Why are schools and universities such an attractive target for cybercriminals?

Ransomware attacks are on the rise across the Eastern region, and the education sector remains a target-rich environment for criminals.

The reasons for this are fairly simple:

  • Schools possess large quantities of high-value and sensitive data that they may be willing to pay to get back.

  • School networks and processes offer a lot of vulnerabilities, through either underinvestment or weaknesses in their underlying processes. In many cases these vulnerabilities are caused by the necessity of having so many people and devices attached to the network.

A number of education ransomware alerts have been published by the National Cyber Security Centre throughout 2020 and 2021, and more are expected over the coming year. Thousands of schools have been attacked over the past few years, and many of these attacks have resulted in long-term problems for the organisations affected, including the staff, students and parents.


Whilst the rise in attacks was blamed partly on the pandemic and a rise in remote learning, the risk to schools will persist until they are provided with the tools to fight back. And these attacks are happening right now in our region. In the summer of 2021 a ransomware attack against schools in Kent actually caused several of them to close for several days whilst the data breach was resolved.


What is ransomware?

Simply put, this is a malicious attack against a network where the criminals get access to data and either steal it, threaten to delete it or encrypt it. The criminals will then demand a payment for the return of the data. Imagine how this could affect a school: sensitive pupil data, Parent Pay financial details for thousands of parents, and coursework and exam results for students could all be compromised or lost.

The reality is that ransomware is now viewed as a business model and many entities behind these attacks will present themselves as being on the same side as the victim. So in return for the payment the school or college will often be supported through a process which will return the data that has been encrypted / stolen.


It is worthy of note that paying the ransom does not guarantee the return of the data and certainly does not guarantee that it won’t be sold on or published at some point in the future. Also, your network will still be infected and you are more likely to be targeted again in the future.


The paying of the ransom has moral and ethical undertones that may not be immediately apparent when you are faced with such an attack. Consider the fact that you may be financially supporting terrorists or criminals by paying the ransom.


Can you protect yourself from these attacks?

Ransomware is always preceded by an attack on the network itself, commonly through a phishing e-mail or brute-force attack. These attacks are increasing in complexity and sophistication, meaning that defence against these dark arts needs continual review. But the key points for protection to remember are:

  • Look at the free tools and guidance available on the ECRC site: Education & Resources at the Eastern Cyber Resilience Centre (ecrcentre.co.uk).

  • Make your network resilient and practise good cyber hygiene using Cyber Essentials (CE) principles. In particular, use strong passwords and multi-factor authentication if you can. You can find the link to the education-specific CE process on our website.

  • Ensure Staff Awareness Training is a priority and is up to date – spotting a phishing e-mail early will prevent a lot of pain further on down the line. The NCSC has free online staff training.

  • Make sure all staff know the symptoms of an ongoing ransomware attack and respond quickly to it using a prepared incident response plan. You can download our free template here as a starter for ten if you don't have anything in place already.

  • Identify common points of failure across the network – patch vulnerabilities and restrict access from malicious sites and IP addresses – speak with your MSPs about this and don’t assume that it will be done automatically.

What next?

The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of data and permanent loss of reputation. But all is not lost.


So, what can I do?

Here at the centre, we would advise you to do these things now:

  1. Join our free core membership by clicking through to https://www.ecrcentre.co.uk/core-membership-sign-up. You will be supported through implementing the changes you need to make to protect your organisation, staff and students. Our membership comes with the free Little Steps pathway we provide to Cyber Essentials, the basic government-backed kite mark standard for cyber security. And remember that a company operating under Cyber Essentials processes is 99% protected either fully or partially from today’s common cyber-attacks. Join the centre as a free member and we will take you as far as the CE accreditation process. And if you want to pay for the assessment, we can refer you to one of our Trusted Partners, all regionally based cyber security companies that can help you become accredited.

  2. We would also recommend that you speak to your Managed Service Provider and / or website company to discuss how they can implement cyber resilience measures on your behalf. If you do not know what type of conversation this should be, have a look at the NCSC board toolkit. The toolkit looks at different considerations and can lead discussions around these areas.

Members of the centre will be reminded in the next few months about a new Department of Education Tool called Cyber Secure, which will allow schools to accurately assess their IT assets and the risk they create when used on their network.


Whatever you decide to do, doing nothing is no longer an option.

Here at the ECRC we are already working closely with schools and academic institutions across the seven counties to help them tackle the continually changing cyber threats that they face.


So come and join the centre as free members and let us help you protect your organisations from the ever-present threats out there in the cyberverse.


Reporting a live cyber-attack 24/7

If you are a business, charity or other organisation which is currently suffering a live cyber attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.


Reporting a cyber attack which isn't ongoing

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime.

You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened.

Action Fraud advisors can also provide the help, support and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).
