A sign welcoming new students is posted at Sproul Plaza on the UC Berkeley campus on March 14, 2022, in Berkeley, Calif. (Photo by Justin Sullivan/Getty Images)

Netwrix on Tuesday published a report that said 47% of educational institutions suffered a cyberattack on their cloud infrastructure within the last 12 months.

The survey on the education sector was part of a broader survey, but Netwrix opted to offer these additional vertical industry findings.

Dirk Schrader, vice president of security research at Netwrix, said for 27% of the attacks on education, incidents around cloud security were associated with unplanned expenses to fix security gaps. Schrader also added that educational institutions expect to have 56% of their workloads in the cloud by the end of 2023, compared with this year’s 44%.

“But without proper visibility into who has access to sensitive data and when and how that data is being used, IT teams will not be able to proactively mitigate data overexposure and spot suspicious behavior in the cloud,” Schrader said.

Educational institutions possess large volumes of sensitive student data and unfortunately, most security solutions used by school districts were designed to protect on-premises data and apps, said Tony D’Angelo, vice president, public sector, at Lookout. D’Angelo said schools are ill-equipped to account for apps that reside in the cloud or student data that lives and travels on mobile devices, hotspots and throughout the internet. 

“To ensure sensitive data is protected, educational institutions must rethink their security strategy,” said D’Angelo. “Simply deploying modern security products for one-off use cases isn’t enough. Some systems focus on implementing a secure web gateway to support secure access to the internet. That’s necessary, but not sufficient, as it leaves out other parts of student activity, such as mobile devices and various cloud apps.”

Chloé Messdaghi, chief impact officer at Cybrary, said schools are attractive targets and are often an entry point for threat actors into state, county and local governments, simply because their cybersecurity bar is so much lower and governmental networks are so large. Messdaghi said educational institutions have been used as stepping stones or ladder steps to ultimately reach other governmental targets.

“There will always be kids out there who want to change grades, and see student and teacher records,” Messdaghi said. “There’s also stalkers who follow kids on TikTok and Instagram and then seek to get to them through their education institutions. Unfortunately, too many educational institutions don’t have the funds and expertise to prevent this. That’s why all of us in cybersecurity should volunteer our free time to help educational institutions develop best practices, help them follow those steps to tighten day-to-day cybersecurity, and also put together and regularly update incident response plans that institutions can act on immediately.”