Securing the Future of Education

A smiling student looking at her laptop in a classroom

Securing the Future of Education

Co-Authored By: Alvaro Vitta, Microsoft’s Worldwide Cybersecurity Lead for Public Sector and Serena Sacks-Mandel, Microsoft’s Global CTO for Education.

Accelerated by the pandemic, educational organizations are increasingly applying technology to make learning more equitable and accessible, while also helping students develop their technology skills to be ready for the workforce. As our schools adopt more technology, and cyber threats increase, it’s vital that educational organizations implement critical safeguards to protect their students and ensure they don’t fall victim to cyberattacks.

In recent years Schools, Colleges and Universities around the world are facing a significant increase in cybersecurity attacks, far more than other industries. The chart below shows that Education is attacked through malware far more than other industries. While this is a snapshot of a live site showing malware encounters in the past 30 days, the proportions remain consistent.   

Graph showing that of the over nine million devices that reported malware encounters in the last 30 days, the vast majority have attacked education organizations.
Figure 1: Most Affected Industries Graph from Microsoft Security Intelligence website showing education as the most affected industry as it relates to malware encounters in the last 30 days. This graph is from March 2023.  

Education organizations have become an attractive target for cyber security attackers because of the valuable data they store and the perceived weaknesses in their security systems. Top reasons these organizations have become an attractive target for cybercriminals, include:    

  • Valuable data: Education organizations typically store a large amount of sensitive and valuable data, including personal information of students, faculty, and staff, financial information, research data, and intellectual property. This data can be sold on the dark web or used for various malicious purposes, such as identity theft or financial fraud.
  • Weak security: Education organizations are often perceived as having weaker security compared to other industries. This is due to limited IT budgets, lack of technical expertise, and a decentralized structure. Attackers can exploit vulnerabilities in the system and gain access to sensitive information.
  • Open networks: Education organizations often have open networks that allow easy access to the internet, which can make them vulnerable to malware and phishing attacks.
  • Human error: Education organizations often have a large number of users with varying levels of technical expertise. This can lead to human error, such as weak passwords or clicking on suspicious links, which can compromise the security of the organization.
  • Ransomware: Ransomware attacks are increasingly common in education organizations, where attackers encrypt valuable data and demand payment in exchange for the decryption key. This can cause significant disruption to the organization’s operations and finances.

These threats are also increasing at a time when more technology is being integrated in our schools. 

As the Global Education CTO at Microsoft and former CIO of two large U.S. innovative public-school districts, I regularly work with schools and institutions around the world and discuss their technology transformation strategy. These leaders recognize the value and importance of taking advantage of technology to improve teaching and learning, but often overlook not pairing that with security planning and risk mitigation. As cyberattacks are constantly becoming more sophisticated and hurtful, the technologies that keep data, applications, employees, and students safe continue to evolve. It is critical for technology leaders to continually evaluate their protection and response process and tools and ensure they are sufficient.  

Some common ways these organizations are being impacted include:   

  • Phishing attacks: Phishing attacks are becoming more sophisticated and targeted, with attackers using social engineering tactics to trick users into giving up sensitive information.
  • Ransomware attacks: As mentioned previously, Ransomware attacks are on the rise, with attackers encrypting school data and demanding payment in exchange for a decryption key.
  • Internet of Things (IoT) security: As the number of internet-connected devices in schools increases, there is a greater risk of these devices being hacked and used to gain access to sensitive information.
  • Cloud security: Cloud-based systems and tools are becoming more popular in the education industry. These require appropriate action to mitigate potential security risks that could be introduced with misuse.
  • Employee training: Employee training is becoming increasingly important to prevent cyberattacks, with schools investing in cybersecurity awareness training for staff and students.
  • Data privacy: With the rise of online learning platforms and remote learning, there is a greater risk of data breaches and cyberattacks that compromise sensitive student and staff data.
  • Mobile device security: As more students and teachers use mobile devices for learning, there is a greater risk of these devices being lost or stolen, leading to potential data breaches.

The cost of a cyberattack on an educational organization can vary widely depending on a variety of factors such as the size of the organization, the nature and extent of the attack, and the response of the organization. However, according to a study by the Ponemon Institute, the average cost of a cyberattack in 2022 was $4.35 million (Summarizing the Ponemon Cost of a Data Breach Report 2022). This figure includes the cost of lost productivity, IT and end-user support, regulatory fines, legal fees, public relations efforts, and the cost of implementing security measures to prevent future attacks. This figure is an average, the actual cost of a cyberattack on an educational organization could be much higher or lower depending on the specific circumstances of the attack.

Ultimately, many Education organizations are finding themselves in a costly and risky reactive mode, however increasingly we are starting to see more organizations making investments to proactively work to secure their systems and prepare their people to reduce these risks. We are working with schools and universities around the work reduce these threats. There are three key areas we look to help the Education sector secure its future.  

1. Defend the Education sector against threats such as ransomware, phishing and credential theft by:  

2. Secure identities and access of students and staff across the education sector by:  

3. Protect and govern sensitive data for the educational institution, its staff and students by: Identifying and classifying sensitive data for staff and students; understanding who has access to what data types; and labeling Data based on sensitivity types:   

  Take these important steps to start improving your security posture

  1. Implement Multi-Factor Authentication for all your students and staff.
  2. Take the free Zero Trust assessment to see where your organization is at in is Zero Trust Security Journey and implement a roadmap to improve areas of risk.
  3. Check your Secure Score across your M365 and Azure environment and implement recommendations to reduce your surface attack area.
  4. Modernize legacy systems and protect better against threats such as ransomware by leveraging AI-Powered automation from cloud native security SIEM+XDR systems.

To find out more:

About the Center of Expertise

Microsoft’s Public Sector Center of Expertise brings together thought leadership and research relating to digital transformation in the public sector. The Center of Expertise highlights the efforts and success stories of public servants around the globe, while fostering a community of decision makers with a variety of resources from podcasts and webinars to white papers and new research. Join us as we discover and share the learnings and achievements of public sector communities.

Questions or suggestions?

Follow Microsoft