Cybercriminals are targeting schools, it’s time to lock them out


Over the last few months, there have been a number of cyberattacks on, and threats against, schools across the country. Education providers are increasingly becoming a tempting target for adversaries, ranging from nation-state threat actors in search of intellectual property to common cyberthieves looking to make some easy money.

The security challenges of schools
The modern classroom’s foundations consist of IoT devices that enable collaboration and growth. However, while this undoubtedly brings a plethora of benefits and allows students to learn in various ways, it also leaves schools, students and teachers particularly vulnerable to cyberthreats.

To add to the already complex challenges associated with cybersecurity in schools, we’re in a pandemic, which saw students and staff migrate to digital classrooms, in some cases in a matter of days. This means laptops and other devices will have been purchased and configured in a rush, and cloud services rapidly scaled up, with security often (and wrongly) treated as an afterthought amid so much urgency.

The insider threat
An insider threat comes from within an organisation, often in the form of employees. In the case of schools, however, students and teachers can be insider threats (often unintentionally and with no malicious intent).

Many students use their own personal devices at school, including laptops, tablets and smartphones, meaning there are a myriad of endpoints connected to a network. If these endpoints are unsecured or unpatched, they automatically present a vulnerability without the user doing anything. And, with students having limited security awareness and training, they’re easy prey for attackers looking to breach a school’s security infrastructure.

All it takes is one small crack in the school’s security – a security feature turned off on a device, an undetected port, an insecure password, a click on a malicious link, etc. – and the attackers are in.

Once they’re in, attackers can access highly sensitive information relating to staff and students. This could include addresses, medical details and other personal information that schools will have on their internal systems. Alternatively, the cybercriminals can encrypt the organisation’s files, promising to send the decryption key once a ransom has been paid, granting the attacker a nice pay-cheque.

Strengthening schools’ online perimeters
At Sophos, we recommend large organisations regularly review and update their IT security infrastructure to ensure they’re protected – that same recommendation extends to schools.

Here’s a checklist on how schools can ensure their network is safe.

  • Implement an intelligent, layered security solution. Ideally, this is a solution that has proactive and reactive protection and detection capabilities; whose different parts communicate with each other to give your team greater visibility into the security posture of the network at any time; and which offers an automated response to threats rather than just sharing a mountain of event logs for the IT security team to wade through.
  • Ensure that all data travelling from server to server across the network is protected.
  • Patch early, patch often. Patch updates often address known vulnerabilities, so by ensuring all devices are using the latest software updates, the organisation will be more secure.
  • Have robust access controls for anyone connecting to the network. Apply the principle of “least privilege required” so stolen credentials cannot be used to move around the network.
  • Consider working towards a “zero-trust” model. The principle of zero-trust is exactly what it says: nothing is assumed, and every access, transaction or device is required to validate itself upon every interaction.
  • Educate staff and students as to how they can keep themselves and the data they hold secure. This should include phishing simulation tests to show them what a phishing email looks like.
  • Test your defences regularly.

With IoT devices so ingrained in modern classrooms, schools should look to implement a cyber-awareness curriculum that is a part of day-to-day learning – similar to what is offered by Services Australia. This will ensure everyone understands the importance of getting the basics right (such as having a strong password and not clicking on suspicious links), which will improve the school’s cybersecurity. More importantly, it will provide students with a platform to build broader IT/cybersecurity skills which are critical in the modern workplace.

Cybercriminals are increasingly seeing value in targeting the education sector and looking to exploit the impacts of the pandemic. Fortunately, there are practical steps and measures cybersecurity teams can take to strengthen their defences. However, it’s important to develop a culture of cyber-awareness among students (which can be achieved through the implementation of a cyber-awareness curriculum), so they can carry it with them and ensure Australia’s future is secure.