Category: Cybersecurity

Phishing attacks have become an increasingly common threat to individuals and organizations worldwide, and educational institutions are no exception. Ineffective and outdated security practices, undetected vulnerabilities, and increased sophistication of attacks combine to make educational institutions a potential target for attackers. This article discusses the new-age phishing attacks and tips for educational institutions to stay safe.

With widespread online learning and remote work after the COVID-19 pandemic, educational institutions are becoming a prime target for malicious actors looking to steal confidential and sensitive information or install malicious software on school and student information systems. As more educational institutions rely on technology to provide their services, it is essential to understand the risks associated with phishing threats and take proactive steps to safeguard against them to protect the confidentiality, integrity, and availability of valuable educational information systems.

This article will explore the nature of phishing attacks against educational institutions and how the attack vector is getting more advanced, leveraging technologies like AI (Artificial Intelligence) and Machine Learning (ML). It examines the potential impact of such attacks and how institutions can protect themselves against them. Examining real-world examples of successful phishing attempts against educational institutions can provide valuable lessons in preventing similar incidents. By being aware of the threats and implementing effective security measures, academic institutions can protect themselves and their students from the potentially devastating consequences of a phishing attack.

Statistics: Phishing Against Educational Institutions

Education is the third most targeted industry by phishing attempts worldwide after Finance and Healthcare. There were almost 3.2 million phishing attempts against institutions in the education sector in 2021-2022. Some statistics and trends on phishing against educational institutions based on available data are as follows:

• Education saw a 44% increase in cyberattacks in 2022 compared to 2021.
• There are around 2000 attacks per week per organization against educational institutions, or a 114% increase compared to 2020.
• Educational institutions are the least competent in preventing data from getting encrypted in a cyber attack. Higher education reported the data encryption rates at 74%, and lower education was only a little behind at 72%.
• Six out of ten (62%) educational institutions in the UK reported facing cyberattacks like phishing at least once a week. By contrast, primary schools (12%), secondary schools (23%), and further education colleges (20%) faced fewer breaches. (Official Government Data)

Phishing Attacks – The Tip of the Iceberg

Human-created or mass-spam-type phishing attacks are merely the tip of the iceberg, considering the phishing problems faced by educational organizations. AI-based spear phishing attacks can cause catastrophic consequences in the rapidly changing modern threat landscape.

Adversaries combine data from breaches with Artificial Intelligence to target education end users with highly sophisticated phishing and ransomware attacks. Following are some ways malicious actors can misuse AI and target educational institutions:

• Human Impersonation on social networking platforms.
• AI-based texts, images, and videos to target teachers and students.
• AI and ML to improve algorithms for guessing users’ passwords.

Critical Risks Related to Phishing in the Post-Pandemic Digital World

Following are the key risks educational institutions are facing in the post-COVID digital world:

1. AI-Based phishing: Threat actors are now taking in every bit of breached data available on the internet and combining it with AI to target and attack users. As phishing attempts’ sophistication grows, it worries some of the most prominent organizations worldwide. The latest Zscaler ThreatLabz Phishing Report states that global phishing attacks rose 29% over the past year to a record 873.9 million attacks.
2. Poor detection of polymorphic malware: Polymorphic malware uses polymorphic code that changes rapidly – every 15-20 seconds! Most educational institutions deploy anti-malware with traditional signature-based detection techniques to detect and block malicious code. However, with polymorphic malware code, the malware would have changed into something new when the software identifies the new signature. Most security solutions can’t keep up with such evolving malware and cannot detect the threats.
3. Account takeover fraud: Account takeover (ATO) fraud is an identity theft type common today. In ATO attacks, the bad actor poses as a genuine customer to gain control of an online account, make unauthorized changes and transactions, or sell the verified credentials. Malicious actors carry out ATO fraud in bulk by utilizing credential-stuffing tools and bot attacks. They quickly verify stolen login credentials and make it seem their login attempts originate from multiple IP addresses to bypass security systems. The bots can perform over 100 attacks per second, making it faster and easier for attackers to commit numerous account takeovers.
4. The growing number of IoT devices: The pandemic increased the number of IoT (Internet of Things) devices, with teachers conducting online lessons. The rising number of IoT devices and lack of adequate security measures created opportunities for attackers. Shared Wi-Fi passwords, loose security policies, and inefficiently designed IoT infrastructure led to various vulnerabilities that opened doors for malicious actors to access educational systems networks.
5. Risks in cloud services: While cloud services are flexible and offer various benefits, including cost-saving, scalability, and efficiency, they are the primary target for threat actors. Misconfigured cloud services are backdoors for cyber-attacks, leading to data breaches, unauthorized access, insecure interfaces, and account hijacking.

