Why schools are easy targets for ransomware attacks, and what to do about it

Why schools are easy targets for ransomware attacks, and what to do about it

The education sector experienced the highest rate of ransomware attacks in 2022, according to new research from a leading global cybersecurity company.

The State of Ransomware in Education 2023 report, released by Sophos, found 80% of K-12 schools reported they were targets of these types of attacks – a worrying increase from 56% in 2021. Additionally, the education sector reported one of the highest rates of ransom payment with nearly half (47%) of schools paying the ransom.

However, paying the ransom significantly increased recovery costs. The average recovery costs (excluding any ransoms paid) for schools were $2.18m when paying the ransom versus $1.37m when not paying.

Paying the ransom also lengthened recovery times for victims. For schools, 63% of those that used backups recovered within a month versus just 59% of those that paid the ransom.

“Although not a particularly financially rewarding target for cybercriminals, K-12 schools hold a plethora of valuable data such as student addresses, parent emails and bank account details and therefore are becoming increasingly targeted,” Aaron Bugal, Field CTO APJ, at Sophos told The Educator.

“Furthermore, schools will have thousands of dispersed endpoints to protect, often being those of cyber unaware students and even teachers.”

Bugal said this presents a “dream attack surface” for cybercriminals, because if students and staff aren’t being taught how to properly identify threats and be cyber aware, one weak link is all it takes to give hackers the opportunity to secure access to all of school system’s data.

So, what can principals do to respond to this threat?

“Staying ahead of cyber criminals is integral to maintaining a performant educational ecosystem,” Bugal said.

“Schools must focus on both cybersecurity education and implement the right processes and technical controls to effect a positive security outcome.”

With cyberthreats continuing to grow in both volume and complexity, Bugal says most schools shouldn’t be attempting to manage cybersecurity on their own.

“Instead they should consider investing in cybersecurity as a service to ensure that their school is protected 24/7,” he said. “By leaving cybersecurity to experienced professionals, principals are free to do what they do best – educate.”

Bugal said this should include educating students, teachers and parents on how to be cyber aware through regular training and reminders about the dangers studying online.

“Cyber-savvy staff and students know how to identify a phishing attack, use multifactor authentication and not click on suspicious links, which helps to reduce a school’s risk factor.”