by Mark Anderson
With the schooling year well underway and universities fast approaching examination periods, Australia’s education sector is well and truly buzzing. This hive of activity has meant an increasingly large number of digital devices, platforms and applications are being used across the sector to enable learning and collaboration.
The COVID-19 pandemic has been a major driver of this uptake, with education institutions in Australia and around the world accelerating their digital transformations to embrace the hybrid world. However, the growing digital footprint of technologies also makes them prime targets for cyber attackers.
A quick look at Microsoft’s Security Intelligence website shows education is the industry most affected by malware globally – and by a big margin. Our data shows that more than 6.5 million devices we track across the education sector encountered malware in the past 30 days. This represented more than 80 per cent of all devices that encountered malware.
Interestingly, we have also found that Australia’s education sector is targeted significantly more often than others around the world.
Malware is a term used to describe malicious applications or code that can damage or disrupt the normal use of endpoint devices. Cybercriminals often use malware for their own financial gain by obtaining banking details, collecting information that can be sold, or selling access to computing resources. They also use it to threaten victims by destroying or blocking access to critical data or systems unless a ransom is paid – known as ransomware.
The recent ransomware attack on Queensland University of Technology, which resulted in thousands of staff and students having their personal data compromised, highlights how damaging this type of malware can be to Australia’s education institutions. And according to the Australian Cyber Security Centre (ACSC), the sector with the most reported ransomware incidents during the year to June 2021 was – yep, you guessed it – education and training, which accounted for 11 per cent of all ransomware-related cybercrime.
Of course, there are many other types of malware attacks that the education sector needs to be aware of, including phishing, spyware, rootkits and viruses. One that’s particularly hard to detect and remove is fileless malware. This type of malware doesn’t rely on files to breach a network and essentially lives in the memory of hardware. Fileless threats can even survive hardware reboots, disk reformats and operating system reinstallations.
Simple steps for building cyber resilience
While malware poses a significant threat, there are several measures institutions can take to effectively respond to and recover from these types of attacks – and ideally prevent them from happening in the first place.
One is to practise basic cybersecurity hygiene, a set of standards every organisation should adopt as a baseline for their overall cybersecurity strategy. The Microsoft Digital Defense Report 2022 found that basic cyber hygiene protects against 98 per cent of all types of cyberattacks. The strategy includes:
- Enabling multifactor authentication: This adds a layer of protection during the account sign-in process by asking users to verify their identity with another ‘factor’ beyond their username and password. It could involve entering a one-time passcode or using biometrics like fingerprint or facial recognition technology.
- Applying Zero Trust principles: Verify explicitly, use least privilege access and assume breach – these are the three guiding principles of the Zero Trust security model. Educational institutions that apply these principles will be able to better protect their identities, devices, data, apps, infrastructure and networks.
- Using extended detection and response anti-malware solutions: Educational institutions can rapidly scale their security operations by deploying software that’s able to detect and automatically block attacks, remove malware from infected devices and generate valuable insights into cyber threats. For example, the Queensland Department of Education integrated Microsoft Defender for Endpoint across its 257,000 shared devices and 14,000 servers in six weeks. The solution is giving the department better endpoint protection and a higher level of cyber intelligence.
- Keep systems up to date: Microsoft’s latest Digital Defense Report notes that unpatched and out-of-date systems are one of the main reasons why many organisations are falling victim to malicious cyberattacks. That’s why it’s crucial to not only keep antivirus solutions updated with the latest version, but also firmware, operating systems and applications.
- Protect data: Organisations should know where their important and sensitive data is located, and who has access to it. This will help them implement suitable protections, such as sensitivity labels, data loss prevention policies and information barriers.
In addition to adopting these basic cyber hygiene practices, I’d strongly encourage educational institutions to become familiar with the ACSC’s Essential Eight security guidelines. As I highlighted in an earlier blog post, implementing one or more of these controls can go a long way towards preventing cybersecurity incidents.
It’s also important for educational institutions to have an incident response plan in the event of a malware attack, as they would for a fire or natural disaster. This will prepare them for different scenarios and guide them on the appropriate course of action to quickly and safely recover from an attack.
A great example of an incident response plan in action was RMIT University’s speedy reaction to a malware attack in February 2021. The attack impacted trust in the university’s on-premise IT infrastructure, but it still needed to remain operational. By leveraging Microsoft Intune and the firmware used in Microsoft Surface devices, RMIT was able to provide a secure and compliant environment for staff to keep working while the university recovered from the attack.
Approaching cybersecurity in a challenging economic environment
Finally, I’d like to note that chief information security officers, like many leaders, are under pressure to contain costs and resources even as the frequency and severity of malware attacks continues to grow.
This is a difficult challenge to work through, but I do believe the current environment presents a great opportunity for the education sector and other organisations to become more resilient by focusing on maximising the value of their cybersecurity investments.
Whether that involves simplifying vendor management, reducing threats with AI and automation, or improving the efficiency of security operations, taking a ‘doing more with less’ approach can significantly boost defences against malware and other cyberattacks.
Cyber security really is a team game. It’s not about who’s getting there first, it’s about collaboration. Everyone has a role to play in keeping our nation safe from threat actors and fostering a cyber smart culture in Australia – From the citizen to the CEO. The education sector is unique in that it reaches Australian homes, as well as our businesses, so it’s very much a critical sector to get right when it comes to cyber security.
Mark Anderson is the National Security Officer at Microsoft Australia and New Zealand