In an increasingly digital world, educational organizations are facing more sophisticated cybersecurity threats, and these institutions must rely on collecting and maintaining sensitive data to effectively carry out their core missions. Safeguarding this data must remain a top priority, especially as schools continue to digitally transform to bring new innovation and capabilities to their students, educators, and sponsors.
Known ransomware attacks increased by 68% in 2023, a study by Malwarebytes found in its annual 2024 State of Malware Report, and last year there was a 70% increase in the education sector, making 2023 “the worst ransomware year on record for education.” “Cybersecurity as a core competency” was again selected as the top priority in the EDUCAUSE Top-10 List, which identifies the most critical issues affecting colleges and universities each year. It is imperative that education organizations have robust cybersecurity measures in place to help mitigate cyberthreats.
Below are five top tips for all education organizations to follow in enhancing their day-to-day cybersecurity:
1. Create a documented security policy—To help ensure all employees are on the same page and have a clear reference point for any queries, the best starting point for education organizations is to draw up a simple cybersecurity policy. This should clearly outline the expectations and duty of all employees to adhere to the collective standards required to enhance cybersecurity. The policy should be clearly communicated throughout an organization and made easily accessible across internal systems. The policy should include the following four tips as actions for all employees.
2. Require unique credentials for all login requirements—This is something we all take for granted in our personal lives but is imperative in keeping potential bad actors at bay, particularly when dealing with sensitive or confidential data. Employees must be required to use unique credentials for all work-related login functions, with set rules that help ensure that passwords are strong, both in length and complexity. This means bad actors cannot unlock multiple doors across an organization by accessing one set of credentials.
3. Tighten admin rights, permissions, and privileges—It is obviously important to have the necessary IT system rights in place for your employees to work effectively. Organizations must remember, however, that granting many rights or privileges to many employees increases cybersecurity risk. Best practice is to ensure that all employees only receive privileges that are necessary for their business role. To start, organizations should audit existing privileges, establish a system for documenting any new permissions, and perform regular access reviews. Educational institutions can use cloud services such as IAM and Cognito to easily manage and monitor access rights.
4. Back up your systems on the cloud—Using a cloud backup is a crucial step towards making sure data across an organization is secured, recoverable, and easily accessible should bad actors compromise locally held information. Cloud backups provide greater resiliency, so that data cannot be deleted easily by bad actors. AWS Backup provides cloud-native backup services for education organizations’ key data stores, such as buckets, volumes, databases, and file systems, across AWS services. A cloud backup is a necessity for all education organizations.
5. Foster a blame-free culture—Underpinning all these recommendations is culture. An organization’s cybersecurity culture must be driven by inclusion and a safe space, avoiding any blame on the part of employees when things go wrong. Phish-testing and more traditional security training methods are increasingly outdated, ineffective, and potentially problematic for employee relations and morale. Organizations should concentrate on driving greater awareness and improving behavioral training to encourage positive changes among their employee base and to help enhance collective cybersecurity.
Strong cybersecurity is no longer a “nice to have” for education organizations. Learning is increasingly taking place online, with technology facilitating communications and interaction between educators and students. This is opening the door for bad actors. In January 2023, for example, confidential data from 14 schools in the UK was leaked online after the organizations refused to meet hackers’ ransom demands following attacks that occurred during 2022. The leaked information included children’s SEN information, pupil passport scans, staff pay scales, and contract details.
Organizations can help mitigate many of these risks by following the five guiding principles above. Putting these into action, in combination with strong leadership buy-in for cybersecurity investment and a well-understood, widely adopted “security culture” among employees, will help any educational institution enhance its cybersecurity capabilities against future threats.
“If you really want to drive change, look to your leadership. Cybersecurity isn’t just about technology: it starts at the top,” says Orlando Scott-Cowley, public sector tech and business development manager at AWS. “Leadership must own and foster a culture which supports cybersecurity.”