The attackers
Four categories of attackers target English schools, each with different motivations and methods.
Cybercriminal groups (ransomware)
Ransomware groups operate a “ransomware-as-a-service” model, targeting schools for their sensitive data, operational dependency on IT, and historically weak defences.
Nation-state actors
The education sector has been one of the top 3 targets of advanced persistent threat (APT) groups. Nation-state actors usually target universities and research institutions, but schools connected to government programmes are also targets.
Opportunistic attackers
These attack attempts are usually automated and untargeted. They might:
- use scanners to probe for vulnerabilities
- use programs to attack your site with stolen information and passwords (“credential-stuffing”)
- recruit bots to carry out attacks
Insider threats
Insider threats can come from:
- deliberate actions from staff or students
- negligence, from users who don’t recognise ransomware or phishing attacks
- compromised accounts used by external attackers
Business email compromise is a growing threat in this category. It involves attackers impersonating school leaders or suppliers to authorise fraudulent payments.