
Education sector hit by cybercrime – and how one school struck back.

Posted 01 March 2022 by Laura

According to the National Cyber Security Centre, “in recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing.” They have recommended that organisations in the education sector follow their guidance on mitigating malware and ransomware.

Remote access is easy to access.
It doesn’t take Sherlock Holmes to notice the correlation between more people logging in from home and the huge surge in ransomware. Attackers will target an organisation’s networks via remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPNs).

The most common ways that a hacker will gain access to an environment are weak passwords and a lack of multi-factor authentication (MFA). The list of the 10 most common passwords is eye-wateringly difficult to comprehend in such a complex world. But we also probably all have that one friend or family member who likes to “keep it simple”, opting for a weak password that is used for multiple identities, devices and applications.

But when you’re responsible for managing the identities of multiple members of staff and a student roll of 1,000+ students, there’s bound to be a few “keep it simple” folk in amongst the group. And, unless there are strict rules (and crucially, multi-factor authentication) in place, this is where the fun for hackers really begins.

Remote access
A remote access protocol allows staff and students to access their desktop computers or servers from another device over the internet. Ransomware attackers look out for remote access configurations that are unsecured – and then gain access to victims’ devices. In organisations where everyone is using a corporate-owned device, this is relatively easy to manage. But put that scenario in an education setting, where the majority of users will be using their own laptops and phones for studying and accessing their email and apps, and things suddenly get a lot more serious.

Attack by phishing
In a phishing attack, hackers take on the role of a trusted identity, tricking users into opening emails, texts or instant messages. In a university, for example, an email from the Vice Chancellor or Student Union with a catchy or seemingly important subject line is all that’s needed to entice the entire university to open the email. It’s easy to see why the education sector has suffered such a blow since the start of the pandemic. In fact, a 2021 UK Cyber Security Breaches Survey reported that 91% of breaches in Further Education colleges, 86% of secondary schools, and 84% of primary schools were carried out through phishing attacks.

So, how can you secure your organisation against phishing attacks:


Cyber security breaches in the education sector
A Cyber Security Breaches Survey 2021 spoke to 135 primary schools, 158 secondary schools and 57 further education colleges – and compared the number of identity breaches within those categories to a typical UK business. It’s important to note here that of course, only breaches that have been identified have been included. With the practically overnight switch to remote learning, and the overwhelming list of tasks suddenly put on often small IT teams, it’s anticipated that things like penetration testing, monitoring and reporting were often overlooked – which could skew the data even further.

Percentage of breaches in education settings compared to all UK businesses:

  • All UK businesses: 39%
  • Primary schools: 36%
  • Secondary schools: 58%
  • Further education colleges: 75%

A moral social responsibility
With responsibility for maintaining the cloud security and systems of an educational setting comes a strong moral obligation. The identities of users (some of whom are children and some of whom are particularly vulnerable) and their private data, including healthcare records and family history, are in the hands of IT managers and cloud specialists. As an industry, it’s up to all of us to ensure this information is securely stored and managed in the cloud.

Interestingly, schools and colleges are more likely than the typical business to have asked for information or guidance around their cyber security posture – with 27% of primary schools, 23% of secondary schools, and 42% of colleges contacting their external IT provider.

UK schools group take on cyber ransomware gang
When The Harris Foundation found itself with a ransom demand of nearly £3 million, school leaders had to decide whether to stump up the cash or suffer the consequences. The Radio 4 programme File on 4, in its episode Held to Ransom (perfect if you're trying to tear your eyes away from a screen for half an hour), has "unique access to the negotiations that took place between an Israeli security company and Russian hackers". Now that's resilience against ransomware if ever we saw it.

The lure of high-profile institutions
It has just been reported by Forbes that hackers have broken into 'biochemicals systems' at one of the world’s top biology labs. Oxford University has confirmed that it has detected and isolated an incident at the Division of Structural Biology (known as Strubi), which is now being investigated by the NCSC.

Interpol warned last year that organised criminals will be likely to target organisations involved in Covid-19 research and vaccine development. And although the big pharma companies might be first to spring to mind, research universities, it seems, might be just as lucrative in the eyes of cyber criminals.


Playground tactics (no rabbit in a hat tricks)
Whether you’re principal of an education setting, the Head of IT, or you sit as a Governor, there are practical things that you can do. And things that you can encourage your entire organisation to do – from Board and senior management level to students and parents.

The scope for increasing your security in the cloud is massive. But, small steps will help to get there.

Step 1: Review and remediate passwords.

  • Are there any that are just too glaringly obviously easy to spot? (We must note here that password security just isn’t enough anymore… read on for how to back your passwords up.)
  • Passphrases, made up of three or more words, are preferred over passwords which are far easier to guess – especially if the hacker’s been stalking you on social media for a few months...
  • Force users to change their password by implementing password policies. Yep, it can cause a stir at first – but as users become more and more used to their friends’ Insta accounts being hacked, they also become more engaged in wanting to prevent it happening to theirs. Sad but true.

Step 2: Enforce multi-factor authentication.
It’s so easy to install and use – in its most simple form, it provides an extra layer of security to user sign in. Everyone who needs to access an application on a device should do it with an authenticator app by their side. Available from all good app stores…and you don’t even have to be a techy to use it (just ask my mum).

Step 3: Hands up, please.
Asking for help from an external cyber security expert is really important. Things change – knowledge and expertise need to grow at the same rate as the organisation, the technology and the trillion-dollar industry (yep, you read that right) intent on making legitimate businesses (and the people within) suffer. And with knowledge and expertise comes great power – education is key. Y’know the story...

 


 If you're looking to increase the security of your education setting in the cloud, but you're not sure where to start, put the kettle on and settle down with Azured's guide to identity and access management.
