Last month (17 Sept), the National Cyber Security Centre (@NCSC) issued an alert to the entire education sector over cyber security fears. Prompted by the rising number of cyberattacks being carried out against schools, colleges, and universities, the announcement urged immediate action to ensure data is both backed up and stored offline.
The timely warning came just weeks after both Newcastle and Northumbria Universities were targeted by cyberattacks, with a whole host of additional ransomware attacks also carried out against other academic institutions earlier in the year.
While many of these incidents have been isolated, and other industries have been subject to far worse in terms of size and scale of attacks, there is no ignoring the pattern that seems to be forming.
With the pandemic dramatically accelerating the adoption of e-learning platforms and the use of technology now spanning back into the classroom, educators must address system vulnerabilities as a matter of urgency.
Increased dependence, heightened target
Although the use of technology across the education sector had already been gaining momentum in recent years, the closure of schools, colleges, and universities – as a result of COVID-19 – has resulted in a surge in the adoption of ed-tech.
Not only have institutions been exploring new tools and platforms, they have been relying on them to keep students engaged and encourage home learning. Those that had already invested in robust IT systems have been continuing to build out their resources, while those that had not quickly recognised how important such systems were.
However, this increasing dependence on tech-driven learning solutions has also created new network security challenges for education systems, with over half (54%) of UK universities reporting a data breach to the regulator in the past 12 months alone. In addition, 46% of staff claimed to have had no security training in the last year.
Educate, explain, enforce
Uneducated and under attack, institutions must raise awareness and invest in improving their employees’ cyber security knowledge. Through regular training and testing – such as the use of simulated attacks – it becomes easier for people to identify malicious and suspect activity, including attacks targeting their network.
This makes the support of both parents and educators critical, especially for younger students. Both need to be able to understand and spot the types of behaviour that create risks for children and for home and school networks, in order to ensure they are protected from scams and malicious online activity.
At home, parents must take responsibility for enforcing digital security and coaching safe behaviour online. The same also applies in education institutions. There is no point in enforcing strong digital security at one point of access, only for a hacker to gain access at another point. Wireless networks should be password-protected and secured with encryption. If possible, parents should also consider creating a separate network at home for children to use for e-learning. Schools can then explore similar approaches to minimise wider system exposure.
Smart classroom security
With the full-time reopening of education institutions a top priority, it is likely that the widespread closure of schools, colleges and universities will not occur again, even in the event of a second wave of COVID-19. While parents work to protect remote learning environments, it is just as critical to ensure that any technology being used in a physical environment is also secure.
Many of the new technologies being installed in education settings are Internet of Things-connected devices such as smart boards, 3D printers and projectors. As such, they are inherently less secure than traditional computer hardware, which makes them a much easier target for cybercrime. Each time one of these new devices connects to the education institution’s network, a new threat vector becomes available to hackers.
In order to ward off unwanted attention, educators must prioritise the security of any new – and existing – devices connecting to their network. A natural first step is ensuring the factory-provided password on each piece of technology has been changed. Another risk comes from failure to update firmware or software. Since smart devices usually require updates at different times, and running those updates requires the devices to be offline, software and firmware updates are not always completed. This leaves any newly discovered security vulnerabilities unaddressed, allowing cybercriminals to potentially take advantage.
As the education sector continues to adopt more tech-driven learning solutions, there will be a greater number of weaknesses for malicious actors to discover and exploit. This shouldn’t, however, stop schools, colleges and universities from innovating. Instead, they should stay vigilant, focus on good cyber hygiene practices and ensure classrooms remain secure both on and offline.
Rodney Joffe, SVP and Fellow, Neustar