Common Types of Cyberattacks in Education and What We Can Learn from Them

By Susan Biddle | October 06, 2017

Cybercriminals have increasingly taken notice of schools and universities as profitable targets for cyberattacks. A key reason for this is the types of information schools keep on students, parents, and staff.

Typically, upon infiltrating an institution’s network, cybercriminals will probe for, find, and exfiltrate valuable user data. This could be anything from health records to financial information to any other personally identifiable information, such as social security numbers. Cybercriminals typically then take this data and sell it on the dark web for a profit. For this reason, healthcare providers and retailers are often heavily targeted industries. However, because schools usually keep records of students’ and staff members’ health, financial, and personal information, they have now become a one-stop shop.

Another reason schools are facing a growing number of cyberattacks is the use of technology and internet-enabled devices in the classroom. Many schools have a 1:1 or higher student-to-device ratio, and oftentimes those machines belong to the students, fostering a bring-your-own-device (BYOD) environment. This makes it harder for school IT teams to enforce network protections and creates backdoor entrances for cybercriminals.

It is not hard to find examples of cyberattacks in education, with 141 K-12 schools or school districts in the US disclosing one or more cyber incidents since the beginning of 2016. However, looking at the most popular attack vectors used by cybercriminals offers insight into how educational institutions can prioritize their data security and protect their networks.

Three of the most popular cyberattack strategies against educational institutions are ransomware attacks, DDoS attacks, and phishing scams.


Ransomware

The education sector has recently surpassed healthcare and government as the industry that suffers the most ransomware attacks, with a recent study finding that 13 percent of educational institutions had experienced the malware. This is compared to 5.9 percent of government institutions and 3.5 percent of healthcare providers.

Ransomware is a type of malware that, once on a device, encrypts the owner’s files and demands a ransom in return for the decryption key. These attacks promise to gain even more momentum as ransomware-as-a-service offerings gain traction.

Ransomware attacks result in downtime and unexpected costs that schools cannot afford, with ransomware remediation costs expected to exceed $5 billion in 2017. Schools especially are often forced to pay up, as they cannot justify delaying the education of hundreds or thousands of students while they try to carefully restore the system.

Ransomware typically spreads through malicious attachments or links sent in emails. School districts and universities should make sure they have secure email gateways in place to detect and block messages from malicious accounts. Additionally, schools should implement firewalls on the perimeter of, and within, their networks. Network perimeter defenses such as next-generation firewalls can detect and block malware such as ransomware from entering the network, while internal segmentation firewalls ensure that any breaches stay isolated. This is especially important as instances of ransomware spread through worms, which require no user interaction, are becoming more frequent.


Phishing

Phishing scams are a popular attack vector across corporate industries that have also spread to education, with 91 percent of cyberattacks starting with a phishing email.

Phishing scams are typically carried out over email, but may also come from social media or SMS. Attackers will send an email that appears to be from an authoritative source, or from someone the user knows personally, asking users to send along sensitive information or to enter their login credentials on a fake site. Thirty percent of phishing messages get opened by targets, and 12 percent of those users click on the malicious attachment.

Once cybercriminals have the information requested, they can use it for fraud, credential stuffing on other websites, sale on the dark web, and more.

Phishing scams can have diverse consequences and motivations. There have been reports that cybercriminals, in addition to targeting personal data, have also hoped to use school districts as entryways into other government networks, including state voting systems, demonstrating the importance of internal segmentation. Additionally, a recent announcement from the IRS warns of a phishing scam targeting school employees to steal W-2 information.

As these attacks become more common, breaches will happen. Schools need to make sure they have strong security information and event management (SIEM) protocols to detect breaches quickly, greatly reducing their consequences.

These examples of education-focused cyberattacks further demonstrate the need for email security, internal network segmentation, and faster incident detection and response times at schools and universities.


DDoS Attacks

Distributed Denial of Service (DDoS) attacks have become common occurrences at both K-12 schools and universities. DDoS attacks overwhelm network servers by flooding them with requests from thousands of machines, usually through a botnet. Ultimately, the increase in traffic knocks the institution offline.

While DDoS attacks can be monetized, they are more often of a hacktivist nature. Cybercriminals will target organizations or institutions with which they compete or take issue. Thus, DDoS attacks on schools are often perpetrated by students, with several instances at the K-12 and university level. This is a trend that will likely increase, as DDoS-as-a-service attacks can cost as little as five dollars on the dark web.

Early detection is key for mitigating DDoS attacks. Next-generation firewalls and web application firewalls can be useful in defending against DDoS attacks that persist at the web application or network layer, especially models that employ anti-botnet security.

Key Takeaways

Schools may be targeted for stored student and staff data, as backdoors into other sensitive networks, or to carry out a personal vendetta. Each attack gives insight into how schools must prioritize and protect their data and networks. With such varied attack vectors and limited IT resources, schools should focus on gaining visibility into the movement of data and incoming traffic in their network. Coupled with prevention and detection measures, this visibility can greatly improve the security of their users.
