The Costs and Risks of Poor Cybersecurity in Schools

The importance of maintaining strong cybersecurity in educational institutions is obvious. They have a crucial role in educating society and most often hold sensitive data of younger people and minors. Consequently, the confidentiality, integrity and availability of data and services are vital.

The costs and risks of poor cybersecurity in schools are varied. They can include loss of data and work, including their exposure online; monetary costs of restoration; loss of service and unavailability of key systems and resources; harm to reputation; and issues with compliance with regulations and duty of care.

Poor cybersecurity can leave schools vulnerable to attacks such as phishing, malware, ransomware and DDoS. During the pandemic, cyber-attacks on schools rose to a record high last year (408, according to the K-12 information exchange), with remote learning creating more access points for intruders.

The most significant costs and risks associated with poor cybersecurity in schools are described below. 

Loss and exposure of sensitive data 

Educational institutions with unsatisfactory cybersecurity put themselves at risk of having confidential data stolen. In attacks such as ransomware, data, potentially children's in this case, can be stolen and then sold on the dark web.

Sensitive data held about students, including their names, birthdays and national insurance numbers, can all be stolen, setting up young people for a lifetime of potential identity theft.

Loss of work 

Not only can personal information be lost in a cyber attack, but also school work and, at higher-education organisations, valuable data.

There are examples of students' work being unrecoverable after breaches, such as a cyber-attack at a school in Bedfordshire earlier this year, which resulted in the loss of coursework after the school servers were left unreadable.

Higher education institutes, on the other hand, will often conduct research and hold valuable intellectual property which criminals may wish to get their hands on. This could be in the form of scientific or medical research. 

Monetary costs 

There can be significant financial costs that result from a successful cyber-attack on a school. 

First of all, affected systems may need to be replaced, and additional clean-up services may need to be purchased to remove any harmful programs from a network.

In addition, with the increasing prominence of ransomware attacks since August 2020, a school that is susceptible to such an attack may be required to pay up to 8-figure sums for the release of data. A report by Comparitech stated that ransomware attacks on US schools and colleges cost over $6.5 billion in 2020.

Unavailability of services 

Cyber attacks can also render services used in educational institutes useless.  

DDoS attacks can stop teaching for a day, while potentially more harmful attacks such as malware can grind learning to a halt for even longer. For example, a school in California, US had to shut down virtual learning for a whole week last year after a malware infection.

A UK Government report published in March stated that, of those involved in a survey of the past 12 months, 74 percent of further-education colleges were negatively impacted by a cyber-attack. Additionally, 56 percent of these institutions said that staff resources were diverted to deal with the breach, and over a quarter stated that wider staff were unable to carry out their work activities.  

Reputational harm 

Being the subject of a cyber attack can damage an organisation’s reputation. For private schools and other educational institutions this can have a bigger impact, as they are competing with one another to secure the applications of students.

If a school is seen to be unable to adequately protect important data and maintain good cybersecurity practices, this will reflect poorly upon them. 


Schools and other educational institutions have a requirement and duty of care to protect their students’ data. This is particularly relevant in relation to the Data Protection Act 2018, which requires schools to protect data.

Breaches of this Act and the General Data Protection Regulations (GDPR) can potentially result in sanctions and fines. Therefore, keeping data secure and preventing cyber attacks is of paramount importance. The Department of Education provides a toolkit for schools.

Don’t leave your school vulnerable 

As described in this article, the costs and risks which result from poor cybersecurity in schools can be severe. By signing up for a service like Securiwiser, you can begin to protect your institution from avoidable threats by identifying the most significant vulnerabilities.
