Schools today have become increasingly reliant on technology to help run their administration and educational programmes. Digital transformation and the growth of the internet have created many more effective ways for schools to work and for students and teachers to communicate with one another.
However, this also brings an increased risk of cyberattack, with cyber criminals using various tactics to exploit vulnerable systems and organisations that make themselves an easy target or fall prey to malicious attacks.
At the same time, the use of mobile devices and cloud services in the workplace has exacerbated an already high threat level of cyberattacks.
In such a high risk environment schools have become far more vulnerable because they have failed to:
Recognise the threat.
Adopt a cybersecurity mindset.
Keep staff informed or educated on the risks.
Adopt a robust approach to safeguarding their technology from attack.
Any organisation that handles personal information must comply with the Data Protection Act 2018 (as amended in accordance with GDPR), which means we all have the right to know how the information held on us is used and to feel confident that it is being protected.
However, some organisations have greater data protection risks than others, and this is particularly the case with schools that collect and store personal information that they must keep secure.
The threat to schools.
Schools are filled with hundreds or even thousands of people on a daily basis: students, teachers, parents, suppliers, contractors, support staff, etc. This means a school will likely process and hold a significant amount of personal data about visitors, students and staff.
Handling this personal information in a safe and secure manner upholds a school's reputation and keeps students and staff happy, and making sure personal information is accurate, relevant and safe saves both time and money in the long term.
Traditionally, student data consisted of things like attendance, grades, discipline records, and health records. Access to that data used to be restricted to school officials.
With the increase in the use of technology in schools, traditional data is now often shared with companies that provide student information systems, learning management systems, and many other technologies utilised in the classroom and schools.
The growth in the availability of tools and apps is making it possible for educators and students to collaborate, create, and share ideas far more effectively than they could ever do before.
When schools use technology, students’ data, including some personal information, is collected both by educators and often by the companies that provide apps and online services.
Educators use some of this data to help them develop learning plans for students and also to maintain information on them.
New technologies introduced to the classroom, from personal computers, mobile devices, apps, websites and software programs to other online services, are used in ways that create new data about individual students that never existed before.
Communications between students and teachers and the history of their online behaviour are now created, collected, and often held by third party educational technology vendors as well as schools.
What is a cyberattack?
A cyberattack is an attempt to disrupt or gain access to an individual’s, or a business’s, IT system or data. Hackers carry out cyberattacks by using various malicious tactics to infiltrate systems and applications.
The majority of cyberattacks are not planned or highly targeted. They are automated and indiscriminate, exploiting known vulnerabilities within commonly used IT systems.
Cyberattacks can be devastating though, disrupting day to day operations, causing considerable reputational damage, and possibly having a direct impact on students and staff if their personal data has also been breached.
Because our world is so much more connected, and those connections are often not properly protected, it is becoming easier to find ways of exploiting the vulnerabilities of computer systems.
It can be done with the brute force of a powerful computer guessing passwords, or by exploiting human fallibility, such as sharing too much information on your social networks or falling victim to a phishing email.
Motives behind cyberattacks:
1. Financial gain
This is the most common motive. If a hacker acquires your passwords and other personal information, or successfully installs malware on your computer, they can commit identity theft.
Using your identity fraudulently, hackers can withdraw money, send fake invoices and sell your information on to other cyber criminals.
2. Forwarding a political or ideological agenda
Many hackers carry out cyberattacks to access and leak data that helps promote their own agendas, or, more commonly, to damage those of others.
Common categories of cyberattacks.
Over time, hackers have developed various methods to achieve their aims.
These are seven of the most common threats that schools need to be aware of:
1. Malware
Malware (i.e. ‘malicious software’) refers to harmful programmes and software that allow hackers to access or destroy data on an infected system.
Email is the most common attack vector for malware: a recent estimate is that 80-90% of ransomware attacks, for example, come via this method.
Hackers often distribute malware by disguising it as a downloadable file, such as a Word document, PDF, .exe file, etc. They usually attach it to emails or offer it through download links on websites in a form that looks legitimate.
In order to infect your system, malware requires you to click and allow the download. When the link is clicked or the document opened, malware is downloaded to the now compromised computer.
Once malware is on your system, the hacker can access your data in numerous ways. For example, they can monitor keystrokes, activate webcams, or remotely take control of your computer. Ransomware is a common form of malware, which encrypts all documents locally, along with all connected backup devices and hard drives, and asks for payment to release the data.
There have been high-profile cybercrime incidents using ransomware, such as WannaCry in May 2017, which affected 200,000 computers in 24 hours, highlighting the indiscriminate nature of such attacks.
2. Phishing
Similar to malware, phishing involves tricking the user into clicking false links to acquire account information, such as passwords, by posing as a person or an organisation known to that user.
It can be conducted via a text message, social media or by phone, but most people use the term 'phishing' to describe attacks that arrive by email.
According to one 2018 study, mobile device phishing attacks are up 85 percent, year-over-year, since 2011, and the reason has to do with the increasing amount of data collected by every site and app visited on your mobile device.
