield University in Virginia
- BridgeValley Community & Technical College in West Virginia
- Chattanooga State University in Tennessee
- Mercer University in Georgia
Underfunded Cybersecurity Measures
Colleges and universities have traditionally been behind the times when it comes to updating technology. Large, state-funded universities have to share budget allocations with other state schools. Smaller private universities have stricter budgets.
Not unlike some Small-Medium Businesses (SMBs), these entities need to figure out how to provide cybersecurity across multiple areas including (but not limited to) building access, school-issued technology like iPads, emails, campus-wide systems like CCTV, automated fire suppression and emergency alert notifications.
Those are a lot of entry points. And each system has its own pressure points. And when cybersecurity has to compete with Student Affairs or Athletics for funding—and both of those departments are money generators for other programs – guess which measures get the smaller budgets?
Lax Personal Attitudes
Today’s college-age students fall squarely into Gen Z (born from 1997-early 2000s). They are the first truly digital generation, yet they are among the most nonchalant about cybersecurity measures—which makes for a strange dichotomy.
An Ernst & Young survey published in October 2022 found that Gen Z workers are more likely to ignore mandatory cybersecurity protocols. For example, 58 percent of Gen Z employees were more likely to ignore “mandatory IT updates for as long as possible.”
Given that many data breaches can be traced to human error or an individual’s compromised account, it isn’t hard to see that these attitudes make it easy for threat actors to gain access.
One of the most common methods of credential stealing is socially engineered phishing scams. Many members of Gen Z put everything online; their entire lives are documented. Add in the consideration that many college students are 18-20 years old, away from parental restrictions for the first time, learning new things…again, it’s easy to see how simple it is for a scam to spread rapidly.
What It All Means
If you have a college-aged student, they need to be reminded of the importance of protecting personal information and adhering to cybersecurity measures as set forth by the campus.
However, as we saw with the massive LastPass data breach earlier this year, hackers gained access to corporate and consumer data via outdated software on a DevOps employee’s personal computer. It’s not a reach to think about how easy it could be for a hacker to get access to all of a student’s accounts.
It’s worth remembering that college students have access to some of the nation’s top science labs and infrastructure, and that other students work their way through college or hold summer internships, meaning that they may have professional accounts outside the academic footprint in the broader economy.
If you consider that Ernst and Young also found that 30 percent of Gen Zers were more likely to use the same password for professional and personal accounts, well, you don’t have to be Sherlock Holmes to connect those dots. And remember those K-12 parents who use the same password for all of their kids? Same problem applies.
Gen Alpha is now rising. Start teaching your kids the importance of basic cybersecurity measures now, just as you would other personal safety measures.
Their future personal information may depend on it. ■
