One in 10 UK educational institutions are subject to more than 250 attacks each year
Just one in five consider their organisation ‘very well prepared’ in the face of cyberattacks
Almost half (48%) believe they are lacking in either skills, solutions, or both, to deal with cyberattacks
LONDON, UK, 22nd DECEMBER, 2022 – Across the education sector, technology is now at the heart of learning. During the pandemic, technology offered a lifeline for the sector, empowering educators to continue learning programs remotely. However, the 2022 Education Cybersecurity Census Report from Keeper Security, has revealed that the increasing technologisation of education is also escalating the sector’s vulnerability to cyberattacks, with one in 10 reporting 251 attacks or more each year.
Not only do these attacks put high-volumes of sensitive data—from pupil records, to qualifications—at risk, they also carry the risk of serious organisational harm. Over a fifth (21%) of education establishments report that cyberattacks have limited their ability to carry out business operations, 19 percent highlight reputational damage and 7 percent have experienced theft of money.
Education organisations are also concerned that cyberthreats are growing, with almost two thirds (64%) believing the overall number of cyberattacks will increase in the next year. More concerningly are the one in 10 (11%) who feel unable to gauge whether or not threats will rise, as they are not even tracking the number of cyberattacks they experience
Investment is Needed to Mitigate Risk
To prepare for future threats, the education sector will require investment in both technical skills and a mindset shift to boost cybersecurity. Yet just one in five (20%) consider their organisation ‘very well prepared’ in the face of cyberattacks, compared to 26% across all businesses. Worryingly, only two-thirds (66%) of organisations in the education sector conduct at least monthly threat assessments and 17 percent do not conduct them at all, leaving them extremely vulnerable in the face of rising attacks.
The key to tackling evolving threats will be relevant, up-to-date skills and solutions. Yet almost half (48%) state they are lacking in either skills, solutions or both. Just one in five (19%) offer a highly sophisticated framework to govern access to their systems and a quarter (25%) leave it entirely up to employees to set their own passwords—despite password hygiene being listed as a top security concern by a third (33%) of educational institutions.
Credential, password, and secrets management are other areas that require urgent attention in the education sector. Just a third (36%) state they have complete visibility into users, password strength, identities and permissions. Part of this may be due to the lack of the right solutions, with two thirds (66%) highlighting they don’t currently have a secrets manager.
However it seems that certain steps are being taken to improve cybersecurity in some education establishments, with 44 percent increasing cybersecurity training, and more than a third (35%) increasing spend on cybersecurity software.
Cultivating a ‘Security First’ Culture
Encouragingly in education organisations, just seven percent say their C-suite views cybersecurity as unimportant. However, recognition of the need to invest dedicated resources to cybersecurity could go further. 43 percent state that their C-suite is committed to making small investments when required, but only a third (32%) state their C-suite views cybersecurity as an area of significant importance and dedicate resources to security strategies.
There is also a mindset shift required when it comes to being transparent when an attack occurs. One in five (19%) IT professionals in the education sector state they have been aware of a cyberattack and kept it to themselves, but ideally no cyberattack would go unreported. There is also work to be done on building accountability in the sector with 44 percent stating they are concerned about a breach from within their own organisation, further highlighting that trust needs to be strengthened in educational institutions.
A lack of trust and unreported cyberattacks will both cause damage to organisations. Not only do they open the door to cybercriminals, but they limit the ability of organisations to respond and adapt. Cyberthreats are ever-evolving, and staying one step ahead of them requires having total visibility of security breaches.
Likewise, by creating a muddled picture of exposure to cyberthreats, a lack of reporting can lead to lower investment—further fuelling risks. A culture in which IT professionals feel they cannot openly share news of an attack harms everyone.
Darren Guccione, Keeper Co-founder and CEO commented: “With threats growing at an unprecedented rate, cybersecurity must be a top priority for organisations within the education sector. Yet to build defences, IT leaders in education must understand how the threat landscape is evolving, the harm cyberattacks can cause, and the steps necessary to prevent them. Sharing knowledge, learning from challenges, and collaborating to solve problems are key facets of education itself. They are also principles IT teams must embrace if they are to keep educators and their learners safe from the rising tide of cyberthreats.”