How Educational Institutions Can Protect Themselves Against New Phishing Threats

Educational institutions hold significant confidential and sensitive information, including students’ and their parents’ personal and financial details. Many universities also collaborate with government agencies on cutting-edge research, drawing the interest of other national threat actors. Thus, it becomes crucial for them to protect against new-age phishing threats. Following are some ways they can do so:

1. Leveraging AI-Based anti-phishing solutions: The application of AI in digital security has several benefits. Detecting vulnerabilities and anomalous patterns within extensive networks is a tedious and complicated task for humans. With AI, educational institutions can analyze data from multiple endpoints faster and more efficiently, quickly detecting threats and vulnerabilities before the malicious actors plan attacks. AI-powered Intrusion Detection Systems (IDS) detect dubious and unusual traffic over regular traffic that enters a network.
2. Eliminating local admin rights and managing global admin rights: Giving admin rights to users who don’t require them is a widespread problem that makes malicious actors’ activities easier. Compromising admin-users’ credentials gives them free rein to move about the network, change configurations, install applications, and encrypt or steal data. Educational institutions must maintain efficient user account management with admin permissions across the network (For example, Domain Admins in a Microsoft domain). It includes monitoring the membership of admin groups and changing their passwords when the institute terminates someone who knows those passwords.
3. Selecting a trusted partner in the cybersecurity journey: Schools, colleges, universities, and other educational institutions need the best cybersecurity solution that learns and evolves after encountering new threats. A trusted partner will build security layers, such as anti-malware, secure gateways, firewalls, patching software, and other measures to build a strong defense. The layered cybersecurity approach is the safest way to protect devices and data in a continually changing environment. If one layer, for example, a firewall, gets compromised, additional layers will be in place to ensure your data remains untouched.
4. Knowing what your network looks like: A practical way to assess your cybersecurity posture is to understand how the attackers view your network. They should only see websites, not admin consoles, file servers, databases, or anything else on an internal network. Institutions must regularly scan the Internet-facing systems to know and limit their exposure. Universities can find various commercial solutions and open-source tools that do an excellent job of assessing network risk factors. Additionally, the US Cybersecurity & Infrastructure Security Agency (CISA) and some state governments offer vulnerability scanning for free.
5. Educating faculty, students, and staff: It is crucial to set a security policy that includes passwords, the internet, email, acceptable use policies, etc. Depending on the technology and processes, the policy will set procedures and rules that everyone on the campus must follow while using school Wi-Fi and devices. Once finalized, institutions must publish the security policy to a few easily accessible locations and forward it to new users as an initial step for setting up accounts and devices. It’s essential to keep your faculty and staff aware and educated by holding monthly or bi-monthly training so that they can learn about new threats and brush up on detecting phishing emails.

Malicious actors are constantly refining their techniques and are increasingly targeting educational institutions due to the wealth of sensitive information they hold. AI-based phishing attacks are a particularly concerning threat to schools, and it is crucial for them to be able to detect, monitor, and prevent such attacks before they can cause harm. Colleges and universities should adhere to basic cyber hygiene to protect themselves in the ever-evolving threat landscape. They must also work with trusted partners who can provide them with efficient and state-of-the-art cybersecurity solutions to help them avoid becoming the next ransomware headline.

