Cyber crime in schools: Key threats and how to mitigate risk


In this blog, we outline the most common cyber threats facing the education sector and explore key questions like who commits these crimes, what is at risk, where the vulnerabilities lie, and why schools are prime targets. Additionally, we provide practical steps that schools can follow to reduce their risk of falling victim to cyber crime. The information included in this blog is based on 9ine's experience and what our teams commonly see in schools. 

The 3 biggest cyber threats to schools

Schools today face a wide range of cyber threats, but the three most prominent are phishing, denial of service (DDoS) attacks, and ransomware. These threats are more than just isolated incidents - they often form part of a larger, increasingly sophisticated network of criminal activity targeting schools.

It's important to recognize the two major types of cyber crime that schools should be aware of: Cyber-enabled crime and cyber-dependent crime. Cyber-enabled crime is traditional crime that is enhanced in scale or reach via the use of technology. This can include online fraud, grooming, malicious communications, and cyber bullying. Cyber-dependent crime involves a criminal element using a digitally enabled device, such as a computer or smartphone, to target another device. In the latter category, technology is both the target of the crime and the tool to commit it. Examples of cyber-dependent crime can include ransomware, malware, remote access tools, and Denial of Service (DDoS) attacks.

Ransomware, in particular, has become one of the most devastating cyber-dependent crimes for schools. Hackers encrypt a school’s data and then demand payment to unlock it, effectively holding the institution hostage. When schools rely heavily on digital infrastructure for learning, administration, and communication, these attacks can bring operations to a standstill.

What does cyber crime really look like?

Many imagine cyber criminals as lone hackers in hoodies, hunched over laptops. In reality, most cyber criminals work in highly organised groups that plan and execute sophisticated attacks over extended periods. Some hackers remain hidden in school systems for months, sometimes even nine months or longer, collecting valuable information before striking.

The financial incentives for cyber criminals are staggering. Consider this: if a hacker gains access to a database containing 500,000 email addresses, and even 1% of the recipients fall victim to a phishing scam resulting in a £200 payout, the hacker walks away with over £1 million. This highlights the substantial profitability that drives these criminals.

Detecting a data breach can take months, with the time varying widely depending on the organisation. For example, the entertainment sector averages 287 days to detect a breach, while healthcare industries detect them in around 103 days. Schools, often operating on limited budgets with outdated systems, typically fall on the slower end of this detection spectrum, which makes them even more vulnerable to prolonged attacks. Schools, like any other organisation, need to allocate resources toward cyber security to minimise the time it takes to detect and mitigate breaches. The level of investment in IT systems and cyber security makes a big difference. Read more about the common characteristics of a data breach in our blog, 'How to plan for a data breach in your school network'.

Where does the risk come from?

While schools often focus on external threats, internal risks can be just as dangerous. In a survey from TeacherTap involving over 5,000 respondents, 28% of teachers admitted they shared a password. This is just one example of how carelessness among staff can create vulnerabilities. Other sources of internal risk include:

  • Poor systems administration: When staff leave or change roles, failing to update or revoke access can leave the door open for future attack.
  • Disgruntled employees: Unhappy or overlooked staff members may exploit their access to school systems for malicious purposes.
  • Former employees: Staff who retain access after leaving can still manipulate the school’s network, sometimes enacting revenge or selling access to outsiders.
  • Tech-savvy students: Some students are skilled enough to guess or steal staff passwords, creating another point of vulnerability.
  • Lack of cyber awareness: Without proper training, teachers and staff may inadvertently invite attacks, such as by clicking on suspicious links or downloading unsafe files.
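
The first and third risks in this list (access not revoked when staff leave or change roles) can be checked by reconciling an HR roster against a directory export. The script below is an added example, not 9ine's own code; the CSV column names, the role-to-group mapping and the sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data). Column names are assumptions.
HR_ROSTER = """staff_id,name,role,leave_date
T001,A. Patel,teacher,
T002,B. Jones,teacher,2024-07-19
T003,C. Smith,finance,
T004,D. Khan,teacher,2030-08-31
"""

ACCOUNTS = """username,staff_id,enabled,groups
apatel,T001,true,staff;teaching
bjones,T002,true,staff;teaching
csmith,T003,true,staff;teaching;finance
dkhan,T004,true,staff;teaching
supply1,,true,staff
old_it,T009,false,staff;it-admin
"""

# Assumed mapping from HR role to the directory groups that role may hold.
ROLE_GROUPS = {"teacher": {"staff", "teaching"}, "finance": {"staff", "finance"}}


def audit_accounts(roster_csv, accounts_csv, today):
    """Return (username, finding) pairs for enabled accounts that need review."""
    roster = {r["staff_id"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot be used to log in
        person = roster.get(acct["staff_id"])
        if person is None:
            findings.append((acct["username"], "no matching HR record"))
            continue
        left = person["leave_date"]
        if left and date.fromisoformat(left) <= today:
            findings.append((acct["username"], f"left on {left}, still enabled"))
            continue
        allowed = ROLE_GROUPS.get(person["role"], set())
        extra = set(filter(None, acct["groups"].split(";"))) - allowed
        if extra:  # e.g. a role change where old group membership was kept
            findings.append((acct["username"], "groups beyond role: " + ",".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(HR_ROSTER, ACCOUNTS, date(2025, 1, 6)):
        print(f"{user}: {finding}")
```

Run on a schedule against fresh exports, the findings give the IT team a short review list: leavers with live accounts, shared or orphaned logins with no owner, and staff whose group membership no longer matches their role.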

How social engineering targets schools

Cyber criminals frequently use social engineering tactics to exploit schools. Social engineering refers to manipulating people into performing actions or divulging confidential information. Common tactics include impersonation, creating a sense of urgency, exploiting a sense of obligation, invoking authority, and using flattery or fear to manipulate the victim.

For example, a hacker may impersonate a trusted authority figure, such as a bank or even the school itself, to trick employees into revealing sensitive information. Urgency is another common tactic, where hackers pressure the victim to act quickly before they have time to scrutinise the request. Phrases like "Your account will be locked unless you act immediately" are designed to evoke fear, pushing victims to click on malicious links without a second thought. The hacker may also try to persuade a victim that they are required to do something, either by law or through some contractual obligations.

Authority figures like school administrators are often targeted because they have higher levels of access to sensitive information. Hackers may craft convincing emails or phone calls pretending to be from an official source to gain access to these privileged accounts. By using friendly and flattering language, they may also put victims at ease, making them more likely to comply with requests.

How do hackers gain access to employee information? 

Hackers gather extensive information about a school’s employees through various means, especially by scraping social media profiles. Employees may unknowingly expose information about their job roles, hobbies, and personal details that cyber criminals can use to craft highly targeted attacks.

In addition, hackers can exploit location services to gain insights into a person’s daily routine or whereabouts. Many apps request access to location data, and this information is often shared with third parties. Smart devices, such as Amazon Alexa or Google Home, also collect data, which may be intercepted by cyber criminals. All around us, technology is recording and monitoring our location, and all of this information is an invaluable cache of intel for hackers plotting their next move. It’s important to recognise this and protect our digital footprint.

What are the cyber risks associated with bring your own device (BYOD)?

The rise of bring-your-own-device (BYOD) policies has introduced a host of new risks for schools. Teachers and staff often bring personal devices into the school’s network, and these devices may lack proper cyber security protections. Unsecured devices can act as gateways for hackers to access a school’s internal network.

One technique used by hackers is planting USB drives around school premises, hoping that a curious staff member or student will plug one into a school computer. This simple action can give the hacker access to the school’s system. Before disposing of any old hardware like USB sticks or laptops, schools must ensure that all data has been securely erased to avoid leaving residual vulnerabilities. Read more about this in our article, "Cyber Security In Schools; Removable Media Data Loss and Malware".

Minimise your school's vulnerability

Reducing your school’s vulnerability to cyber crime requires a multi-faceted approach. Here are several key steps:

  1. Take ownership at a senior level: Senior leadership should make cyber security a priority. Hiring a consultancy like 9ine or exploring resources like the National Cyber Security Centre (NCSC) can help.
  2. Understand the risks: Identify the biggest threats in your school, whether from students, staff, or external actors.
  3. Establish access control policies: Implement strong access control measures, ensuring that only authorized personnel have access to critical systems.
  4. Vet third-party providers: Ensure that any third-party services your school uses have robust cybersecurity measures in place.
  5. Use secure configurations and patching: Regularly update systems with the latest patches and security configurations.
  6. Promote cyber awareness: Train staff to recognize phishing attempts, and encourage the reporting of any suspicious activity or near misses.
  7. Prepare for a breach: Develop a cyber incident response plan and make sure it is tested regularly.

Ultimately, schools must accept that cyber crime is not a matter of "if," but "when." By staying informed, investing in cyber security, and implementing a proactive approach, schools can minimize the damage when an attack does occur.

How 9ine helps

  • Vendor Management - A solution for assessment of vendors, like EdTech platforms for compliance with privacy law, AI, cyber security and safeguarding risks of harm.
  • Application Library - Providing educators with accessible knowledge and support on how to effectively use technology in the classroom while managing privacy law, AI, cyber security and safeguarding risks of harm.
  • Cyber Security Testing - Helps schools identify potential cyber threats through a comprehensive review of IT systems, services, and devices. Audit your IT infrastructure to protect sensitive data, ensure smooth online learning, and foster a secure digital environment for students and staff.
  • Tech Academy - Develop your school IT team with tailored, comprehensive certified training in three specialised streams: Security standards, network security, and cyber awareness. The program offers up to six focused sessions per stream, providing step-by-step guidance, on-demand video tutorials, and quizzes to ensure thorough understanding and practical application.
  • Privacy Academy - Training and professional development to manage privacy law, AI, cyber security and safeguarding risks of harm at your school.

9ine company overview

9ine equips schools to stay safe, secure and compliant. We give schools access to all the expertise they need to meet their technology, cyber, data privacy, governance, risk & compliance needs - in one simple to use platform. For additional information, please visit www.9ine.com or follow us on LinkedIn @9ine.
