Cyberattacks threaten educational institutions

Industry expertise

The education sector remains a prime target for cyberattacks, and incidents continue to increase, with a 179% rise in year-over-year numbers in just the first six months of 2023.Disclosure 1 Early data from Comparitech’s Ransomware Studies predicted a record-breaking year for the number of ransomware attacks directed at educational institutions.Disclosure 2

Attacks dipped in 2022 as cybercrime groups in Ukraine and Russia left regions impacted by the ongoing war. Now that they’ve relocated, cybercrime operations are escalating again, and most experts expect education-related cyberattacks to continue increasing in 2024.

In addition to the disruption they cause, these attacks have a staggering financial impact. The average ransom demand was $1.5 million between 2018 and mid-2023.Disclosure 2 Each successful attack averaged 12 days of downtime; since 2018, the cost of forced downtime alone exceeds an estimated $53 billion—about $160 per person in the U.S.—but ransom payments and costs for remediation, data replacement, and other associated expenses bring the total costs far higher. 

The education sector attracts cybercriminals.

The education sector appeals to cybercriminals due to its abundance of personal data on students, faculty, and staff, as well as valuable intellectual property developed at research universities and colleges. To compound matters, limited budgets at many educational institutions prevent them from making necessary upgrades to IT infrastructures and cybersecurity defense systems, creating an even more compelling reason for cybercriminals to target these institutions. 

Both K-12 and higher education institutions have broad exposure to cyber threats, with myriad people outside these organizations (students) accessing its systems and networks. The COVID-19 pandemic spurred the proliferation of online learning, and greater online presence translates to greater cyber-attack exposure, particularly with the use of third-party platforms, software, and cloud storage and sharing systems.

Cyber protection defensive measures don’t get the attention or funding that the growing threat warrants. While IT professionals typically understand the high risks of cyber threats, limited financial resources for technology security and compliance are often allocated first to complying with tightening CIPA, COPPA, and FERPA regulations protecting students’ personal information. 

With so much at stake, education leaders need to understand the threats, identify where they’re most vulnerable to attacks, shore up defenses, and develop a response plan for when, not if, a breach occurs. 

The methods and motives driving cyberattacks.

Threat actors are more likely to target the technology that educational institutions rely on than the individuals who use them. Cybercriminals often employ a “spray and pray” campaign, releasing malware across a broad spectrum of industries and organizations, and then counting on the numerous attacks to find a vulnerability that will gain them easy entry.

Hackers then focus on the organizations with the greatest potential for a large payout. For this reason, private colleges with large endowments present a natural target, but larger public institutions can be attractive as well. Attackers often begin looking at an organization’s financial statements and cyber insurance policy coverage limits to uncover sources of funds that could be used to pay ransom. 

While cybercriminals use a variety of methods to achieve their goals, most attacks on schools and higher education organizations tend to fall into a few broad categories: 

  1. Ransomware strikes comprise the largest volume of attacks against education organizations. Hackers gain access to a district or school’s computer network, encrypt data, devices, or systems, and lock staff (and sometimes other users) out until the organization pays a ransom. These attacks can involve the copying or theft of sensitive data, but often the main goal is to severely disrupt operations by holding critically important data or systems hostage to force payment. 
  2. Data breaches pose an increasingly expensive threat, with each incident in education and learning costing an average of $3.7 million in 2023.Disclosure 3 Cybercriminals love social media. They commonly use social engineering tactics like phishing and pretexting to gain access to social security numbers, birth dates, credit card numbers, financial data, intellectual property, and the institution itself—all of which they can ransom or sell for criminal activity.
  3. Miscellaneous errors are a growing vulnerability for the education sector. Employee-related mistakes such as sending emails to the wrong recipients, unintentionally publishing personal or confidential data, and misconfiguring or failing to update network systems with the latest anti-malware software can provide an opening for data breaches, with or without an attack. 

Smaller educational institutions that tend to have more limited IT budgets are sometimes forced to rely on older hardware and software. This “end of life” technology may not be supported by the developer or manufacturer and could lack crucial security patches and updates to fend off attacks. These outdated systems and applications make inviting targets for cybercriminals and could dramatically increase the risk of a successful cyberattack. 