Phishing can also happen over social media, where hacked accounts share links via a status update or private message. This type of phishing is often effective, as users are likely to trust links sent by people they know.
3. Denial of Service (DoS)
A denial of service attack involves the hacker flooding a website with more traffic than the server can handle, which causes it to overload and shut down.
Hackers do this by sending a high amount of connection requests to the site from their own computer, or from others that they have hacked remotely. If they use more than one, it is known as a Distributed Denial of Service (DDoS) attack.
4. Password attacks
Password attacks differ from malware and phishing because they don’t require the victim to do anything, except have an easy-to-crack password.
After a certain amount of trial and error, or through an automated ‘brute force’ attack, a hacker will eventually get your password, although it may take some time.
Many breaches occur because employees reuse passwords for multiple accounts, only to have one of those accounts compromised in a data breach.
Typically, as systems themselves have become harder to penetrate, the hackers have sought out softer targets. The easiest plan of attack has most recently been to target human fallibility, using social engineering to research information, for example from social media, to prepare an attack.
5. Man In The Middle (MITM)
Anyone using public Wi-Fi is especially vulnerable to a man-in-the-middle (MITM) attack, because the information transmitted is generally unencrypted.
A MITM attack is where a third party intercepts communication between two participants. Instead of data being shared directly between server and client, that link is broken by the uninvited guest. The hacker, through a compromised router, will try to retrieve information from your device.
Cyber criminals often create bogus hotspots with a similar or vague name that shows up alongside the authentic networks.
6. Bringing Your Own Device (BYOD)
Allowing a policy of BYOD has made cybersecurity more difficult to manage within schools. There is less security employed to protect personal devices compared to the level of security provided on devices supplied by the school.
While a BYOD policy can help boost productivity, it can also have the opposite effect, since it is easy to lose a device or be distracted. And when a misplaced device provides access to sensitive data and to a school’s network, major issues can arise.
The reality is that by allowing staff to use the same devices both inside and outside of work, devices are more vulnerable and organisations are at higher risk. Bringing your own device raises a number of data protection concerns due to the fact that the device is owned by the user rather than the school.
It is important to use data encryption to make sensitive and confidential information unreadable on a device. This protects against data leaks if devices are stolen.
7. Human fallibility.
Most employees who use unauthorised tools and applications do so without malicious intent, but they are nevertheless introducing security vulnerabilities which are almost impossible to identify.
Although cyberattacks remain the leading cause of data breaches, there are still many security issues that are caused by negligent employees. An employee, for example, may open an email attachment that contains malware and compromise confidential information stored on a computer.
To keep on top of the threat of cyberattacks, staff need to be knowledgeable about the risks and understand the role they play in preventing and flagging up security threats.
A mix of education and training can deliver cybersecurity expertise as well as help to establish a security-conscious culture.
Information security measures.
The level of security employed should reflect the potential harm that could result from a data breach or cyberattack. Procedures should be in place covering how to respond to any breaches, how to access important assets during an attack and what remedial actions to undertake.
Possible security measures for data protection include:
Extra security - "something you have and something you know".
Two-factor authentication, also known as 2FA, is an additional security layer that helps to address the vulnerabilities of a standard password-only approach. A common and effective example of this involves a code sent to your smartphone which you must enter in addition to your password.
Limit the administrative account privileges.
By limiting the number of users who have rights to an administrative account, you limit the risk of compromising an account that could potentially have far more serious consequences in the hands of a hacker. You also limit the chances of staff downloading malicious software that can have an impact across the network.
Remember to keep your devices and software up to date.
Manufacturers release regular updates to fix security vulnerabilities, so apply these updates to maintain cybersecurity.
Memory sticks in particular need serious consideration as they are very easy to lose. You should either avoid the use of memory sticks completely or ensure they are password protected and fully encrypted.
Furthermore, you must ensure that hard drives are erased securely if you are physically disposing of them. A school may need specialist help to ensure the data has been safely removed from old hard drives.
Preventing data security breaches in schools.
Schools must be prepared to prevent breaches of data through the internet, intranet, stolen devices and email systems.
Getting the basics right.
Cybersecurity practices are as important as locking the doors at night after you have left.
To make sure you get the basics right, try to do the following:
Start with adopting safe best practices for working online and managing personal data.
Is internet safety taught as part of the curriculum to students?
Keep on top of software updates.
Adopt strong password hygiene.
If an email looks suspicious, trust your instincts and delete it.
Install antivirus software on your devices to protect against malware.
Inform and train your staff on how to identify potential threats.
Keep your team up to date on the latest threats, but manage the sense of urgency so that staff are not permanently on edge.
Do you monitor or regulate the use of school devices, student chat rooms, etc. in some way?
With the Worktools Tool Secure Plan we've put together a plan around cybersecurity to protect your school from cyber threats ranging from malware to data theft.
Let us help you look after your data, your reputation and legal compliance. As an outside provider Worktools can do initial security assessments and ensure that everything is secure. We can also help create your cybersecurity plan so you know how to respond to an incident.