In addition to basic cybersecurity hygiene, educational institutions should implement multi-factor authentication, regularly backup data, and provide training to staff and students to raise awareness of potential threats. They should also conduct regular security assessments and audits to identify and address vulnerabilities promptly. By taking these proactive steps, educational institutions can protect their sensitive data and prevent costly and damaging cyber attacks.

References

1. (2019, August 27). 5 tips for schools battling a rise in cybercrime. Retrieved February 21, 2023, from Avast.com website: https://blog.avast.com/cybersecurity-tips-for-schools
2. Rathnayake, D. (2022, November 10). Artificial Intelligence, a new chapter for Cybersecurity? Retrieved February 21, 2023, from Tripwire.com website: https://www.tripwire.com/state-of-security/artificial-intelligence-new-chapter-cybersecurity
3. Crumbaugh, J. (2022, October 10). How AI and machine learning are changing the phishing game. Retrieved February 21, 2023, from VentureBeat website: https://venturebeat.com/ai/how-ai-machine-learning-changing-phishing-game/
4. (2020, November 23). How cybercriminals misuse and abuse AI & ML: Report trend micro. Retrieved February 21, 2023, from Dynamicciso.com website: https://dynamicciso.com/how-cybercriminals-misuse-and-abuse-ai-ml-report-trend-micro/
5. Kyrouz, W. (2023, January 17). 5 cybersecurity tips for higher education institutions. Retrieved February 21, 2023, from Dark Reading website: https://www.darkreading.com/vulnerabilities-threats/5-cybersecurity-tips-for-higher-education-institutions
6. Lee, J. (n.d.). What will the post-Covid fraud landscape look like? Retrieved February 21, 2023, from Persona website: https://withpersona.com/blog/what-will-the-post-pandemic-fraud-landscape-look-like
7. Marozas, L. (2020, August 13). We need to rethink cybersecurity for a post-pandemic world. Here’s How. Retrieved February 21, 2023, from World Economic Forum website: https://www.weforum.org/agenda/2020/08/rethink-cybersecurity-post-pandemic-world/
8. Mascellino, A. (2022, October 14). Education sector experienced 44% increase in cyber-attacks over last year. Retrieved February 21, 2023, from Infosecurity Magazine website: https://www.infosecurity-magazine.com/news/education-experienced-44-increase/
9. (2021, March 25). Polymorphic Malware and Metamorphic Malware: What You Need to Know. Retrieved February 21, 2023, from Hashedout website: https://www.thesslstore.com/blog/polymorphic-malware-and-metamorphic-malware-what-you-need-to-know/

In the digital age, educational institutions face the increasing risk of phishing attacks which can compromise students’ sensitive information. This article provides insight into how educational institutions can choose the right AI-Powered anti-phishing solution to strengthen their security controls against such threats.

Phishing attacks have become an increasingly prevalent and persistent threat to organizations of all sizes, and educational institutes are no exception. As institutions of higher learning become more dependent on digital systems and online communication, the likelihood of falling victim to phishing attacks also increases.

Educational institutions can use AI (Artificial Intelligence) to power anti-phishing solutions. However, with numerous options on the market, it can be difficult and confusing to determine which solution will best meet their needs. This text will explore the essential characteristics to look for in an AI-powered anti-phishing technology solution to help educational institutes protect their sensitive information and maintain the trust of their stakeholders. The right solution can always ensure the confidentiality, integrity, and availability of sensitive and confidential data of the institutions.

Statistics: Phishing in the Education Sphere

The following are some alarming statistics concerning phishing and other cyber attacks targeting the educational sector.

• According to the 2021 Netwrix Cloud Data Security Report, most educational organizations encountered phishing attacks (60%) and account compromise (33%) in 2020.
• The K-12 Cybersecurity Center reported a record-breaking 408 cybersecurity incidents across 377 school districts in 40 states.
• Cyberattacks targeting educational institutions increased by 75% in 2023.
• In 2021, the education sector ranked as the third-largest industry targeted by spam and credential phishing attempts, numbering over 2 million.

