What makes educational institutions a prime target for cybercriminals


Cybersecurity is one of the most critical issues confronting educational institutions like schools and universities worldwide. Educational institutions are often considered the most attractive target for cyber crimes due to their less-than-effective cybersecurity practices.

Increasingly, schools and universities are repositories of large data sets containing valuable information in a cyber marketplace. They have information on students and their parents, including social security numbers, email addresses, financial data, credit card numbers, and other personally identifiable information (PII) that could be stolen and sold on the black market.

Additionally, they have business offices that manage accounts payable and provide organizational financial data access. Typically, schools have less-expended resources to handle cybersecurity in the same manner as the government and big business.

Cybercriminals often gain access to schools through sophisticated spear phishing attacks, preying on the human and technical vulnerabilities in the school cybersecurity system. A little over half of all digital data breaches were caused by members of the affected school staff and vendors or partners caused by students, and 23 percent by unknown actors carried out the remaining 23 percent.

Types of cyber events that impact educational institutions:

  • data breaches (unauthorized disclosure of personal information),
  • security incidents (malicious attacks directed at a school),
  • privacy violations (alleged violation of consumer privacy),
  • phishing/skimming incidents (individual financial crimes),
  • technology-focused threats (hacking, malware, and spyware),
  • content-related risks (exposure to illicit or inappropriate content),
  • harassment-related threats (cyber-bullying, cyber-stalking, and other forms of unwanted contact) and risk of exposing information (children exposing their personal information through phishing or sharing information on social networking platforms).

This post will discuss key factors that make educational institutions a prime target for cybercriminals.

Wide Variety of Valuable Data

Schools have sensitive data about students, parents, alumni, faculty, and staff. Records
are routinely retained decades after students have left an institution. Moreover, the sheer volume
of potentially valuable data housed at most schools makes them highly attractive targets.

The potentially valuable data stored by educational institutions include:

• Student ID
• Social security numbers for students, faculty, and staff
• Credit card numbers for faculty, staff, and school
• Immunization history and/or medical records
• Enrollment and attendance
• Special education documentation
• Names of students, faculty, and staff
• Addresses
• Date of birth
• City, state, and country of residence
• Bus routes
• Telephone numbers
• Email addresses
• Gender
• Race
• Criminal record
• Test scores
• Grades
• Achievements
• Free lunch applications
• Participation in school activities (dates and times)
• Family members
• Prior students at the school and their data
• Community and business involvement in school

Lack of Centralized Structure for Cybersecurity

Instead of a single centralized location, schools may store their data in multiple locations. Student information can be kept separately at each school and centralized at a district office. Student and financial information may be stored separately. Because of this decentralized structure, cyber criminals may be able to exploit vulnerabilities in disparate systems containing sensitive data.

Organizational Vulnerabilities

Similar administrative and operational issues frequently parallel the decentralized nature of data storage in educational institutions. Several people within different departments, frequently with different reporting structures, may be in charge of putting security measures into place, running them, and deciding on processes. Schools generally lack a top-down command structure that simplifies implementing new security measures and increases security.

Prevalent Use of Personal Devices

When downloading sensitive data to less secure personal devices, administrators, faculty, and staff frequently aren’t aware of the extent to which they may be exposing their institution to cyber risks. Ninety percent of faculty members have smartphones, but only 27 percent have taken the required information security training. Furthermore, a large percentage of high school and elementary students own smartphones, and the majority of them have never received a security education. Therefore, even if the school has strong security measures, staff members may unintentionally expose sensitive information due to negligence or a lack of awareness.