The table below highlights a few recent, high-profile incidents, to illustrate the breadth and scope of the consequences.

Recent education cybersecurity incidents

MOVEit data breach in May 2023Disclosure 4

  • MOVEit file transfer software is used by roughly 3,500 U.S. schools, colleges and universities. 
  • Hackers infiltrated MOVEit servers and began releasing stolen, sensitive customer data on the dark web.
  • Nearly 900 schools and 51,000 individuals were affected by the breach, including the New York City public schools, the University System of Georgia, and the California State University system.

New Haven Public Schools cyberattacks in May 2023Disclosure 5

  • Hackers gained access to the Connecticut school district COO’s email.
  • They stole over $6 million by impersonating vendors and the head administrator. 
  • The district has recovered $3.6 million of the stolen funds so far.

Colorado Department of Higher Education (CDHE) ransomware attack in June 2023 

  • Cybercriminals accessed and copied data from CDHE systems.
  • Decades of students from Colorado’s higher education public institutions, public high schools, and public K-12 schools may be impacted.
  • Some records included names, social security numbers, student identification numbers, and educational records.
  • The incident is still under investigation.

Identify your vulnerabilities and shore up defenses.

Given the pervasive threat, and the cost and disruption posed by cyberattacks, foresighted educational leaders should adopt a vigilant stance that prioritizes stringent security, along with thorough planning, to minimize their risk. 

Start by identifying the organization’s vulnerabilities. Consider these fundamental questions to help formulate a comprehensive security plan:

  • What type of data do we collect and store?
  • How and where do we store it? (i.e., Cloud-based, on servers, on-premises) 
  • Do we send sensitive data in email attachments? 
  • Do we have a file server containing statements that could require notifying affected parties or risk legal exposure?  
  • How do these same questions apply to our technology and software vendors? How secure are their defenses?

When it comes to cybersecurity, the playing field is unbalanced; the attacker has an inherent advantage. Cybercriminals can use an endless number of approaches to achieve a single success, but to defend against every vulnerability, every time, your security protocols must always operate at 100% effectiveness. 

Actions to defend against cybersecurity threats

Vulnerabilities are plentiful, but you can mount a solid defense against these threats using a layered approach:

  1. Updated and patched software and applications
  2. Strong identity access policies and procedures
  3. Comprehensive network and data monitoring
  4. Required multifactor authentication
  5. Separate systems that insulate sensitive data from the rest of the network
  6. Vigilant scanning to detect and respond to network threats
  7. Current onsite and offsite backups to allow data and system restoration
  8. Segmented network structure that limits lateral movement within the system
  9. Continual network user education and security awareness training
  10.   Robust incident response and operational continuity plans
  11.   Frequent vulnerability and response plan testing
  12.   Specialized solutions to maintain data sets such as HR or health system management
  13.   Third-party providers with awareness of legal and compliance requirements
  14.   Responsible platform providers that assume some of the risk for cyber incidents

Formulate a strategy to mitigate cyber liabilities.

As cyberattacks on educational systems have become more frequent and costly, cyber liability insurance, or cyber risk insurance, has emerged as a key component of comprehensive cyber security plans. This insurance helps protect organizations from the steep financial costs and legal liabilities associated with cyber incidents. A cyber insurance policy can mitigate the risk of loss from data breaches, data theft, ransomware attacks, operational interruptions, and liability resulting from lawsuits, as well as related regulatory fines and penalties.

A company’s outcome from a security assessment, along with the annual policy limits being purchased, will often set the terms for the breadth of coverage, levels of self-insured retentions, waiting periods, and annual premium. Cyber insurers often require dual-factor authentication, up-to-date firewalls, and robust penetration and vulnerability testing. Utilizing best practices can help improve your cyber insurance cost and coverage, in much the same way that homeowner’s insurance offers lower premium costs for installing burglar alarms, sprinklers, and smoke detectors.

Make sure you confirm the firms you plan to engage in your incident response efforts with your insurance provider. Firms not approved by your provider may not be covered for their expenses.

