C+ ‘Must try harder: Cybersecurity in Education

September: it’s a heady mix of the crisp autumn air and back-to-school stationery. For many IT and security teams in the education sector, it’s the beginning of a nine-month-long cyber nightmare where staff and students lay waste to a summer of careful cybersecurity planning.

By freshers’ week 2018, The University of Edinburgh, among others, had already been hit by a major cyberattack. The consensus is that its students who will play havoc with the defenses of education networks across the country. So, what’s an IT manager to do until mid-July when the vulnerabilities leave for the summer holiday?

A target-rich classroom

Despite attempts to improve general understanding of online and IT threats, with schools, colleges, and universities all issuing ICT policies to minimize user errors, experts suggest that these institutions are more at risk of attack than ever before. At the beginning of the autumn term, the threat level intensifies with new parents, teaching staff, and students all accessing previously unknown digital materials, and the chances to exploit mistakes, become more readily available. And of course, let’s not forget about the case of one student who managed to cause a denial of service attack on the entire university network by trying to take a fellow gamer out of action.

But of course, it’s not just about the users – public sector IT teams remain stretched with limited budgets and resources, trying to manage expanding lists of security measures and protocols, now with the added task of educating their entire user base about basic IT security. The holy trinity of IT security from just a little over a decade ago – anti-malware, anti-spam, and patch management – no longer cuts the mustard. Today, it’s also about managing risk, detecting vulnerabilities, penetration testing, and GDPR.

GDPR and education

Since GDPR came into force, all organizations have tirelessly looked to tighten their security belts and ensure they’ve taken appropriate measures to avoid an attack for which they could be blamed and, more importantly, fined. Sophisticated malware detection and email gateway protection are a given, but there are also more simple ways to stop some of the most fervent types of attacks that many IT teams are unaware of or neglect.  

A survey by digital infrastructure and services provider for the education sector, Jisc, highlighted how the top cybersecurity risk for universities and colleges was accidental breaches. These breaches come in the form of social engineering and phishing attacks – a type of attack that relies on a lack of awareness and human error. It’s no longer about a user relying on a clever algorithm to detect a threat, it’s time for the user to switch on their threat radar. So, how can a small team, or single IT manager solve this risk?

A for effort

Basic security awareness training is needed from day one – users need to know how not to fall foul of an opportunistic hacker or scammer. One of the most common ways to infiltrate a system is to fool staff and students – it’s as simple as sending emails purporting to come from the admin or finance team looking to get payment for school lunches or more seriously, rent for accommodation or a demand for payment of fees. Recognizing rogue senders is one thing, but how can users be blamed for handing over payment details to a legitimate-looking sender?

And this is where there has to be an interplay between technology solutions and user insight – a spoofed email is almost impossible to detect by a user, and institutions need to have adequate defenses in place to block illegitimate mail so the user never stumbles over it.

The education sector is such a melting pot of different types of users with varying values (freedom of information, expression, exchanges of ideas, etc) compared to organizations that employ adults with a single view of achieving business goals. But the goal of all IT teams is the same – to keep the network and all users secure.

Tell, teach, involve

The saying ‘Tell me and I forget. Teach me and I remember. Involve me and I learn’ is corny but true. A surefire way to capture and maintain interest in IT security is to get staff and students involved. Working in this industry, we take levels of understanding of cyber threats for granted and will no doubt pass on this security-savvy consciousness to our children. But imagine for a moment, you don’t work in tech, have only heard about ‘phishing’ and ‘malware’ on a headline report on the BBC News, and can only do the basics on your Windows 7, outdated PC.

Now imagine you spend 30 minutes every term explaining the simplicity of a phishing attack and how users can spot a rogue sender. Furthermore, you employ DMARC at p=reject, and users can rest assured that a spoofed email address, with a view to stealing data or money, won’t even hit their inbox. Equation solved.

Want to be a real star pupil? Why not check your current email security setup with our free investigate tool? It’ll give you results for the current SPF, DKIM, and DMARC configuration of your domain, and next steps.


PUBLISHED BY

Clare Holmes

28 Sep. 2018

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Security

How to drive cybersecurity as a top business priority

Jack Lilley

Everyone has a role to play in protecting the enterprise. Whether you’re shaping strategy or implementing solutions, aligning efforts to mitigate critical risks ensures a stronger, more resilient enterprise. If you missed Red Sift’s recent webinar on “From Data to Buy-In: Driving Cybersecurity as a Top Business Priority” we’ve got you covered. The session…

Read more
DMARC

BreakSPF: How to mitigate the attack

Red Sift

BreakSPF is a newly identified attack framework that exploits misconfigurations in the Sender Policy Framework (SPF) a widely used email authentication protocol. A common misconfiguration involves overly permissive IP ranges, where SPF records allow large blocks of IP addresses to send emails on behalf of a domain. These ranges often include shared infrastructures like…

Read more
Certificates

Never miss an expiring certificate again with Red Sift Certificates Lite

Francesca Rünger-Field

SSL/TLS certificates are the backbone of secure, uninterrupted digital experiences—but managing them effectively to prevent downtime remains a persistent challenge. With browser and certificate authorities looking to reduce certificate durations to as little as 90 or even 47 days, keeping track of renewals has never been more critical. That’s why we’re excited to introduce…

Read more
DMARC

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail…

Francesca Rünger-Field

Navigating G-Cloud 14 for DMARC solutions: A guide for former NCSC Mail Check users With the NCSC discontinuing key features of its Mail Check service, including DMARC aggregate and TLS reporting, after March 2025, UK public sector organisations must prepare for this change by transitioning to alternative email security solutions. To support this shift,…

Read more