Over the last few months, there have been a number of cyberattacks and/or threats on schools across the country. Education providers are increasingly becoming a tempting target for adversaries, ranging from nation-state threat actors in search of intellectual property to common cyberthieves looking to make some easy money.
The security challenges of schools
The modern classroom’s foundations consist of IoT devices that enable collaboration and growth. However, while this undoubtedly brings a plethora of benefits and allows students to learn in various ways, it also leaves schools, students and teachers particularly vulnerable to cyberthreats.
To add to the already complex challenges associated with cybersecurity in schools, we’re in a pandemic, which saw students and staff migrate to digital classrooms in a matter of days in some cases. This means laptops and other devices will have been purchased and configured in a rush and cloud services rapidly scaled up with security often an afterthought when there’s so much urgency (and wrongly so).
The insider threat
An insider threat comes from within an organisation – often in the form of employees, however in the case of schools, students and teachers can be insider threats (often unintentionally and with no malicious intent).
Many students use their own personal devices at school, including laptops, tablets and smartphones, meaning there are a myriad of endpoints connected to a network. If these endpoints are unsecured or unpatched, they automatically present a vulnerability without the user doing anything. And, with students having limited security awareness and training, they’re easy prey for attackers looking to breach a school’s security infrastructure.
All it takes is one small crack in the school’s security – a security feature turned off on a device, an undetected port, an insecure password, a click on a malicious link, etc. – and the attackers are in.
Once they’re in, attackers can access highly sensitive information relating to staff and students. This could include addresses, medical details and other personal information that schools will have on their internal systems. Alternatively, the cybercriminals can encrypt the organisation’s files, promising to send the decryption key once a ransom has been paid, granting the attacker a nice pay-cheque.
Strengthening schools’ online perimeters
At Sophos, we recommend large organisations regularly review and update their IT security infrastructure to ensure they’re protected – that same recommendation extends to schools.
Here’s a checklist on how schools can ensure their network is safe.
With IoT devices so ingrained in modern classrooms, schools should look to implement a cyber-awareness curriculum that is a part of day-to-day learning – similar to what is offered by Services Australia. This will ensure everyone understands the importance of getting the basics right (such as having a strong password and not clicking on suspicious links), which will improve the school’s cybersecurity. More importantly, it will provide students with a platform to build broader IT/cybersecurity skills which are critical in the modern workplace.
Cybercriminals are increasingly seeing value in targeting the education sector and looking to exploit the impacts of the pandemic. Fortunately, there are practical steps and measures cybersecurity teams can do to strengthen their defences, however it’s important to develop a culture of cyber-awareness among students (which can be achieved through the implementation of a cyber-awareness curriculum), so they can carry it with them and ensure Australia’s future is secure.