Last month, a combined estimate of 11 thousand current and former university staff and students had their personal data compromised in a cyber-attack. Similar attacks have become noticeably more frequent, as highlighted by a recent research paper in the education sector, which identified the education and research sectors as experiencing the highest volume of cyber-attacks per organisation over 2021 and 2022. For this period, these two sectors averaged 2,297 attacks per week, which was a 114% increase over the previous two years.
Unfortunately, these figures are unsurprising to most in the cyber industry, due to our first-hand experience with the devastating impact cyber security incidents have every day on individuals and organisations.
A common misconception heard throughout the education sector is that larger organisations such as banks, telcos and retailers will always be a more appealing target for hackers than schools or other education providers. Unfortunately, these education bodies store a lot of sensitive information, manage large sums of money and often operate an IT environment offering a lot of flexibility to students, and they are increasingly becoming a target for cyber criminals.
While most cyber criminals couldn’t care less about student essays or class grades, the personal information collected and stored by the school is especially valuable to criminals interested in committing fraud or demanding ransom payments. Additionally, given that larger organisations with similarly valuable data are more likely to have the resources and funding to better protect their information, schools represent an attractive target for many criminal groups.
Solution: The Cyber Resilience Review
To support schools in understanding their unique cyber risk exposures, BDO developed a cyber resilience assessment to identify their risk posture from both a technical and governance perspective. The review covers a broad range of people, process and technology related cyber security controls, which are benchmarked against industry better practice standards.
The outcome of the Cyber Resilience review is a formal report summarising the key findings and recommendations, peer benchmark results against the education sector, and detailed assessment results across the people, process and technology controls. These assessments allow schools and education providers to better understand their high-level cyber risks, with clear strategic and technical recommendations to help them improve their overall cyber resilience.
Case Study: Education Body
BDO recently partnered with an educational body that lacked visibility into their school's cyber security processes. To improve protection for students and staff, BDO helped the organisation tailor an assessment for non-technical stakeholders, which informed the board's future cyber improvement investments.
The board was actively involved throughout the assessment, participating in workshops which discussed key business issues and improvement recommendations. These workshops, attended by both technical and non-technical executives, used real-world examples to demonstrate the impact that poor cyber security management has on everyone - not just IT.
The organisation’s prior lack of insight into its cyber security had limited the realisation of some of its investments. After working with BDO, they were able to implement new processes with immediate benefits and have a roadmap to address all other vulnerabilities and opportunities for improvement. While full implementation of the report's findings will take a few years, the immediate improvements will greatly benefit the organisation's future investments.
BDO’s team of dedicated Cyber Security professionals are experts in risk assessment, security training and awareness, and incident response planning and operations, with experience performing these services for over 40 schools across Australia. Should you wish to discuss your organisation’s current risks and controls, please contact your local Digital and Technology Advisory expert.