Cybersecurity is now a major concern for educators all over the world. From primary schools to colleges, hackers have the potential to negatively impact education. Students, parents, teachers and school systems have all been the victims of these attacks and, with more and more learning moving online in response to COVID-19, we must assume this is a trend that is set to continue.
Education authorities are also having to respond to the threat of cyberattacks at a time of budgetary constraints. A survey conducted in the US in January 2020 found that only 20% of IT budgets was devoted to cybersecurity. Taken in the context of the wholesale move online that then occurred in March/April 2020, this amount can be taken to be wholly insufficient.
The most common delivery mechanism for malware during this period has been email. Simple deceptions, such as an email telling a person their system is not up to date, can easily be opened accidentally in the confusion of adapting to lockdown-life. Once the attachment is opened, the virus is unleashed into the system. Educational establishments do not have the same history of dealing with cyberattacks as industry and commerce. Receivers are unaccustomed to getting suspect emails from schools and colleges, and faking emails from these institutions is not difficult.
With educators, ancillary staff and students all working remotely, the threat of cyberattacks has increased in scale, if not sophistication. Universities, especially, have found themselves a prime target for attack. Their systems face attacks from criminals seeking to steal research data, especially in relation to COVID-19.
Apart from budgetary constraints, the main problem faced by educational authorities is that securing devices remotely is considerably more difficult than protecting computers that are on a campus.
In a comparatively short space of time, school districts and education authorities have had to develop entirely new infrastructures to handle the traffic associated with thousands of remote students. Creating a viable online model that is secure has led to the relocation of resources on a grand scale but any change in structure represents an opportunity for hackers.
Not all threats are high-tech and not all cybersecurity responses need to be high-tech. For example, increased use of videoconferencing technology can give non-students access to information that should be protected. The simple fix for this is for the instructor to be cognizant of who is attending and what information they are disseminating during the lesson.
The correct response to the issue is a combination of high-tech and low-tech.
Educational authorities need to address these issues in a cohesive manner. Responses need to be comprehensive, taking into consideration the institution’s needs, goals and challenges. Part of this plan must be the elimination of outdated processes and technology and the consolidation of operations and security teams. Working in this way, the response to the challenge of securing a remote network becomes an opportunity, with the potential for cost savings and greater long-term efficiencies.
Seeing the forced restructuring of educational IT in this way makes it an opportunity. For the new system to give maximum advantage, it needs to have:
A key component of any cybersecurity protocol must be awareness by operators of the threat of an attack. This can be the lecturer considering what information they display during an online lecture or the understanding that students and parents should not click on attachments in unexpected emails.
Other simple, low-tech fixes include ensuring antivirus software and applications are up to date on school-owned devices, ensuring passwords are not used on more than one application, and the regular updating of passwords. The ultimate goal for many institutions is an automated email system that will remove all phishing attacks before they reach the user’s inbox.
Some higher education institutions are employing a cybersecurity technique known as ‘zero trust’. This strictly limits access to their network. The downside is that it requires extensive verification and institutional users must ‘buy-in’ to the system.
Finally, it must be remembered systems are only as vulnerable as the negligence of their users. With more and more of us working, learning and being entertained online, it is no longer just the responsibility of the IT department to safeguard the security of the system. From the vendor, through students and lecturers, to the highest echelons of administration, combating cyberattacks is the responsibility of everyone using the system.
ISO/IEC 27001:2013 Information Security Management Systems (ISMS) is an internationally recognized standard that sets out the requirements for establishing, implementing, maintaining and continually improving IT security within the context of an organization. Compliance with the standard is a clear demonstration to stakeholders that an organization respects the integrity of the data being entrusted to it.
SGS offers a comprehensive range of services to help organizations efficiently and cost-effectively comply with ISO/IEC 27001:2013. Because the standard acts as a framework, its requirements are generic. This means it can be successfully applied to organizations of all sizes and types, from small school boards to large educational establishments.
Learn about SGS ISO/IEC 27001 Services.