Education and the third sector:  the growing target area for cyber crime

Recent reports highlight that the education and third sectors are increasingly being targeted by cyber criminals as weaknesses in IT security, staff awareness and process present opportunities for threat actors and criminals.

As recently reported by the Telegraph, independent schools are increasingly being targeted, as cyber criminals look to defraud parents of students through social engineering scams and invoice hijacking.  The scam commonly follows the criminals compromising the school’s IT systems, usually through a phishing attack that implants a piece of malicious software that then enables the criminals to gain access to the school’s emails and contact list.

These criminals will then email parents, explaining that the school’s payment details have changed, and issue a new invoice with their own account information.  Parents who respond to request a confirmation will have their emails diverted to the fraudsters, so the school will not receive them.

As reported by the Telegraph Neil Hare-Brown, of Cyber|Decider, cyber risk specialists, said he had investigated incidents at six private schools in the last two-and-a-half months, which have made claims on their insurance following cyber attacks.  He said he believes this is “just the tip of the iceberg” and warned that many schools may have had their mailboxes compromised without realising.

The Information Commissioner’s Office confirmed it was aware of at least one case where a private school’s system had been attacked, while the Independent Schools’ Bursars Association (ISBA), said the issue of cyber-attacks had become more than an “isolated incident” over the last 12 months. Indeed the potential for reputational harm is significant as the malware and other malicious software used could result in personal information about parents and pupils being breached. More worryingly, this could also include prospective parents and students who attend open days or where enquires are made. The data captured about the individuals could include contact information, age of children and even information relating to occupation and affordability.

The threat is not limited to independent schools as state and academy schools could also be targeted as threat actors will likely purchase data lists for potential targets from the dark web and the nature of the phishing attacks being widespread. The data breached from a school could also include sensitive information related to the students including details as to welfare, medical conditions and other data that may identify vulnerable young people.

Undoubtedly the entire education and third sector is vulnerable, as Higher and Further Education institutions could also be targeted. Whilst it is presumed that the IT and Cyber resilliance in a university may be more sophisticated than a schools’ a report published by the BBC showed that a test of UK university defences against cyber-attacks found that in every case hackers were able to obtain “high-value” data within two hours. These tests were carried out by “ethical hackers” working for JISC (formerly the Joint Information Systems Committee), which is the agency providing internet services to the UK’s universities and research centres. They were able to access personal data, finance systems and research networks.

A report into their effectiveness, published by JISC and the Higher Education Policy Institute (HEPI), showed a 100% success rate in getting through the cyber-defences. Within two hours, and in some cases one hour, they were able to reach student and staff personal information, override financial systems and access research databases.

The intended targets of these attacks could be similar to schools, as threat actors look to gather sensitive personal data and payment information, but this could also include valuable research and Intellectual Property.  Universities and research centres have faced repeated attacks from hackers, with more than 200 institutions reporting more than 1,000 attempts last year to steal data or disrupt services.

The nature of these attacks and the likelihood of any breach being common means that local councils and community groups are also likely to be targeted and their IT security and Cyber Hygiene is likely to be similar to the education sector. Based on Freedom of Information requests, Big Brother Watch found that UK local authorities have experienced in excess of 98 million cyber attacks between 2013-17. At least 1 in 4 councils experienced a cyber security incident – that is, an actual security breach – in that period.

As reported by the BBC, Copeland Borough Council has revealed that an attack on its systems in August 2017 has cost it about £2 million. The hack locked staff out of a number of council services, including payroll, planning and environmental health.  The authority said it had brought in experts to better protect the authority from any future attack. Copeland, Islington and Salisbury councils were targeted in the Bank Holiday cyber attack, in which hackers demanded a bitcoin ransom to regain access to encrypted files.

Whilst it is not possible to zero out the risk of a cyber-attack, the likelihood of a breach/attack can be greatly reduced by taking some simple steps and examining the people, process and technology risks. Most data breaches occur as a result to some degree of human error, which can be avoided through better training and awareness.

The fall-out and potential reputational harm can also be managed and mitigated through the implementing of a robust and thorough breach response mechanism and engaging expert practioners including forensic IT investigators, legal support, PR & Communications advisors, in addition to credit monitoring and other support services. All of these services can be provided and paid for by a Cyber Insurer and the insurers will also support the business in improving the degree of cyber hygiene to reduce the likelihood of a breach or attack occurring.

Talk to us

Stackhouse Poland is an award-winning specialist insurance broker with dedicated practices in education, faith/community and cyber sectors. For more information, please contact us on 0330 660 0401 or email


Download “Education and the third sector:  the growing target area for cyber crime” as a PDF.