Why cybersecurity needs to be a priority for the education sector
Adrian Jones, CEO at Swivel Secure Education institutions need to make cybersecurity a priority. Despite the sector facing major challenges such as a lack of staffing and a lack of funding and resources, cyber attacks are no less frequent or less severe in education. In fact, they seem to be gaining ground in prevalence year-on-year as instances of breaches in schools and higher education are widely reported. In recent years we’ve seen news of ransom attacks causing financial damage – like that on the University of Calgary where the institution allegedly handed over $20k to cybercriminals, and malware attacks causing mass disruption – similar to the disruption which, apparently, caused the Minnesota School District to shut down for a day while IT professionals rebuilt the system. The more worrying breaches are where student safety is compromised. Educational institutions are entrusted to safeguard their students, many of whom are minors, but a weak cybersecurity infrastructure can put them at risk. This was made all too clear when the CCTV in several schools in Blackpool was allegedly breached, and the footage reportedly live-streamed on the internet. It’s an unfortunate fact that, while cybersecurity in education is necessary to protect against financial loss and prevent disruption, it’s also crucial to protect students from harm. Which is why the sector needs to do everything it can to ensure their applications and systems are protected, and work to overcome any challenges. In this article, we’ll look at the current state of cybersecurity in education. We’ll discuss the most common reasons for attack, the highest threats and the main challenges facing the sector to help you understand why cybersecurity needs to be a priority, and how you can make it a priority for your educational institute. Why education is a target for cybercrime There are four key reasons why Education is a target for cybercriminals. With Education venues varying in size, purpose, and stature, the motives for attack can vary too. For example, what might be a common threat for world-renowned Universities/Colleges might not be an issue for schools or school districts. So, institutions need to evaluate the risk and understand what data is vulnerable to unauthorised access. DDoS attacks – Distributed Denial of Service, or DDoS attacks are a common type of attack on all levels of Education venue. This is where the attacker’s motive is to cause widespread disruption to the institute’s network, having a negative effect on productivity. This can be a relatively easy attack for amateur cybercriminals to carry out, especially if the target network is poorly protected. There have been instances of students or teachers successfully carrying out a DDoS attack, with motives ranging from simply wanting a day off, to protesting the way a complaint was handled. Data theft – This is another attack affecting all levels of education because all institutions hold student and staff data, including sensitive details like names and addresses. This type of information can be valuable to cybercriminals for several reasons, whether they plan to sell the information to a third party or use it as a bargaining tool and extort money. The concerning aspect of this type of attack is that hackers can go unnoticed for long periods of time. As was the case at Berkeley, where at least 160,000 medical records were allegedly stolen from University computers over a number of months. Financial gain – Another motive for hackers carrying out an attack on an education institution is for financial gain. This might not be as high a risk for public schools, but with private institutions and Universities/Colleges handling a large number of student fees, they’re a prime target for cybercriminals. Today, it’s usual for students or parents to pay fees via an online portal, often transferring large sums of money to cover a whole term or year of tuition. Without proper protection or preparation on the part of education institutions, this presents a weak spot for cybercriminals to intercept. Espionage – The fourth reason why education is a target for cybercrime is espionage. In the case of higher education institutes like Universities/Colleges, they’re often centres for research and hold valuable intellectual property. Universities/Colleges need to be suitably protected, as it’s thought that scientific, engineering and medical research by UK Universities has been previously compromised by hackers, and with plenty of time and money to fund them professionals are often at the helm of these attacks. With these four motives in mind, the way in which hackers carry out an attack on Education networks can further help us understand how to protect them. How education is targeted JISC’s 2018 Cybersecurity Posture Survey questioned IT professionals within further and higher education. They were asked to name the top cyber threats facing their institutions, and the top three answers give us insight into the most common ways Education networks are breached. Phishing – Phishing scams often take the form of an email or instant message and are designed to trick the user into trusting the source in a fraudulent attempt to access their credentials – whether that’s sensitive student data or confidential research. This type of attack is highlighted as the top threat facing higher education venues, suggesting hackers regularly target the sector using the method. Ransomware/Malware – Also in the top three cyber threats highlighted by the report, ransomware and malware attacks prevent users from accessing the network or files and cause disruption. More advanced forms of this threat can see attackers hold files to ransom. Ransomware or malware typically infects devices using a trojan, a file or attachment disguised to look legitimate. However, some ransomware (like the WannaCry attack) have been shown to travel between devices without user interaction. Lack of awareness – The third threat listed by professionals in both further and higher education is a lack of awareness or accidents. This could be on the part of staff or students who aren’t sufficiently trained to practice good cyber hygiene or accidentally compromise the network. Despite taking on different appearances,
Cybersecurity disconnect poses problem for school technology
