Just like the rest of the world, schools and universities are growing more reliant on the cloud and web to function. While these technological advances keep schools on the cutting edge, they also make them more vulnerable to attacks.
- In Japan, a 16-year-old high school student (frustrated with teachers) attacked the Osaka Board of Education server in 2016, knocking 444 schools offline
- Rutgers, Arizona State University and the University of Georgia have all had recent denial-of-service attacks
- A 15-year-old in Australia recently attacked several organizations, including Reynella East College
The examples above highlight the worst-case scenarios for a cyberattack. However, even seemingly harmless attacks (where data isn’t compromised or denied) can be terribly embarrassing. Imagine if a hacker or disgruntled student posted offensive imagery or language on your school’s homepage?
In an age when prospective students can research thousands of schools with a click of a button, falling victim to even the most childish of “pranks” can hurt your school’s chances of attracting new students.
If you can’t protect your website from an attack, why should a student entrust you with their education?
Why are schools so susceptible to attacks?
One of the most common motivations behind attacks on school websites is aggression – by a student – toward a staff member or administration. But students might also hack into a site to attempt to change grades or manipulate the registration process.
And with the widespread availability of free or cheap hacking software and services, students and hackers no longer need specialized skills to cause serious and irreparable harm.
Of course, it’s not just students who are interested in hacking a school’s website. Personal data (from social security numbers to addresses, passwords and more) are housed throughout a school’s database and, these days, on the cloud. Hackers looking to access this information realize that many educational institutions simply don’t have the security resources in place that, say, a Fortune 500 company would have.
In other words, hackers view schools and universities as easy targets.
These cyber-attackers take aim at student portals, admission processing sites, mail servers, and databases that house personal information.
They also target educational platforms like Blackboard and Moodle. Take, for example, a recent attack on Janet, a research and educational network connecting 19 regional universities in England.
How CMSs are making websites more vulnerable
Cyberattacks are an unfortunate reality of the digital world. In fact, compromised data is becoming more and more prevalent with each day:
Roughly 17 million website users in March 2015 were greeted with some form of warning that websites they visited were either trying to steal information or install malicious software.
One year later, that number catapulted to more than 50 million users.
And schools and universities present hackers with the perfect storm: they house scores of sensitive data while often lacking the resources to keep up with the latest security measures.
One of the reasons schools are held back in terms of their security is their choice of CMS.
What is a CMS?
A CMS, or content management system, makes it easy for non-developers to manage and maintain their websites.
There are countless CMS options out there, with the most popular being:
- WordPress (with currently 60%+ market share)
- Magento (popular for eCommerce businesses)
- DNN (our preferred CMS)
While each CMS presents its own approach to security measures, none are foolproof. And, in fact, when a website is hacked, more often than not it’s not the fault of the CMS.
Rather, it’s user error.
The entire purpose of building a website on a CMS is to make it easier to operate a website without the cost and expertise of an in-house developer.
But this user adoption has created an entire legion of unskilled webmasters and service providers who lack the skills necessary to protect virtual data.
In a report focusing on website security in 2016 Q1, Sucuri noted that:
- Of the 11,000+ infected websites analyzed, 75% of them were on the WordPress platform
- More than 50% of those websites were out of date
And that is where the problem exists: have CMS platforms made it too easy to become a webmaster?
CMS platforms like DNN or WordPress do offer regular updates to protect users from security threats. However, these updates often require special care (so as not to disrupt the live site). Rather than seek out the support of a developer, we’ve found many school administrators simply let an update go by without deploying it, which can open their website up to cyberattacks.
To make matters worse, CMS platforms aren’t the only vulnerability to your website. The plugins and extensions you install are just as dangerous.
Plugins/extensions are a way to extend the functionality that exists in a CMS. Developers create these extensions to help users customize their sites to their own needs. These extensions are another entry point into a website for hackers to take advantage of.
TIP: If you don’t regularly update your plugins and extensions, or if you download one from an unknown developer, your website could be at risk.
In Sucuri’s 2016 Q1 report, they found that nearly 10% of the compromised WordPress sites analyzed had a vulnerable version of the popular RevSlider plugin. When you combine the popular WordPress plugins RevSlider, Gravity Forms, and TimThumb, they account for 25% of all compromised WordPress sites.
4 tips to protect your school or university’s website
1. Your passwords
We all like to think of hackers as highly intelligent modern-day mad scientists who spend their lives finding ways to fight through our well-guarded security measures.
The reality, however, is that the most common reason behind a website hack is a simple password that an attacker was able to figure out. To avoid this faux pas, keep in mind the following:
- Any variation of the word ‘password’ (like p@$$worD1) is NOT safe
- Variations of your school name or classes/clubs at your school are NOT safe
- Using the same password for all of your accounts is NOT a good idea
- Require using a combination of letters, numbers, symbols and mixed cases for your website login, hosting (cpanel) and domain registrar
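The rules in this list can be enforced when a password is set rather than left to memory. The following is an added example, not code from the original article: the school name, club name and 12-character minimum are assumptions chosen for illustration.

```python
import re

# Substitutions undone before matching, so "p@$$worD1" reads as "passwordi".
# 1, !, | and l all collapse to "i"; banned words get the same treatment.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "3": "e",
                      "7": "t", "1": "i", "!": "i", "|": "i", "l": "i"})

def normalize(text):
    """Lowercase, undo common substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def check_password(candidate, banned_words, min_length=12):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    problems = []
    if len(candidate) < min_length:  # assumed threshold, not from the article
        problems.append("too short")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, candidate) for c in classes):
        problems.append("needs lower case, upper case, a digit and a symbol")
    flat = normalize(candidate)
    for word in banned_words:
        token = normalize(word)
        # Skip very short tokens to avoid rejecting on accidental matches.
        if len(token) >= 4 and token in flat:
            problems.append(f"contains a variation of '{word}'")
    return problems

# Constructed sample list: the word "password" plus a made-up school and club.
BANNED = ["password", "Riverside", "Chess Club"]

if __name__ == "__main__":
    for pw in ("p@$$worD1", "R1vers!de#Chess9", "Maple-Tractor-92-Lantern"):
        print(pw, "->", check_password(pw, BANNED) or "accepted")
```

Note that the second sample satisfies the character-mix rule and still fails, because the substitutions hide the school name only from a literal string comparison.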
2. Revoking access
Employee turnover is common with most organizations. But schools and universities have even more turnover when you factor in students who no longer attend your school (for whatever reason).
It’s imperative that you revoke access to any student or employee who no longer needs website access. Make access revocation a normal part of the exit process for all students and employees (similar to how former employees must hand in keys, badges, and a company credit card during an exit).
You should also perform periodic audits of your website’s user accounts as an added security measure.
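A periodic audit can be as simple as comparing the CMS user list against the current roster. The following is an added example, not part of the original article: the CSV column names, the sample accounts and the 90-day idle threshold are all assumptions, and the data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample: a CMS user export (column names are assumed).
CMS_USERS_CSV = """username,email,role,last_login
jsmith,jsmith@school.example,Administrator,2024-05-02
mlee,mlee@school.example,Editor,2023-01-15
tgraduate,tgraduate@school.example,Editor,2024-04-28
webvendor,support@vendor.example,Administrator,2022-11-30
"""

# Constructed sample: e-mail addresses of current staff and students.
ACTIVE_ROSTER = {"jsmith@school.example", "mlee@school.example"}

def audit_accounts(users_csv, roster, today, max_idle_days=90):
    """Return (username, role, reasons) for every account that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        reasons = []
        # Account belongs to someone who has left (or was never on the roster).
        if row["email"].strip().lower() not in roster:
            reasons.append("not on current roster")
        # Account is still valid on paper but nobody has used it recently.
        idle = (today - date.fromisoformat(row["last_login"])).days
        if idle > max_idle_days:
            reasons.append(f"no login for {idle} days")
        if reasons:
            findings.append((row["username"], row["role"], reasons))
    # Review privileged accounts first; the sort is stable within each group.
    findings.sort(key=lambda f: f[1] != "Administrator")
    return findings

if __name__ == "__main__":
    for user, role, reasons in audit_accounts(CMS_USERS_CSV, ACTIVE_ROSTER,
                                              date(2024, 6, 1)):
        print(f"{user} ({role}): {'; '.join(reasons)}")
```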
3. Secure those backdoors!
We mentioned earlier that plugins/extensions offer hackers yet another access point into your website and database. Ensuring these additional access points are updated will be one of the biggest steps you can take to protect your site.
However, keep in mind that if you use WordPress as your CMS, many plugins created for that platform aren’t regularly tested or updated. That’s because many developers offer free versions of their plugins. That’s great, in theory, as you don’t have to pay to enhance your site. However, free plugins rarely come with the ongoing upkeep and maintenance needed to ensure all security measures are upheld.
As a result, it’s quite common to hear of a security hole in a WordPress plugin compromising a company’s entire data system.
Other CMS platforms, like DNN (where these plugins are called extensions), prefer to focus on premium extensions (extensions that come at a cost). At the onset, this might be a source of frustration for you; however, developers who make money from their extensions are far more likely to have the resources to not only develop top-tier products, but to offer the ongoing support to ensure each extension remains secure.
4. Don’t automatically turn to the biggest fish in the pond
WordPress’s popularity is actually part of the reason why it’s so susceptible to cyberattacks. With millions upon millions of WordPress sites out there, hackers have a virtual buffet from which they can test out approaches that will breach the system. And when they finally do find a chink in the armor, they gain instant access to scores of websites.
It’s the same reasoning behind why PCs tend to get more viruses than Macs. There are more PCs in use on the planet, making it easier (and more worthwhile) for hackers to do their dirty work.
That’s why we’ve seen a lot of larger institutions, including NASA, Bank of America and several big-name schools (Purdue, Cornell) choose DNN as their CMS platform. With fewer live installs (when compared to WordPress) on the web, DNN is far less likely to be targeted by hackers – it’s just not worth their while.
Make sure you build your website with a security-first approach
When designing or redesigning your school’s website, it’s easy to get caught up in the look and feel of each page (which, of course, is important). But make sure that your developer is comfortable discussing your security options as well.
Whether it’s choosing a CMS like DNN as your platform, or creating a process to revoke access to former students and employees, you’ll want to ensure that security is a centerpiece of your website build from day one.