What Makes Educational Institutions a Lucrative Phishing Target?

Educational institutions have become a lucrative target for malicious actors for several reasons, as listed below. It shows how vital the need for advanced phishing prevention methods for educational institutions is.

• Research Material, Patents, IP: Innovation and patenting are crucial aspects upon which universities rely heavily for economic growth. Threat actors seek to disrupt these critical activities and the associated benefits they provide, making them a prime target for cyberattacks. The institutions store valuable intellectual property, including research material, patents, and other sensitive information that threat actors can monetize for their gain.
• Lack of Expert and Experienced Security Personnel: Many educational institutes lack expert and experienced security personnel to monitor and protect their digital infrastructure, making them an easy target for cyberattacks. Additionally, the lack of experienced personnel implies that universities may need help implementing adequate security measures.
• Changing Phishing Tactics: Another reason educational institutes are a prime target for malicious actors is the constantly evolving nature of phishing tactics. Such attacks often employ sophisticated techniques that can trick even the most tech-savvy individuals into giving away their personal information. As remote learning and digital communication practices become widespread, phishing tactics are becoming more sophisticated, making it more challenging for educational institutes to protect their staff and students.

Two Main Ways Through Which Threat Actors Target Educational Institutions

The following points show how threat actors can infiltrate restricted databases of educational institutions and what attack vector vectors they use to carry out their malicious operations.

• Outdated or Unpatched Systems: Threat actors can infiltrate obsolete or unpatched systems of educational institutions by exploiting known vulnerabilities in software, operating systems, or applications that haven’t been updated or patched. They can use tools like port scanners to find open ports and identify vulnerable services. Once they gain access to the system, they can install malware, steal data, or use the system to launch further cyberattacks.
• Variety of Phishing Techniques: Phishing is a tried-and-true method for malicious actors, and they often use it to camouflage malware as a message from a reliable and trustworthy source. These threat actors often deploy social engineering tactics through email, phone calls, or text messages (smishing), with email being the most favored method. The threat actors request access to privileged information or provide links to malicious attachments to deceive the recipient into downloading malware.

What Educational Institutions Can Do to Keep Their Students Safe and Information Assets Secure

As is evident from the above sections, the cyber threat to universities, colleges, and schools is here to stay, and strict and immediate action is vital for all educational institutions. The following security measures and approaches will help them go a long way in protecting their critical data assets.

• Endpoint Security: The concept of endpoint security may take time to capture one’s attention, but it is critical in the digital age. Endpoints, such as laptops, phones, and other devices, are vulnerable to cyber attacks, which may take the form of phishing incidents or other direct and indirect attempts. Endpoint-focused cybersecurity solutions are necessary to identify and address malware issues that traditional email and phishing defenses may overlook, especially for educational institutions.
• Cybersecurity Expertise: Educational institutions and universities must work with IT administrators possessing expert cybersecurity knowledge. Increasingly sophisticated cyber-attacks necessitate more than a traditional IT team with limited cybersecurity expertise. Several public sector groups have established new cybersecurity roles to address this critical need. Educational institutions on tighter budgets can also go for vCISOs (Virtual Chief Information Security Officers) or the CSaaS (Cybersecurity-as-a-Service) models.
• Use of AI as a Predictive Tool: One practical approach is to leverage AI technology to detect and prevent phishing attempts before they can cause any harm. AI can analyze factors such as email metadata, sender reputation, and message content to identify suspicious emails and flag them for review or automatically block them. Such a proactive approach can help reduce the risk of successful phishing attacks, especially as threat actors become more sophisticated in their tactics.
• Selecting a Trusted Solution Provider: A trusted solution provider is critical to protecting educational institutions from phishing. The process of selecting one involves choosing a security vendor that has a proven track record of providing reliable and effective cybersecurity solutions and one that is up-to-date with the latest threats and trends in the cybersecurity landscape. By working with a reputable vendor, educational institutions can ensure they have access to the best tools and expertise to help mitigate the risk of phishing attacks.

