It’s ‘hack to school’ for the cyber criminals, security experts warn

The end of the long Labor Day weekend marks the return to school and college for many but it’s not just students who are returning with new backpacks and timetables – it also marks the return of hackers.

As students and teachers enter the ‘hack-to-school’ period (as those in cyber security circle have dubbed it) many will be unaware that their institutions may have been attacked by cybercriminals while class was out.

This year both educational institutions and cyber firms have been warned to be more vigilant, following a spate of attacks that occurred last September.

Targets included Michigan’s South Redford school district, which was hit by a cyberattack that closed schools for two days, including the University of Michigan.

In the UK that same month, a cyberattack hit six schools after a network of a multi-academy trust covering 4,500 pupils was breached.

‘Vultures, not hawks’

According to The White House, in the 2022-23 academic year, at least eight school districts (from kindergarten through to 12^th grade) throughout the US were impacted by cyberattacks – four of which left schools having to cancel classes completely.

Not only have these attacks disrupted school operations, but they also have impacted students, their families, teachers, and administrators.

Sensitive personal information – including, student grades, medical records, documented home issues, behavioural information and financial information – of students and employees were stolen and publicly disclosed.

One reason hackers target schools is because they tend to scan for the most vulnerable machines as standard and, unfortunately, due to limited resources, universities and US public (or UK state) schools have many of these.

Hackers “seem to look for victims they know or assume have weak security measures in place. They are vultures, not hawks, and seek out the weak and vulnerable,” said Don Smith, vice president at cyber sec firm SecureWorks’ Counter Threat Unit.

“School networks, whether that be primary schools or universities, tend to be open more often than they are closed, due to their mission to promote learning, but unfortunately often find themselves subject to these attacks,” he noted.

Another reason education establishments are vulnerable is because students take devices home over the summer, using them for personal tasks and bringing infected devices back to school or university.

“Compounding the issue is technology left on school premises unmonitored over the summer holidays,” Smith added.

Cyber drills

Pre-empting the return of the hackers, and to ensure that school isn’t out forever, earlier last month the Biden Administration launched a $600m three year campaign to fund a series of cyber sec measures – including encouraging schools to start cyber drills – to combat attackers and make schools more secure.

As part of this campaign, several tech vendors – including AWS, Cloudflare, Google and learning platform company D2L – pledged to provide free and low-cost cyber resources to school districts.

According to Smith, there are also a few practical steps that all schools can take.

“The first step is to patch any networks that face the internet so that vulnerabilities are addressed on a regular basis,” he said.

“Secondly, it’s crucial that schools add a layer of multifactor authentication to make it harder for bad actors to break through.

“By implementing these two strategies, it’s likely that schools and other educational institutions will become less prone to attacks and have better cyber health overall.”

For schools aiming for top marks, Smith added that they must also prioritise lifecycle management to mitigate threats.

“Maintaining inventories of devices and software while regularly scheduling security updates and replacements is essential.

“If systems are outdated and unpatched, they leave networks vulnerable to exploitation. In short, robust lifecycle management lets IT teams address weaknesses before cybercriminals infiltrate.”

The recommendation of cyber drills in schools by the US government could be an effective way of ensuring the entire school community advocates for the importance of cyber security. This, Smith adds, is an action that can be easily duplicated in other jurisdictions.

“IT teams should instigate education programmes that teach strong password habits, identify phishing attempts, avoid suspicious downloads, and how to report issues promptly. Informed students can become a vital defence against threats,” Smith advised.

To read more about cyber security click here.