Once insured, you and your insurance carrier share an interest in reducing the risk of loss. Some carriers offer valuable prevention and preparedness programs and tools to help you defend against cyber-attacks. Some may also offer premium reductions to organizations that utilize approved third-party providers or specified platforms and solutions to reduce risk.

Establish your game plan before an attack happens.

Even the strongest defenses aren’t impenetrable, so it’s important to prepare. How should you respond if you are attacked? Knowing what to do ahead of time will help you limit the damage and recover more quickly.

Begin by establishing a cross-functional incident response team to develop and maintain a comprehensive response plan. Your incident response team should include internal personnel, with representation from information security staff and executive management, as well as external members, such as a cyber incident response firm, data forensics experts, data privacy legal counsel, the organization’s cyber insurance broker, and both internal and external communications/public relations professionals.

The team’s first task is to choose an individual to lead the response efforts and develop an incident response plan. The team should then test the plan periodically under various incident scenarios. It’s also important to revisit and update your plan regularly to reflect emerging, real-world threats and evolving industry best practices. Also, take the key step of making your plan available offline, as a cyberattack may lock you out of your systems.

The next step is conducting a cyber-attack drill that provides team members an opportunity to practice their response steps, identifying potential problems and improving familiarity with how the response unfolds. This kind of “dry run” can improve the speed and performance of implementing your plan and help reduce stress levels after an actual incident. Avoid responding on the fly, which often results in higher incident costs, excessive legal liability, and additional reputational harm.

Understand your incident to-do list.

After a cyber incident, immediate action is imperative. Your plan will reflect unique organizational factors and the nature of the incident, but should include most or all these key actions:Disclosure 7

  • If your experts suspect your company is undergoing a significant cyberattack, consult your insurance broker to discuss insurance policy incident notice requirements. Your insurance broker can work with your cyber insurance carrier to outline the proper first steps and the optimal process to engage carrier-approved vendors who have the proper expertise and charge pre-approved rates. This step ensures that you’re adhering to policy terms and conditions and that you receive your full policy benefits.
  • Activate your incident response team and make sure that the persons designated with oversight duties are onboard.  Plan for back-up personnel for key positions, as key parties may be on vacation or otherwise unavailable when an event happens.
  • Most companies prefer to appoint approved breach counsel at the onset to determine appropriate actions that fulfill legal obligations, manage potential liabilities, and prepare for the possibility of future litigation or regulatory investigation. Breach counsel can also negotiate terms on vendor engagements and instruct vendors in how to prepare reports and invoices for carrier reimbursement and preserve attorney/client privilege in anticipation of potential litigation.
  • Identify the threat and try to isolate affected systems to prevent further damage.
  • Immediately resolve the vulnerability that allowed the incident, if possible. Do not discard evidence which could be used in prosecution of threat actors and/or contributors to the incident.
  • Conduct a thorough damage assessment. Implement the appropriate response plan.
  • Formulate an action plan that addresses the most urgent priorities: mitigating the impact of the incident, repairing systems, restoring data, and strengthening security.
  • Work closely with your forensic investigation firm and other incident response experts to assist with the negotiation process and prepare for secure and lawful extortion payment (if necessary) along with assistance in restoring full operational status across the organization.
  • Preserve and document evidence related to the incident so it will be available for future prosecution or law enforcement purposes. In your haste to restore data, take care not to destroy evidence that could help identify the attackers.
  • Report the incident to all appropriate law enforcement agencies. They may be able to assist in the investigation.
  • Engage an insurer-approved public relations and communications team to communicate the incident to internal and public-facing audiences. Offer as much transparency as experts advise and provide updates as you learn more about the incident and its impact.
  • Communicate with regulatory compliance authorities as applicable.
  • Verify and comply with legal requirements to notify those affected by the incident and offer credit monitoring and/or identity theft restoration services as approved by your insurer and advised by your breach counsel.

Rely on a strong partner to help you prevent—and survive—a cyberattack.

Manage your risk of attack. Cybersecurity requires significant planning and attention, but you don’t have to face it alone. Truist’s education industry consultants can help you assemble the resources to prepare for cybersecurity threats. Talk to your Truist relationship manager about how we can help. Visit us at