Cybersecurity is as indispensable today as electricity and running water. While everyone deserves robust cybersecurity and to feel secure, but the reality is some industries and institutions are favored more than others. Education for instance, despite the essential role it plays in molding our future, is not afforded the same degree of protection as enterprises and other corporate environments. This clear lack of prioritization leaves education vulnerable, with inadequate safety measures that malevolent actors can effortlessly exploit.

Last week, the University of Michigan disabled internet and Wi-Fi connections for staff and students across campus in response to a cyber-attack. This disruption affected essential cloud services, including Google, Zoom, Dropbox, and Adobe Cloud, impacting the 51,000 enrolled students at the start of a new semester. Though internet access was restored, and students could continue registration for the new semester a day-and-a-half later, the university did not disclose further details of the attack, cost, or expected remediation.

A cyber-attack of this scale is not the first of its kind in the education sector: earlier this year, Mercer University in Georgia fell victim to a ransomware attack that resulted in the theft of Social Security Numbers (SSN) and driver’s license numbers from student records. Over 93,000 students and staff were affected, leading to two lawsuits against the university claiming they failed to administer adequate cybersecurity protections to prevent the breach entirely.

It should come as no surprise that education institutions are a prime target for hackers. From 2020 to 2021, ransomware attacks against college-level, and even K-12 level, education institutions increased significantly as institutions became more reliant on virtual learning according to Verizon’s 2022 Data Breach Investigations report. In 2020 alone, there were over 400 cyberattacks recorded in K-12 schools.
The financial damages sustained by educational institutions can range anywhere from $50,000 to $1 million, and, unsurprisingly, the remediation process typically extends over several months.

While education institutions by themselves may not net substantial bounties for threat actors when compared to larger business entities, education is a viable hunting ground due to the expansive attack surface and access to significant troves of personally identifiable information (PII). This is especially disconcerting for K-12 students who are too young to understand the risks at hand. Regarding these students, threat actors can steal their SSNs and other sensitive information, subsequently utilizing their identity for fraudulent and nefarious activities.

Cybersecurity experts are acutely aware of the inherent vulnerabilities within educational institutions compared to large-scale corporate entities. While businesses may yield substantial financial resources, it is important to recognize that student data, an easy bargaining chip for threat actors to leverage against school administrators, warrants equally rigorous protection. Educational institutions often grapple with limited budgets as is, and they are significantly less secure than large, privately held organizations as a result.

The impact of compromised school systems extends beyond immediate financial concerns; it jeopardizes our future as a society when it’s our youth ultimately bearing the brunt of the attack.  While as a society we have initiatives to protect youths from any range of threats, we are sadly allowing their exposure to cyber threats.

Educational establishments should not be at a disadvantage in terms of resources and capabilities, and thus they deserve the same level of investment as any other sector. By failing to properly invest in educational cybersecurity, we are leaving students vulnerable to risks that could impact them for life. We need to treat this issue with the urgency and seriousness it deserves, for the sake of our youth and the future they will inherit.

We at OccamSec are invested in the future of every youth and have conducted extensive research into the threat actors that would attack them.  Through this research, we are well poised as an organization to provide consultation for educational facilities of all sizes whether public or private.


If your institution is concerned, let’s set up a time to talk and ensure that our tomorrow is protected.
Let’s talk