Year over year, the same industry verticals seem to remain at the top of just about every analyst briefing, industry report, and infographic that are about security, threats, and attacks. Commonly, you repeatedly see Retail, Finance, Healthcare, and Education. But why?
Retail and Finance make sense – those are businesses involved with moving people’s money (or credit cards in the case of retail) around as part of operations. Getting access to even a fraction of all the financial data those two industries utilize is a jackpot to an attacker.
Healthcare is another somewhat obvious target – in the U.S. social security numbers are used to identify individuals, and health data can be sold on the black market for pennies per record.
And then there’s Education. One in three universities face cyber attacks every hour. Why in the world would someone want to attack an Education institution? They probably aren’t interested in Johnnie’s drawings or math test scores. So, why is Education always one of the primary industry targets?
5 reasons that help explain why Education is a target
1. Lots of Valuable Data
While no attacker in the world is interested in stealing 1st grade reading assignments, many Higher Education institutions have research programs that contain valuable data and intellectual property that could be of value to the right competitor. Espionage isn’t out of the question here.
Additionally, Education is a constantly moving business, which means accessing and holding just the right data for ransom could prove lucrative to a criminal organization.
2. A (Potentially) Easy Target
This isn’t to say that IT pros in Education are doing less than their corporate counterparts. On the contrary, the emphasis on security is equal if not more so. But then there’s the weakest link in every organization’s security chain – the user. Regular businesses already struggle to get intelligent, adult users to pay attention and make security a priority by being aware of phishing scams, not using unsanctioned cloud services, etc.
So, given Education’s based of student users that need to explore the vastness of the Internet for the purpose of homework, project research, and fun – and add the fact they’re definitely not thinking about keeping the network secure – it’s what’s known in the military as a target-rich environment.
3. (Sometimes) Not the Most Protected
Particularly smaller primary schools tend to have less focus and budget on security. The assumption of reliance on a few common security solutions, such as antivirus, makes them feel like they’re protected, when nothing could be farther from the truth.
4. Lots of Users
External attackers need user credentials to be successful – in 81% of data breaches, compromised credentials were involved . While attackers definitely want access to privileged accounts, the need for persistence within a network is a foundational requirement – a need that requires having multiple endpoints and multiple credentials (even if they are low level) to be successful.
5. Perimeter-Focused
Very few educational systems are watching the use of their network; most are focused on establishing a virtual security perimeter to keep bad guys and malware out, rather than looking to see whether someone has worked their way past defenses and is inside either rummaging around or wreaking havoc.
So you know your a target, what then?
This is not all doom and gloom, and that your security in place is worthless. In fact a ransomware effectiveness report found 22% of all organizations with layered security including AV, phishing training, etc. were STILL hit with ransomware in the last 12 months!
This is about the need to take a security stance that makes the assumption that a small fraction of a percentage of attackers are going to get in. And should an attacker get in…. what then? How are you going to spot the threat actor?
