By Mark Orchison and Olaf van Tol
As schools and universities have had to move their teaching online in response to the Coronavirus, their reliance on IT systems has increased and a series of data protection and cybersecurity risks have emerged. We’ve outlined the important points to be aware of in a new school year and the steps you can take to mitigate new threats.
Most schools we work with have strong IT security and data protection policies in place with a dedicated team to support the on-site IT systems. However, with recent campus closures and resulting working-from-home and learning-at-home, a large portion of their IT systems is now out of the school’s control. When students and staff are not on a school network, using a school internet connection, on a school managed device, the protections inherent to school IT systems (for example, network firewalls, network monitoring, email scanning, virus protection, the forced push of security updates and other management controls) are significantly compromised.
Many organisations quickly implemented new IT systems in response to the pandemic, often consisting of additional tools to support video conferencing and working from home or new learning tools to deliver or enhance virtual learning. The selection and implementation of these systems were in many cases guided by the need to act quickly and ensure continuity of education. In some cases, there wasn’t enough time to carry out the same level of data protection and information security scrutiny as there would otherwise have been.
Cybercriminals are busy exploiting this dramatic shift in the IT landscape and are finding new avenues of attack. The FBI and Interpol have both reported an increase in digital crime. In April the FBI saw a 400% increase in cybercrime reports. Jurgen Stock, of Interpol, reports “Cybercriminals are developing and boosting attacks at an alarming pace […] Exploiting fear and uncertainty caused by the unstable social and economic situation created by COVID-19.” What is certain though is a heightened need to understand the means and tactics deployed by cybercriminals.
Tactics used by cybercriminals
We have seen a recent increase in the following attacks on the schools and universities we work with:
- Fee fraud—cybercriminals impersonate the school and contact parents to encourage them to pay discounted tuition fees upfront. They then attempt to claim a refund from the school by taking on the identity of the fee-paying parent.
- Malware attacks—attackers use a variety of methods (e.g., the school’s website, calling and pretending to be a prospective family member, or searching the internet for students or staff associated with the school) to gain information about the school’s approach to distance learning and to identify specific students or staff members who are distance learning. They then contact the student or staff member online, sometimes using a fake social media profile, to gain their trust and identify other students and staff who are distance learning. Finally, the attacker sends the individual an attachment that allows their device to be compromised with malware. This enables attackers to obtain sensitive data and identify vulnerabilities in the school or university network (once the victim’s device is connected to the network again). Attackers can benefit from these tactics in several ways:
- Threaten disclosure of data or disruption to educational provision to extort money from the individual
- Block the school or university’s access to data until they pay a ransom
- Sell stolen data on the dark web
The impact of cyberattacks
The damage caused by cyberattacks on schools and universities is far-reaching and can include, for example, the following financial and reputational losses:
- A cyberattack is, in many cases, a data protection breach which would need to be reported to the relevant authorities. This can result in fines and/or reputational damage as the breach becomes public and potential victims need to be informed. See this example: GDPR breach at EU universities.
- The damage from unlawful disclosure of sensitive data by cybercriminals can be significant. A recent attack on a university highlights the potential damage of a cyberattack. In this case, the data itself was not at risk because backups could be used to restore the data that had been locked (encrypted) by attackers. Despite this, the institution still paid the ransom to prevent the criminals from publicly disclosing the data.
- Cyberattacks frequently disrupt the school or university’s ability to deliver virtual learning. This can give rise to fee discounts or the loss of current and/or prospective families—not only in this academic year but in the future when prospective families are likely to be more attracted to schools that can demonstrate an effective distance learning plan.
Remember that if you are under a privacy regulation such as the GDPR (EU), PDPA in Thailand, LGPD in Brazil and POPIA in South Africa, you are legally required to identify any data protection risks associated with distance learning and put in place mitigating actions to reduce the risk of occurrence.
Steps to mitigate and manage risks
“Education leaders need to ask themselves this question: How long would it take a criminal hacker to compromise and take control of my computer systems or data? It takes 9ine’s ethical hackers less than four man-hours of effort to significantly compromise a school IT system. Schools are seen as easy targets by criminals—they need to audit their security defences and have confidence they are less likely to be a victim.”
To help you prepare to deal with these new developments we can recommend the following steps. Of course, the exact steps to follow will depend on your organisation and its context.
- If you were not able to carry out robust reviews and impact assessments at the time, then schedule a review of all the IT systems that have been added or updated in response to the Coronavirus. Share and review the outcomes with a multi-disciplinary team and complete a written risk assessment setting out current data protection and cybersecurity risks and put in place mitigating actions to reduce these risks. Consider insuring against the risks that cannot be (fully) mitigated.
- Mitigate against cyberattacks by checking with your IT team that the following steps have been taken:
- The school network is configured so that only students can connect to the student wireless network (service set identifier, SSID). Each SSID is segregated and the network is segmented via virtual local area networks (VLANs).
- The school holds an inventory of all network assets, and the IT team can account for every active component. Each component is protected by its own complex password; passwords are not shared between components.
- Every network device and all computers have regular and documented security patches applied.
- Administrator access for staff devices is disabled and staff are not allowed to install their own locally run applications.
- The primary cloud platform—usually Google or Office 365—has been configured in line with security best practices. Have this evidenced in your documentation.
- Stress test your systems against the various likely cyberattack scenarios with your leadership team.
- Raise awareness across your whole organisation and schedule regular refreshers. Organisation-wide awareness of the risks of cybercrime and the most common attack scenarios are vital to reducing the exposure to these threats. Card games like 9ine’s ‘Go Phish’ can be helpful when delivering cyber training to your community.
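The network checklist above (asset inventory, unique credentials, current patches, no local admin on staff devices, VLAN assignment) can be checked mechanically against an inventory export. The following is an added example, not code from the article or from 9ine; the inventory records, the 30-day patch threshold and the vault-reference field are constructed assumptions.

```python
"""Audit a constructed network asset inventory against the checklist:
every active component is on record with its own credential, patches are
recent, staff devices have no local admin, and every asset sits on a VLAN."""
from datetime import date

# Constructed sample inventory (not real data). 'credential' is a reference
# to a password-vault entry, never a plaintext password; two assets sharing
# one reference are sharing a password.
INVENTORY = [
    {"name": "core-switch-1", "type": "switch", "vlan": 10, "credential": "vault:sw-1",
     "last_patched": "2020-08-20", "local_admin": False},
    {"name": "ap-block-b", "type": "ap", "vlan": 20, "credential": "vault:sw-1",
     "last_patched": "2020-03-02", "local_admin": False},
    {"name": "staff-laptop-7", "type": "staff", "vlan": 30, "credential": "vault:lt-7",
     "last_patched": "2020-08-25", "local_admin": True},
    {"name": "printer-lib", "type": "printer", "vlan": None, "credential": None,
     "last_patched": "2020-08-01", "local_admin": False},
]

MAX_PATCH_AGE_DAYS = 30  # assumed threshold, not taken from the article


def audit(inventory, today):
    """Return a list of (asset, finding) tuples; empty means every check passed."""
    findings = []
    seen = {}  # credential reference -> first asset that used it
    for a in inventory:
        if a["credential"] is None:
            findings.append((a["name"], "no credential on record"))
        elif a["credential"] in seen:
            findings.append((a["name"], f"shares password with {seen[a['credential']]}"))
        else:
            seen[a["credential"]] = a["name"]
        age = (today - date.fromisoformat(a["last_patched"])).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append((a["name"], f"last patched {age} days ago"))
        if a["type"] == "staff" and a["local_admin"]:
            findings.append((a["name"], "local administrator access enabled"))
        if a["vlan"] is None:
            findings.append((a["name"], "not assigned to a VLAN"))
    return findings


def audit_sample():
    """Run the audit over the constructed inventory as of a fixed date."""
    return audit(INVENTORY, date(2020, 9, 1))


if __name__ == "__main__":
    for asset, finding in audit_sample():
        print(f"{asset}: {finding}")
```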
Resources and support
- CIS members can sign up for our virtual Data protection, Cybersecurity & Safeguarding Workshop 16–18 September where these issues will be discussed in more detail. New workshop content is based on recent case studies and specific issues that have arisen as a result of the Coronavirus.
- Contact firstname.lastname@example.org to arrange cyber training using Go-Phish with your staff or to learn more about 9ine’s Security & Systems services.
- Register for a demo or free trial of 9ine’s data privacy and protection platform providing school leaders, boards and governing bodies with a comprehensive, real-time analysis and benchmark of their compliance in the areas of data privacy and protection, security & systems, IT management and safeguarding. Learn more at app.9ine.com
Mark Orchison is Managing Director, 9ine Independent Tech and Compliance Specialists in Education. Olaf van Tol is IT Systems Manager at CIS.