Educational institutions are highly attractive targets for cybercriminals due to the valuable research, personal data, and financial information they hold.

This is among the findings from a new KnowBe4 report, “From Primary Schools to Universities, The Global Education Sector is Unprepared for Escalating Cyber Attacks”, that underscores education sector challenges in securing an increasingly digital-reliant environment.

Cybercriminals exploit vulnerabilities to gain access and then leverage compromised platforms to launch further attacks.

This is particularly concerning as successful breaches enhance the credibility of the attackers’ control, making subsequent attacks easier.

Key considerations for the South African education sector highlighted in the report include:

* Both primary and higher education institutions rely heavily on third-party vendors for essential services like software, cloud storage, and IT support. This interconnectedness creates potential risks, as vulnerabilities within these third-party systems can impact multiple institutions, often without immediate detection.

* Limited resources and the need for modernisation often lead to a mix of outdated and modern IT systems in schools and universities. This combination can create entry points for attackers to access sensitive personal information stored on vulnerable, older systems. In its 2024 Data Breach Investigations Report (DBIR), Verizon examined 30 458 security incidents in total, of which 10 626 were confirmed data breaches. Of these, 1 780 incidents (17%) were attacks against the education system, 1 537 (14%) with confirmed data disclosure; a figure that put education in the top five of all industries breached globally. In 2023, Trustwave researchers monitored 352 ransomware claims against educational institutions. Phishing stood out in the Trustwave study as the most commonly exploited method for gaining an initial foothold in an organisation.

* Globally, phishing is a prevalent method used by cybercriminals to gain initial access to educational institutions. This is a significant concern for South African institutions, where a lack of cybersecurity awareness among staff and students can make them susceptible to such attacks.

While KnowBe4’s report is globally focused, local experts have noted that the country’s vulnerability to cyberattacks is significant, with a considerable number of organisations experiencing multiple attacks annually.

The report demonstrates the significant impact of security awareness training on reducing human risk in educational institutions. Employee susceptibility to phishing attacks dropped dramatically from 33,4% to 3,9% in small educational institutions after one year or more of sustained training and simulated phishing evaluations.

“Today’s classroom environment is becoming ever more digital, increasing the attack surface of educational institutions and creating an unprecedented level of cyber risk,” says Stu Sjouwerman, CEO of KnowBe4. “Educational institutions have inadvertently become prime targets for sophisticated threat actors due to an overall lack of resources.

“The most concrete, effective step that an educational institution can take to secure vital and sensitive data is to ensure that all individuals who access IT systems are equipped with the proper tools, education and awareness to protect against cyber threats and reduce human risk.”