Education sector not learning from the US$7mil cost of cyber-threats

• Educational organisations suffered an average of 11 attacks in 2019
• Smarter counter-measures are required, not pull-the-plug solutions

CYBER-ATTACKS can be costly. The problem, however, is when the sectors that are hit the hardest are not taking the necessary steps to safeguard their data. Most frustratingly, we’ve just discovered that the education sector is not learning the importance of cyber-security.

DNS security specialists EfficientIP revealed, through a joint research with IDC, that the education sector is one of the most heavily targeted industries by cyber-attacks.

In its 2019 Global DNS Threat Report, they discovered that 86% of education sector respondents experienced under-the-radar Domain Name System (DNS) attacks in the past year – the second-highest across all sectors, after Government.

Surveying 900 security experts from nine countries across North America, Europe and Asia, the report found that education organisations suffered an average of 11 attacks last year, each costing US$670,000 – resulting in annual total of a massive US$7,370,000.

Half of the DNS attacks that education institutions experienced last year were phishing-based, and the attacks can have devastating impacts. 66% of the surveyed organisations suffer from in-house application downtime, while 50% had their websites compromised. This, the report notes, is high above the global average of 45% of victim organisations.  

Smarter countermeasures

The report also notes that attempts to mitigate attacks here are mostly insufficient. 50% of those surveyed said they currently mitigate attacks by shutting down servers and services; 64%, on the other hand, does so by shutting down affected process and connections.

The report says that while pulling the plug may help stop attacks, it is “a blunt instrument attempting to stop increasingly sophisticated threats.”

Smarter counter-measures would include improved DNS monitoring, analysis and threat intelligence to first identify the threats before they begin, followed by quarantining attacks without taking entire servers offline (which would disrupt normal service).

Education has fallen behind healthcare, retail and other industries when it comes to cyber threats – only 22% of education institutions surveyed prioritised monitoring and analysing DNS traffic to meet the compliance requirements of data regulations such as GDPR (General Data Protection Regulation).

“Cyber-attacks are no less frequent and severe in education than other sectors. In fact, they are becoming more prevalent as educational institutions house valuable personal information about students and faculty and intellectual property. As Southeast Asia positions itself as an innovation-led region, cyber-security remains critical in realising that future vision,” says EfficientIP APAC vice president of sales Nick Itta.

“For the education sector, the burden of responsibility falls on institutions to keep people and data safe. Yet, our report shows that they are woefully underprepared to cope with the risks. There is a need to invest more resources in cyber-security measures, as well as encouraging students and faculty to do their part by practising good cyber-hygiene,” he adds.