The National Cyber Security Centre in the United Kingdom last month put out an alert to schools, colleges and universities warning of a rise in ransomware attacks. But what is driving the attacks and how can educational establishments respond? GRC World Forums finds out.


Who would be a headteacher or school governor in the current climate? Having spent several months trying to keep the remote learning show on the road, schoolteachers and staff are now managing the resumption of face-to-face teaching and are facing pressure from parents and politicians to help pupils catch up with lost learning (not to mention dealing with mental health and behavioural issues as pupils re-adjust).

There is however another major issue that those in schools would be advised to keep an eye on.

Recent months have seen a surge in cyber-attacks on schools, colleges and universities,to the extent that the National Cyber Security Centre (NCSC) in March put out an alert to the educational sector about the issue.

The NCSC warned that “ransomware has led to the loss of student coursework, school financial records, as well as data relating to Covid-19 testing”.

The point was hammered home just a few days later when the Harris Federation, a non-profit chain of 50 academy schools, was hit by a major ransomware attack. Cyber criminals accessed Harris’ IT systems and encrypted their contents, forcing the federation to disable its email and phone systems and bring in a specialised cyber security firm.

So what is behind the recent surge in attacks on schools, universities and colleges?

Ed Macnair, Chief Executive of cloud security provider Censornet, says it is “no surprise” that hackers are targeting schools as they are soft targets.

He says: “These institutions hold a lot of valuable data about staff and pupils that can be highly sensitive,” he adds.

“Cybercriminals hope organisations will panic and pay up if they threaten to lock down the data or release it on the dark web.”

Unlike large private businesses, schools often do not have a full-time IT security presence, says Macnair.

“Schools and nurseries have a lot of people accessing the networks and there are likely to be a large number of opportunities for attackers to sneak ransomware into their systems,” he warns.

Burak Agca, a security engineer at security company Lookout says that more students are using devices such as Chromebooks, tablets and smartphones to access cloud-based services for classes and school work, and this “presents an entirely different challenge from phishing on traditional endpoints.” Agca adds that native apps like Hangouts and iMessage are commonly used by threat actors to deliver phishing campaigns that kick off ransomware attacks.

He says, “Threat actors have more ways of hiding the true intent of a phishing attack on mobile, and for that reason use it as the primary way to kick off bigger infrastructure attacks.”

Problems may also arise, Agca suggests, where administrators use traditional laptops and on-premise data storage, making schools more vulnerable to ransomware attacks where data is not backed up.

The drive towards using a greater number of devices has been rapidly accelerated by remote learning under Covid-19, where there has been pressure to ensure no child is left behind in being able to access online classes.

Martin Lethbridge, UK and Ireland Senior Sales Engineer at Watchguard Technologies says: “While schools, colleges and universities have been returning to on-site teaching, the COVID-19 pandemic has driven the move to remote learning and extended the traditional network perimeter to connect thousands of remote devices not under the control of the IT department.

“This has radically changed the threat landscape for education and presents new challenges for IT managers facing a radically different future of learning.”

“It is all too easy for hackers to compromise Wi-Fi and even set up their own rogue hotspots that look genuine,” Martin Lethbridge, Watchguard Technologies

When it comes to specific threats to educational establishments, the NCSC listed attacks via remote desktop protocol, virtual private networks (VPNs), phishing, and taking advantage of unpatched or insecure devices, weak passwords or a lack of multi-factor authentication.

Agca says: ““Most ransomware attacks start with phishing, which targets users on any device and within any messaging application (email, SMS, and social media) that allows cybercriminals to send malicious links to unsuspecting users.

“A successful phishing campaign can open the door to a threat actor by stealing login credentials or delivering malware to the device itself.”

Countering the threat

So what is the solution?

Given the emphasis on phishing, educating children, and teachers, on the risks is widely considered to be a crucial tool in any school’s cyber security strategy.

Lethbridge says: “Humans – both young and old - are often the weakest link and pose one of the biggest threats to security, whether through error, or for something more sinister. That’s why security awareness and education must be at the heart of any cyber security prevention policy - educating the educators, as well as their pupils and students.

“Lesson one is learning about the risks of clicking on suspicious links. Many of us still cannot spot the nuance of clever phishing scams, so one of the best times to learn about phishing is when an error has just been made.”

Children also need to be aware of the significance of password security, says Martin Jartelius at Outpost24, who says children often share credentials.

He says: “Teach them that passwords and identities are like underwear, you should use them at all times, but not show them to others, not give the ones you use to other kids and preferably change them on a somewhat regular basis.”

However education and awareness can only take you so far. The NCSC recommends educational establishments adopt a ‘defence in depth’ strategy to security.

Lethbridge agrees. He says: “A layered approach to cybersecurity is vital. While every network needs a strong network firewall, they also need a full arsenal of scanning engines to provide visibility, threat intelligence and protection against spyware and viruses, malicious apps, data leakage and unknown zero-day threats.”

“Then there is the problem of stolen or weak passwords. As we all struggle with remembering a multitude of long, complex and secure passwords, the use of multi-factor authentication (MFA) is compelling. MFA is simply a security system that requires more than one method of authentication to verify the user’s identity for a login or other transaction such as a one-time-password sent to a mobile phone.”

Lethbridge also recommends using tools to block connections to malicious websites.

Wi-fi is also a consideration, given how using unsecured wi-fi can create risks.

He said: “It is all too easy for hackers to compromise Wi-Fi and even set up their own rogue hotspots that look genuine. That’s why schools, colleges and universities need to provide a Trusted Wireless Environment (TWE), that is fast, easy to manage and, most importantly, secure.”

The overall message is clear, as school staff get back into the swing of face-to-face learning it is vital they don’t neglect the cyber security threat, and there is no single, simple solution.

Lethbridge says: “The bottom line is there is no silver bullet when it comes to defeating cybercrime – in our education institutions or anywhere else. The best way to combat the growing threat landscape is through education and by implementing a layered approach to security.” 

Recent cyber attacks on UK educational trusts

31 March: The Harris Federation, which runs 50 schools, is hit by a ransomware attack, prompting it to bringing a cyber-security firm.

16 March: Castle School Education Trust was hit by a “highly sophisticated” ransomware attack which left 23 schools without access to an IT system.

12 March: A total of 17 schools in the Cambridge Meridian Academies Trust faced disruption due to a ransomware attack.

3 March: Nova Education Trust in Nottingham disabled IT systems at 15 schools as a precaution following an attack. 

 Register to receive the latest cyber security news and analysis straight to your inbox