Key Characteristics to Look For in an AI-Powered Anti-Phishing Solution

Here are key characteristics and aspects that educational institutions should look for and consider while selecting AI-powered anti-phishing solutions:

1. Ease of Implementation: By prioritizing ease of implementation, academic institutions can simplify the deployment process, reduce the risk of errors, and ensure quick performance. Therefore, an ideal anti-phishing solution should be cloud-based and platform-agnostic, allowing it to be installed and operated seamlessly across multiple devices. It should work quietly in the background without disrupting the educational institutions’ productivity or daily activities.
2. The MSP/MSSP’s Reputation and Support:  A reputable MSP (Managed Service Provider) or MSSP (Managed Security Service Provider) with a history of providing high-quality anti-phishing solutions can instill confidence in an educational institution, indicating that they are partnering with a trustworthy and reliable provider. Moreover, a robust support system provided by the MSP/MSSP can offer a safety net for educational institutions, as they can seek expert guidance and support in addressing any issues that may arise. It can be crucial for institutions with limited IT staff or cybersecurity knowledge.
3. Quality of Service: Educational institutions should prioritize the quality of service offered by an AI-powered anti-phishing solution. Quality of service is essential to maintain the security and integrity of the institution’s network and data and to ensure the safety of its students, faculty, and staff. The solution should be designed to provide reliable and efficient protection against phishing attacks while guaranteeing minimal disruption to daily activities and should be regularly updated.
4. IT Environment Setup: The efficacy of any anti-phishing solution also depends on the specific IT environment in which it is deployed. By assessing the IT environment, educational institutions can identify unique characteristics or requirements that must be considered in selecting an anti-phishing solution. Evaluating the IT environment can also help them determine the scope of the anti-phishing solution, ensuring that it is tailored to meet their specific needs and providing the essential features and capabilities to detect and mitigate phishing attacks effectively.

Phishing attacks are a significant threat to educational institutions as they target students and faculty members, compromising sensitive information and damaging institutional reputation. AI-powered anti-phishing solutions can help prevent these attacks by detecting and mitigating phishing attempts in real-time.

With an AI-powered anti-phishing technology solution, educational institutions can enhance their cybersecurity posture and protect their sensitive data and resources from the growing threat of advanced phishing attacks. As the threat landscape continues to evolve, investing in state-of-the-art anti-phishing technology is essential for educational institutions to secure their digital infrastructure and protect their staff, students, and other stakeholders.

References

1. Daly, A. (2021, August 24). 6 characteristics of the ideal phishing software solution. Retrieved February 16, 2023, from Inky.com website: https://www.inky.com/en/blog/6-characteristics-of-the-ideal-phishing-software-solution-2021
2. Goled, S. (2020, October 4). AI is A double-edged sword in phishing. Retrieved February 16, 2023, from Analytics India Magazine website: https://analyticsindiamag.com/ai-is-a-double-edged-sword-in-phishing/
3. Landau, S. (2021, July 9). 7 phishing awareness and anti-phishing tips for the education sector. Retrieved February 16, 2023, from eLearning Industry website: https://elearningindustry.com/anti-phishing-awareness-tips-for-education-sector
4. The top 5 cyber threats within the education sector. (2022, June 7). Retrieved February 16, 2023, from Avertium.com website: https://www.avertium.com/resources/threat-reports/top-5-cyber-threats-within-education
5. Bresnick, P. (2021, March 8). 4 Reasons Cyber Criminals Are Targeting Higher Education: Part 1 Retrieved February 16, 2023, from Fierceeducation.com website: https://www.fierceeducation.com/best-practices/4-reasons-cyber-criminals-are-targeting-higher-education-part-1

Educational institutions are always considered soft targets for cyber attacks because they contain massive volumes of data, and many of them are often not adequately secure. Here is a look at their vulnerabilities and ways to prevent cyber attacks from compromising their information assets.

