Cyber-attacks have been making headlines after massive data breaches at Fortune 500 companies. According to a recent report by the Business Continuity Institute[1] and the British Standards Institution, nearly nine in 10 businesses worldwide are worried about the threat of cyber-attacks.

Recently, the panic has spread to educational institutions. Unfortunately, schools, colleges and universities are perfect targets, often possessing out-of-date security systems and a wealth of sensitive, monetizable student data. According to the Wall Street Journal[2], cyber attackers have struck more than three dozen schools this year, including recent news of an attack on the Flathead Valley School District[3].

Experts warn these attacks are likely to increase, and educational institutions are increasingly prioritizing investment in technology and systems to prevent cybersecurity breaches.

On October 16, the U.S. Department of Education issued a letter[4] for teachers, parents, students and administrators warning against the dangers of hackers. It recommends infrastructure change and preventative measures. According to the letter, “the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records.”

Hackers aren’t slowing down, so it’s important for educational institutions to employ proactive methods to prevent cyberattacks and protect data and reputational assets.

Recognizing an Attack

Ninety-one percent of cyberattacks start with a phishing email, according to a study by PhishMe[5]. Email scams frequently attempt to trick an employee into clicking a link in the message, which launches malicious software that compromises the security of the employee’s network. The FBI estimates[6] that compromised email is responsible for $3.1 billion in losses per year worldwide.

To prevent an attack, it’s important to train employees to look for the three most common types of email hacks:

  • Fake email coming from a company executive or colleague
  • Fake invoice from a supplier whose email address has been spoofed
  • Fake email from an attorney requesting funds or information about a deal

Even if the employee doesn’t send a payment or transfer funds in response to the email, simply clicking a link in a phishing email could set off a chain of events that compromises the network.


How Data Gets Held Hostage

Educational facilities are also vulnerable to “ransomware,” a malicious type of software that can harm or disable computer systems until hackers receive a payoff. These types of attacks are up 400 percent, according to PhishMe.

Ransomware works by tricking an employee into opening a fake email and then clicking on a link or attachment that infects the system and locks the user out of the computer or network until a ransom is paid. Unfortunately, paying the ransom doesn’t ensure a fix, as evidenced by the recent Petya ransomware attack, which hit 65 countries in June.

In the case of schools, the FBI warns against paying a ransom, as it would encourage hackers to target more districts in the future. It’s best to educate faculty and administration on habits that prevent a ransomware attack, including:

  • Implementing security patches – Every time the operating system or security software asks if it can run a system or security update, promptly follow through.
  • Backing up data – Back up files remotely every day on an external hard drive not connected to the internet.
  • Using an antivirus program – Antivirus programs can scan files to see if they might contain ransomware. Set the program to run automatically before files are downloaded.

Bolstering Defenses

The best protection against email fraud is to employ multiple lines of defense. While upgrading software and backing up data is critical, training employees to spot warning signs is the most important proactive measure. Empower your staff to:

  • Be cautious. Flag suspicious emails to IT. Additionally, never reply or open links and files within suspicious emails.
  • Get two approvals for transactions. No matter the size of the school, dual authorization should, at a minimum, be implemented for certain transactions. For example, beneficiary or address changes from vendors could be validated by phone.
  • Alert your bank to unusual requests. It’s essential to inform your bank of suspicious activity so proper action is taken to stop or prevent a financial transaction.
  • Remove every “dirty” PC. If a laptop or PC is compromised, remove it from the company’s network until it’s been cleansed of malware.

Ideally, every school district should develop processes to teach employees to recognize potential cyber-attacks via trainings and simulations. According to PhishMe, susceptibility to phishing email drops almost 20 percent after a company runs just one simulation.

Proactively training staff to recognize a potential cyber-attack or ransomware intrusion can prevent compromising private student information, prevent monetary losses and spare an institution from reputational harm.

“Bank of America Merrill Lynch” is the marketing name for the global banking and global markets businesses of Bank of America Corporation. Lending, derivatives, and other commercial banking activities are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member FDIC. Securities, strategic advisory, and other investment banking activities are performed globally by investment banking affiliates of Bank of America Corporation (“Investment Banking Affiliates”), including, in the United States, Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp., both of which are registered broker-dealers and Members of SIPC, and, in other jurisdictions, by locally registered entities. Merrill Lynch, Pierce, Fenner & Smith Incorporated and Merrill Lynch Professional Clearing Corp. are registered as futures commission merchants with the CFTC and are members of the NFA. Investment products offered by Investment Banking Affiliates: Are Not FDIC Insured • May Lose Value • Are Not Bank Guaranteed.

©2017 Bank of America Corporation

[1] Business Continuity Institute, February 2017

[2] Hackers Target Nation’s Schools, 2017

[3] In Columbia Falls, A Shaken School District Moves Forward from Cyber Threats

[4] CyberAdvisory – New Type of Cyber Extortion/Threat, 2017

[5] PhishMe, December 2016

[6] Federal Bureau of Investigation, June 2016

About the Author:

John Lenckos is senior vice president, Specialized Industries, Bank of America Merrill Lynch.