An employee study has revealed the education sector is investing in smart workplace technology and seeing better productivity, skills and wellbeing, but that risky behaviour is opening up potential cybersecurity threats. Employees in the education sector are reporting greater productivity, wellbeing and the development of new skills as a by-product of the introduction of digital technology, according to a global study from Aruba, a Hewlett Packard Enterprise company. Our study of 1,096 employees revealed what those in the education sector, both independent and state schools, want and expect from technology, how they rate the performance of their workplaces, and what the priorities for investment should be going forward, as institutions face up to the opportunities and challenges of becoming a digital workplace. Key themes and findings include: · Investment leads to improvement: Two-thirds (64%) of education employees revealed that tech investments had been made in the last year, improving connectivity and allowing staff to conduct their jobs more efficiently. These investments also looked to be paying off: Over seven in ten (74%) reported increased productivity, as well as greater staff well-being (65%) and the opportunity to develop new skills (74%). · Education of the future: Nearly half (45%) of respondents working in private education believe digital technologies are helping foster better collaboration among team members, while state education employees see it as a means to simplify tasks so they can accomplish more during the day (43%). With this in mind, the sector’s desire for more automation within the workplace is perhaps unsurprising – more than two-thirds (68%) of employees across both state and private education agreed that automating tasks would be beneficial for the future of work. · A security disconnect emerges: A worrying disconnect is forming among employees between their understanding of the importance of security, and their willingness to take risks. Just under half (49%) of education employees admit they rarely (if ever) think about cybersecurity, despite 91% acknowledging the importance of cybersecurity when questioned. In addition over three-quarters (76%) believe there is room for improvement in the way connected tech is managed and controlled. The road to a smarter, secure classroom Jonathon Hickey, Operations Director at Crofton School, recently implemented a new wireless network across the school: “Staff are more productive, they can move from class to class without their connection dropping,” he said. “Before, we were limited to three to four classrooms with strong enough wireless connectivity, but now we can turn any room into an IT suite.” In regard to technological innovation, Hickey is optimistic for the future: “We’re just at the tip of the iceberg. The challenge we currently face is to not be content with what we have, but to push ourselves to investigate what other technological innovations we can implement in order to improve the way we teach. Of course, it can be hard for any educator to find the time to think about improvements, but by streamlining processes and enabling a more digital workplace, we can drive greater efficiencies which will free up space in the day to innovate and try new things.” According to Simon Wilson, CTO, UK & I, at Aruba, the education industry has the opportunity to evolve the way teaching is conducted, using enhanced technology in a secure way. He said: “Educators have only just scratched the surface when it comes to tech implementation. Many are seeing improvements and greater efficiency through better wireless connectivity alone but there is so much more they can do – particularly if they want to match the IT experience most children have today at home. “Now that many institutions have invested and built the digital foundations, they have an opportunity to take advantage of children’s natural enthusiasm for using IT and really innovate and challenge the traditional way of teaching. In order for teachers to be able to do so, however, they can’t be shackled by the fear of cyber risk. By implementing automation technology it will provide the assistance and protection educators need to push themselves further.” A CARTA approach to security An autonomous approach to security is increasingly becoming an imperative as mobile and remote working becomes the norm. This new paradigm creates the need for smart digital workplaces that deliver secure and reliable, optimised and personalised experiences that will foster employee creativity, collaboration, and speed, without clunky security systems causing barriers. To succeed, Gartner has recommended a Continuous Adaptive Risk and Trust Assessment (CARTA) approach to security which leans heavily on AI, Analytics and Automation to embrace the opportunities and manage the risks of digital business. This leads to a more productive and more motivated employee, with a greater sense of job satisfaction. To what extent are you prioritising security within your workplace? Take the Digital Workforce IQ assessment to find out. Research methodology A total of 7,000 employees were interviewed in April and May 2018 by Vanson Bourne, an independent specialist in market research for the technology sector. The respondents were from organizations of all sizes, across both public and private sectors, with a focus on the industrial, government, retail, healthcare, education, finance, and IT/technology/telecommunications sectors. Interviews were conducted both online and via telephone using a rigorous multi-level screening process to ensure that only suitable candidates were given the opportunity to participate. Respondents were interviewed in the United Kingdom, Germany, France, the Netherlands, Spain, United Arab Emirates, the United States, Singapore, Japan, Australia, India, Brazil, Mexico, China and South Korea. About Aruba, a Hewlett Packard Enterprise company Aruba, a Hewlett Packard Enterprise company, is a leading provider of next-generation networking solutions for enterprises of all sizes worldwide. The company delivers IT solutions that empower organizations to serve the latest generation of mobile-savvy users who rely on cloud-based business apps for every aspect of their work and personal lives. To learn more about cybersecurity, visit Aruba at arubanetworks.com. For real-time news updates follow Aruba on Twitter and Facebook, and for the latest technical discussions on mobility and Aruba products visit Airheads Social at http://community.arubanetworks.com/