Critical Threats Facing Educational Institutions in 2023

Educational institutions have a massive amount of data in their databases. Besides, many do not employ the most robust cybersecurity strategies to protect their information assets due to budgetary constraints and other reasons. In addition, the pandemic forced almost all institutions to conduct their classes online, and most were ill-equipped to do so. Thus, malicious actors got the opportunity to exploit their digital vulnerabilities and launch cyber attacks on their network systems. Here are some critical cyber threats facing the educational sector in 2023.

1. Phishing: Statistically, educational institutions have the maximum number of social media users, making it attractive for malicious actors to launch social engineering attacks through phishing. The Verizon Report underscores phishing as the most critical threat to educational institutions.
2.  Malware/ Ransomware: The FBI has stated in its alert that ransomware activity continues to plague the educational sector, including many colleges and K12 schools in the US.
3.  Data Breaches: Since educational institutions contain significant volumes of confidential data but do not necessarily have robust cybersecurity measures, data breaches are a critical threat. IBM’s DBIR 2022 estimates the cost of a data breach in the educational sector to be around $3.86 million.
4. Unpatched and outdated software: The Verizon Report shows that unpatched and outdated software systems rank amongst the primary causes of cyber attacks on educational institution information network systems.
5. Cyberbullying: With almost every student having access to smartphones and the internet, instances of cyberbullying are on the rise. The Cyberbullying Research Center report states that about 37% of students have experienced cyberbullying.

Phishing and Malware Attacks Against Educational Institutions: Statistics

As evident from above, educational institutions are popular soft targets for malicious actors. The following statistics show a snapshot of the cyberattack landscape of the educational sector.

• CISCO 2021 Report states that the educational sector is the second-highest targeted sector for phishing and malware attacks after financial institutions.
• According to Emsisoft’s year-end report, 1981 schools were hit by ransomware attacks in 2022, almost double the number from 2021.
• Educational institutions witnessed a steep increase of 75% in cyber attacks in 2022.

Why Are Educational Institutions a Soft Target For Phishing And Malware Attacks?

Cyber threat actors relish uncertainties, and the pandemic presented them with many on a platter, especially from the education sector, because a significant part of education switched to online, and most institutions were ill-equipped to handle the change. Moreover, educational institutions have been a perennial soft target for phishing and malware attacks. Here are some reasons for it.

Large volumes of research and confidential data

Educational institutions contain massive volumes of data, including student credentials, financial information, valuable intellectual property, and vast research data. Therefore, threat actors can access highly credible information if they infiltrate the educational institution’s information network systems, which makes schools, colleges, universities, and research centers lucrative targets for malicious actors.

Multiple people accessing educational network information systems

University campuses usually offer accessible Wi-Fi facilities to their students and users. Threat actors can use such networks and compromise Wi-Fi connections to launch ‘evil-twin’ attacks to exfiltrate confidential information from unsuspecting and insecure users. Since multiple people access the institution’s information network systems, it can be challenging to identify such attacks.

Perimeter focused environment

Usually, educational institutions focus on establishing a security perimeter to prevent malicious actors from accessing their networks. In the process, they concentrate less on insider threats and ignore the possibility that someone might have already accessed their information network system and already be creating mischief. Unfortunately, this myopic approach makes educational institutions vulnerable to advanced malicious actors.

Comparatively fewer security measures

Though university campuses and schools aim to secure their information network systems and prevent malware and phishing attacks, many have less stringent security measures, like in the financial and other business sectors, due to budgetary constraints and other reasons. Employing comparatively fewer security safeguards puts these institutions at a higher risk of a cyber attack.

Supposedly less awareness among users

While educational institutions are highly vulnerable, all of them do not usually employ top-level cybersecurity professionals to oversee their security strategies. As a result, there needs to be more awareness among their employees and vendors who access their systems. Besides, the steady stream of fresh students annually flowing into these institutions results in more users with lower awareness levels accessing various data. As a result, it widens the scope of the cyber attack vector for malicious actors to launch phishing and malware attacks.

