Why the Education Sector Needs to Get Better at Cyber Hygiene
As we enter the New Year, it hasn't taken long for the education sector to be hit by several high-profile cyber attacks, underscoring the growing threats facing this critical industry. One of the groups responsible for some of these attacks, known as FOG, is a relatively new player in the ransomware-as-a-service world. The group appeared in the wild in May 2024 and has built a reputation for targeting U.S.-based higher education institutions by exploiting compromised VPN credentials to gain access to sensitive systems. In fact, cybersecurity researchers at Arctic Wolf reported that 80% of all FOG's victims are in the education sector.
This rise in incidents highlights several important considerations that demand attention. First, it raises a critical question: Why aren't higher education institutions learning from the mistakes of their peers? Cyber attacks targeting educational institutions are not a new phenomenon. In recent years, ransomware groups and other bad actors have repeatedly exploited the sector. Despite the wealth of publicly available information about prior attacks and the TTPs (tactics, techniques, and procedures) used by cyber criminals, many institutions appear unprepared to protect their students, faculty, and endowments from cyber threats.
The second takeaway is that cyber criminals continue to exploit well-established attack vectors, such as phishing, unpatched systems, and compromised credentials to infiltrate systems and access sensitive data. These vulnerabilities could often be mitigated with the implementation of basic security best practices.
A Call to Action
The recent wave of cyber attacks targeting the education sector underscores the persistent vulnerabilities within higher education institutions and the urgent need for these organizations to get up to speed on cyber hygiene and prioritize a comprehensive approach to cybersecurity.
Historically, institutions have pointed to tight budgets, reliance on outdated technologies, and the necessity of maintaining an open and collaborative environment as barriers to robust cybersecurity. However, these challenges can no longer serve as acceptable excuses. The stakes are simply too high, with ransomware groups and other threat actors continuing to exploit weaknesses to access sensitive data, disrupt operations, and demand significant payouts.
Educational organizations must recognize that adopting a proactive cybersecurity posture is no longer an optional investment — it is an operational necessity. Fortunately, there are several fundamental cybersecurity controls and practices that institutions can implement quickly and cost-effectively to significantly strengthen their defenses. Here are 10 of the most impactful measures.
1) Regular Cybersecurity Awareness Training
Offer short, engaging, and frequent training sessions to ensure participants pay attention and retain the information long after the session ends. The curriculum should cover common threats, how to respond, and cyber hygiene best practices. Empowering individuals with knowledge can drastically reduce the success rate of attacks.
2) Incident Assessment Integration
Use recent cyber attacks targeting educational institutions as case studies during training. Analyze the incidents to draw actionable insights. This can enhance internal processes and help participants understand real-world applications of cybersecurity measures.
3) Foster a Proactive Cybersecurity Culture
Make cybersecurity awareness a shared responsibility across all levels of the organization — from administrators, operators, and IT teams to faculty, staff, and students. Help individuals understand their role in safeguarding digital assets, networks, and identities. A culture of accountability can inspire widespread adoption of best practices.