Cyberthreats in education sector growing, says NTT report

K-12 schools in America face various application security threats but can take steps to guard against cyberattacks, NTT research finds.

Accelerated online learning environments and increasing rates of ransomware and phishing attacks against K-12 schools in America are creating unique cybersecurity challenges for the education sector, according to the September 2021 “AppSec Stats Flash” report from global technology provider NTT.

The report found three key takeaways: 

  1. Applications within the Education Sector Have a 57 Percent Window of Exposure (WoE) Rate: WoE represents the amount of time that an application has a serious vulnerability that can be exploited to cause data breaches, NTT stated. The education sector’s WoE rate is improving, and this can be attributed to the fact that many schools are focused on fixing vulnerabilities within their web applications. Also, education has one of the best WoE rates (less than one month) across all sectors.
  2. Information Leakage Is the Most Common Vulnerability Among Schools: Information leakage ranked first in terms of vulnerability classes identified between June 1, 2021 and Sept. 1, 2021, followed by insufficient session expiration, cross-site scripting, insufficient transport layer protection and content spoofing.
  3. On Average, It Takes Approximately 206 Days to Fix a Critical Vulnerability in Education: It takes an average school about 206 days to fix a critical vulnerability, NTT reported. In addition, the remediation rate for critical vulnerabilities is 34 percent; comparatively, this rate is 46 percent across all industries.

An NTT spokesperson said: "Our Application Security research team focused on cyberthreats targeting education applications as security concerns in that sector continue to grow. Accelerated online learning environments due to the pandemic and considerable rates of ransomware and phishing attacks against K-12 schools have increased focus on the unique cybersecurity challenges these organisations face.

"According to a report released by the K-12 Cybersecurity Resource Centre during the calendar year 2020, the K-12 Cyber Incident Map catalogued 408 publicly-disclosed school incidents, including student and staff data breaches, ransomware and other malware outbreaks, phishing attacks and other social engineering scams, denial-of-service attacks, and a wide variety of other incidents. This is 18 percent more incidents than were publicly-disclosed during the prior calendar year and equates to a rate of more than two incidents per school day over the course of 2020."

The report concluded that organisations in the education sector are hyper-focused on fixing critical vulnerabilities within their critical web applications. This approach seems to be working, as the sector’s otherwise stable Window of Exposure metrics are now improving, but cybersecurity remains a top concern for organisations across the education sector.

NTT said there are many things that schools can do to guard against application security vulnerabilities, including:

  • Tracking application security vulnerabilities.
  • Educating their software teams to eradicate vulnerabilities from their applications.
  • Monitoring the average time to fix critical and high-severity vulnerabilities.
  • Exploring ways to improve WoE and the overall security posture of applications.