Steps Educational Institutions Can Take to Prevent Malicious Attacks

As educational institutions are highly vulnerable to cyber attacks, securing their cybersecurity infrastructure becomes a top priority. The education sector can employ the following strategies to prevent malicious attacks and protect its information assets from data breaches and ransomware incidents.

Strengthen the Wi-Fi security using WPA3 connections and compatible devices

Every internet device must be WPA3 compliant today, as cybersecurity professionals globally consider this connection standard the most secure. Furthermore, since educational institutions usually offer free Wi-Fi to their students, employees, and other users within the campus, it becomes imperative to strengthen the Wi-Fi connections by using WPA3 protocols.

Improve incident detection and response, and data monitoring systems.

Traditionally, human error is a primary vulnerability that educational institutions and other organizations encounter. Therefore, they should improve their network and data monitoring systems to prevent malicious activities. It can help quarantine the affected assets if identified on time. Secondly, there should be an increased focus on incident response strategies because time is crucial when an incident takes place. The longer the delay in responding to an incident, the greater the damage.

Keep network systems and devices up-to-date with vulnerability scanning and effective patch management.

Cyber attackers keep looking for new vulnerabilities and innovative ways to infiltrate information network systems. Therefore, educational institutions should ensure efficient vulnerability scanning and deploy appropriate patch management strategies to address cyber threats. The standard protective control measures include application firewalls, anti-virus software, intrusion prevention systems (IPS), data loss prevention (DLP), URL filtering, and email security.

Ensure effective IAM and PAM systems are in place.

Insider threats are challenging to detect because malicious actors, in that case, are people who know the systems and their vulnerabilities better than external attackers. Therefore, educational institutions should have proper network segmentation to prevent lateral and horizontal movement. In addition, they should employ effective IAM (Identity and Access Management) and PAM (Privileged Access Management) systems to ensure that authorized users get only activity-based access to the information network system following principles like ‘least privilege’ and ‘need to know.’

Improve user education and ensure proper user control measures.

Proper user education can help stop cyberattacks before they occur. Therefore, every educational institution should disseminate quality information on cyber hygiene and ensure suitable user control measures. For example, maintaining password hygiene can prevent data breaches and IoT attacks. In addition, proper cyber hygiene can help users identify phishing and social engineering attacks before they occur.

Hiring the right managed security service provider (MSSP) and advisors.

While encouraging users to maintain self-cyber hygiene is critical, educational institutions should also focus on hiring qualified managed security service providers (MSSPs) and advisors. It helps the system to remain updated with the latest and most robust security measures to prevent cyber attacks. In addition, quality cybersecurity staff ensure excellent backup support during emergencies.

Leverage specialized services.

Traditional anti-phishing software and tools can help deal with regular attacks. However, malicious actors employ advanced AI-based techniques to launch innovative attacks, prompting educational institutions to use specific AI-based tools for anti-phishing and state-of-the-art endpoint security. Specialized vendors provide these services that help prevent phishing and malware attacks.

Parting Thoughts

References

1. Quorum. Why Higher Education Institutions are a prime target for cyber-attacks? (2021, August 31). Quorum Cyber; Quorum Cyber Security Limited. https://www.quorumcyber.com/insights/why-higher-education-institutions-are-a-prime-target-for-cyber-attacks/
2. Morgan, C. Why is the Education Sector a Target for Cyberattacks? Enterprise Network Security Blog from IS Decisions. https://www.isdecisions.com/blog/it-security/why-is-education-a-target-for-cyberattack/
3. Critical Insight. (n.d.). Top 10 cybersecurity priorities for schools. Criticalinsight.com. Retrieved February 19, 2023, from https://www.criticalinsight.com/resources/news/article/top-10-cybersecurity-priorities-for-schools
4. Muravyova, E., Utkin, A., & Valiullin, B. (2020, November). Determining the vulnerability of educational institutions in terms of the requirements of the program “My city to prepare.” Researchgate.net. Retrieved February 19, 2023, from https://www.researchgate.net/publication/347036020_Determining_the_vulnerability_of_educational_institutions_in_terms_of_the_requirements_of_the_program_My_city_to_prepare
5. Jalbout, M. (2019, July 17). Educating the most vulnerable: Universities’ greatest impact. Brookings. https://www.brookings.edu/opinions/educating-the-most-vulnerable-universities-greatest-impact/
6. Taylor, H. (2019, September 26). Ransomware and phishing issues in educational institutions. Preyproject.com. https://preyproject.com/blog/ransomware-phishing-educational-institutions Avertium. (2022, June 7). The top 5 cyber threats within the education sector. (n.d.). Avertium.com. Retrieved February 19, 2023, from https://www.avertium.com/resources/threat-reports/top-5-cyber-threats-within-education

