The risk of a cyber-attack is now widely recognised by top executives as the greatest threat to their companies, more so than talent acquisition, for example. The corporate sector is investing huge sums of money to improve the situation.
Education is the most vulnerable target for cyberattacks, with one report from Microsoft’s Global Threat Activity across one month showing that it accounted for just over 80% of all attacks.
Meanwhile, the recent cyberattacks on the Ukraine by Russia prompted National Cyber Security Centre, the government’s advisory body on computer security threats, to urge schools to boost their online defences.
“… it is all too easy for hackers to compromise wifi and even set up their own rogue hotspots that look genuine” – Jonathan Whitley, WatchGuard Technologies
“While we have always known that education was a key target for cybercriminals,” says Jonathan Whitley, vice president for UK and Northern Europe at WatchGuard Technologies, “these stats are a wake-up call for those in charge of IT and security.”
With limited budgets and staffing constraints, how will schools and K12 institutions cope?
What kinds of risks are schools facing?
The single biggest threat to schools is ransomware, which is malicious software (malware) that encrypts the users’ files, preventing them from accessing them and demanding money for their release.
“The issue of cybersecurity has been a growing concern for schools for many years,” says Dave Presky, head of computing at York House School in Hertfordshire. “Throughout this time, phishing attacks [where the hacker poses as a trusted source] focused on school emails have become increasingly common. Those with malicious intent often seek to exploit vulnerabilities within school systems, keen to obtain data.”
The phishing emails lead to the encryption of data followed by the demands for money in exchange for its recovery. This is something that could affect teachers, pupils and parents.
Just how common this occurrence is was highlighted in a report by software security company Sophos – 2022 state of ransomware report – which showed that 64% of higher education and 56% of “lower education” organisations were hit by ransomware in the last year.
While not all security hacks manage to uncover details of bank accounts, credit cards and social security details, for example, a number of cyber-attacks of this nature have stolen details such as names, gender, contact information, emails and addresses.
“It’s not just about data and personal information,” adds Jonathan Lee, UK director, public sector relations, Sophos. “In 2018, live video footage from three schools in Blackpool was posted on a US website that allowed people to view unsecured CCTV cameras – a particularly worrying example of how stolen content can end up where one least expects it, and a reminder that a cyber-attack can have even more dire consequences if it features children under the age of 16.”
Remote learning risks
With the move to remote learning, accentuated by the pandemic, there has been a growth in personal and unmanaged devices connecting to education networks. “These devices may be shared with other family members,” explains Whitley, “so if they are compromised, or already infected with malware and then reconnected into the school environment, that could lead to a cyber-incident or potential breach.”
Other attacks include account takeovers, where, through phishing, spyware or malware, a fraudster poses as a genuine customer/service provider and makes unauthorised transactions because they have secured access your emails and files on the cloud.
“All staff should be made aware of the real threat to schools” – Dave Presky, York House School
Another front to fight against are DDoS (distributed denial of service) attacks. These incursions target websites and networks to try to cause a shutdown and cause disruption, rather than a data breach.
Whitley explains how DDOS can pan out: “Domain spoofing is a type of phishing attack where hackers register website domains similar to legitimate sites to trick users into a scam, while software and IT appliances that don’t get the necessary patching, upgrade and maintenance can be a source of vulnerabilities.”
Going forward, Whitley believes that IT managers will need to “focus on proactivity and strengthening their infrastructure to head off ambitious attackers”.
He adds: ‘Patching is key, as is investing in sophisticated solutions and educating both staff and students.”
While not technically a security threat, cyberbullying can lead to breaches. As Whitley explains, cyberbullying can turn into ‘doxing’ where the bully breaks into the accounts (email, social media, etc) of the victim “to publish their personal information or use malware to gain access to their location or other sensitive information”.
As a measure of how widespread cyberbullying is, a UNICEF report identified that a third of young people between the ages of 13 and 24 have been victims of it.
How should schools approach cybersecurity?
Awareness and training are, naturally, at the heart of dealing with and mobilising against existential threats, and lack of training can lead to dangerous blind spots.
“Teachers and students aren’t always properly trained to use the tech at their disposal safely,” says Lee, “for example, attackers often use phishing to infiltrate university networks and navigate their way around, undetected, in search of the information they perceive to be of the highest value.
“Often, this information is then sold or published on the dark web, which makes staff and students vulnerable to further crimes like identity theft.”
Presky agrees that staff training is a key element to a secure workplace. “All staff should be made aware of the real threat to schools,” he says, “to ensure everyone is aware of common techniques and that, as a school, we are a target.”
With the move to remote learning… there has been a growth in personal and unmanaged devices connecting to education networks
A skills gap cannot be overcome without resources, of course, and limited budgets are a huge hurdle for schools.
“With that in mind,” says Lee, “their best course of action is to turn to managed detection and response services [ie remotely operated] to manage threat-hunting and protection for them. Through such services, schools can benefit from an expert team serving as an extension of their own staff, at a time when hiring internal cybersecurity specialists is extremely challenging when competing with the private sector. This then allows schools to focus resources and budget on core areas such as teaching and learning.”
While one option may be to outsource/delegate, some schools are holding the line with a raft of in-house measures to combat cyber threats.
“Well implemented and maintained firewalls and web filtering act as a first line of defence against such ill intent,” notes Presky. “The proactive management of school email settings also adds additional layers of protection. Restricting communications with outside domains or flagging such content to users is a useful way to indicate unusual or uncommon activity.
“Internal monitoring systems, such as Impero, can also act as an extra layer of security, with the ability to flag suspicious listed keyword alerts.”
Whitley believes that a “layered” approach to cybersecurity is vital.
“While every network needs a strong network firewall,” says Whitley, “they also need a full arsenal of scanning engines to provide visibility, threat intelligence and protection against spyware and viruses, malicious apps, data leakage and unknown zero-day threats. Having additional capabilities to block websites, emails or files that can lead to vulnerabilities and incidents provide greater protection against threats.”
On the issue of passwords, Whitley suggests multi-factor authentication (MFA), a security system that requires more than one method of authentication to verify the user’s identity for a login or other transaction such as a one-time password sent to a mobile phone.
Another key weapon in the cybersecurity armoury of a school or college is to provide a TWE (trusted wireless environment).
“We often don’t think twice about connecting to an unsecured wifi network to check emails and social media,” says Whitley, “but it is all too easy for hackers to compromise wifi and even set up their own rogue hotspots that look genuine.”
Help is at hand
There are a number of places where schools can go to check on their respective levels of cybersecurity and to get pointers for improvement.
The National Cyber Security Centre, for example, is a hub for tips, toolkits and guidance.
Specifically geared towards the under-18 age group is Keeping Children Safe in Education (KCSiE) – a requirement for schools and colleges to do all they reasonably can to limit a child’s exposure to risks from the school’s or college’s IT system.
“As part of this process,” Whitley explains, “they [the schools] need to ensure that they have appropriate filters and monitoring systems in place. It is noted, however, that educators should be careful that ‘over-blocking’ does not lead to unreasonable restrictions as to what children can be taught with regards to online teaching and safeguarding.”
Staying alert, staying accessible
When it comes to staving off cyber threats, it’s important that everyone is in the loop about possible risks and the ways to avoid and deal with them.
“As students progress through their educational journey, greater independence can come with greater risk,” says Presky, adding, “it’s essential that we, as educators, foster a culture where students feel able to approach staff with any concerns on this topic.”
You might also like: 18 top tips on how to improve cybersecurity in your school