Schools ‘more vulnerable' than companies to cyber attacks

Schools ‘more vulnerable

For the second time in less than a month, a global cyberattack has crippled computer systems across multiple continents.

The latest ransomware attack – called ‘GoldenEye’ – struck across the globe yesterday, taking down servers at Russian oil giant Rosneft and computers at multinational businesses, including the Australian offices of a global law firm.

The way the malicious software works is by encrypting computer files and demanding a ransom in the ‘virtual currency’ bitcoin before access is restored.

With some schools enrolling thousands of students across multiple campuses, this is an issue that school principals should have on their radar, say cybersecurity experts.

Professor Gernot Heiser, a cybersecurity expert from the University of NSW, told The Educator that schools are just as vulnerable – if not more so – than companies.

“Schools don’t tend to have professional IT staff with a deep understanding of security issues, although a number of schools doubtlessly have teachers who understand IT and the associated security issues,” Heiser said.

“While vulnerable, schools are probably not particularly high-value targets, which means that the risk is probably somewhat less – the pros go for where the gains are biggest. But anyone can be the target of vandals.”

So how can principals drive better cybersecurity education?

Heiser said schools are in a similar position as many companies and organisations in terms of the lack of skills to face cyber threats.

“However, schools have an incredible asset in the form of smart kids. Many of them are very fast in understanding IT problems,” he said.

“And the best aren’t necessarily the academic top performers. I think the main challenge as well as opportunity for schools is to channel their talent pool.”

Heiser said that while schools should let students play and experiment, they must provide the right supervision and guidance to lead them in the right direction.

“For example, get them to understand the flaws, but instead of using their insights to subvert the system, get them to help improve it,” he said.

“That’s not easily done, but it’s possible. I’m a professor and internationally well known for my work, but I learned a lot from my students over the years. It’s an incredibly powerful resource for those who know how to harness it.”

A renowned information security expert says cybersecurity education is lacking in schools as the public remains divided over who should be responsible for such training.

Nick FitzGerald, senior research fellow at ESET, a global IT firm based in Slovakia, told The Educator that there is an urgent need for trained cybersecurity staff in schools, many of which lack this kind of specialist teaching.

“There are very few teachers who are specialised in cybersecurity education, and this is an issue in itself because this kind of education is important in a digital world,” he said.

Dan Slattery, senior information security analyst at Webroot, which provides threat intelligence services, said unless those caught in the ransomware attack have sophisticated policies in place, it is likely that ransom will be paid.

“Ransomware’s business model is proven to work, and this ongoing issue demonstrates that no matter how reputable or confident a company is with their security policies, they are still vulnerable and at risk,” he said.

“While it’s understandable that businesses want to pay the ransom to get their files back, the reality is that there is no guarantee that the cybercriminal will actually return the files, even if the ransom is paid.”

Slattery said that the best way to mitigate the risks of ransomware is “user awareness”, such as backing up your data.

“Unfortunately, ransomware attacks can impact cloud storage services and network drives,” he said.

“To avoid this, create a physical backup on a DVD or portable drive, and keep it in a secure location that is not connected to your computer.”

Slattery said another step is to make sure you are practicing “cyber hygiene” by patching and update your device. This includes regularly checking for firmware updates.

“Hover before you click to make sure you know the end destination of links, change your passwords regularly and keep your operating systems up-to-date. Don’t open emails from unknown senders,” he said.

“Also ensure you’re using effective antivirus software. Make sure ransomware doesn’t get on your computer by using software that can block malicious phishing sites. But, beware of free security: you get what you pay for.”