On February 9, a significant update was issued by the U.S. Department of Education’s Federal Student Aid (FSA) office. The update pertains to compliance with the Safeguards Rule, a component of the Gramm-Leach-Bliley Act (GLBA) that deals with customer records and information security and confidentiality. The GLBA, as described by the Federal Trade Commission (FTC), sets out to provide a robust framework for financial institutions to protect their customers’ personal data.

The GLBA applies to institutions of higher education that engage in financial activities such as providing student loans or banking services. Non-compliance with GLBA regulations may lead to the loss of eligibility for federal funding, potentially impacting the institution’s ability to offer financial aid to students. Non-compliance with GLBA regulations may lead to the loss of eligibility for federal funding, potentially affecting the institution’s ability to provide financial assistance to students.

The notice from the FSA emphasized the FTC’s decision to bring the revised Safeguards Rule into effect from June 9, 2023. The update outlines the major points of the Safeguards Rule following modifications made by the FTC in December 2021, highlighting FSA’s expectations for compliance.

A critical aspect of the announcement lies in how it applies the GLBA-defined term “customer information” to higher education, the domain of FSA’s oversight. “Customer information,” as defined under the GLBA, refers to data obtained during the provision of financial services to a student, whether current or past. The scope of financial assistance can include administering Title III and Title IV programs, offering institutional loans, including income share agreements, or servicing a private education loan for a student.

The FSA notice zeroes in on two main provisions of the revised Safeguards Rule, set to become effective in June:

1. The requirement for institutions to encrypt customer data both at rest within institutional systems and during transmission across external networks.
2. The mandate for multi-factor authentication (MFA) for anyone accessing customer information via institutional systems.

These provisions underscore the FSA’s commitment to enhancing data security and privacy within higher education institutions. However, the notice also alludes to some uncertainties in the enforcement process for Safeguards Rule compliance. It mentions that the FSA will resolve compliance issues linked to the new Safeguards Rule provisions once they come into effect, primarily through institutional Corrective Action Plans (CAPs). It doesn’t clarify what “other means” could lead to a compliance investigation nor provides any framework for the CAPs that institutions need to create and execute.

The reference to “other means” may stir apprehension, echoing a situation years ago when an FSA official sent compliance notices based on media reports of alleged cybersecurity incidents. This necessitates clear communication from the FSA regarding potential triggers for compliance investigations, apart from federal single audit findings.

Concluding the notice, FSA reinforces the importance of institutions adopting the NIST SP 800-171 cybersecurity guidelines concerning federal student financial aid data. The federal government’s controlled unclassified information (CUI) regulations will soon mandate institutional compliance with NIST SP 800-171.

As these changes unfold, CAG is committed to closely collaborating with community members to ensure that FSA’s guidance and enforcement adequately address the regulations and compliance areas.

Where can I find more information? For additional information, see FSA’s electronic announcement: Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements. If you have questions regarding the Department of Education’s enforcement of GLBA, please get in touch with FSA_IHECyberCompliance@ed.gov. More information is also available on the Federal Trade Commission’s website. Updates to the Gramm-Leach-Bliley Act Cybersecurity Requirements | Knowledge Center