Cybersecurity: how schools can protect against ‘human factors’

Cybersecurity: how schools can protect against ‘human factors’

Data breaches are becoming increasingly common, and more costly. In Australia, 30% of businesses can now expect to suffer a data breach – and for schools, protecting against hackers and cybercriminals is a uniquely complex task.

According to Chris Gersch, chief information security officer at NetStrategy, breaches are usually the result of two things – weaknesses in software and systems, and human factors. Often they’re a combination of the two, with a human mistake opening the door to allow malware or ransomware to infect a system.

While schools are generally good at identifying and managing risks, fewer understand the ‘human factors’ that can lead to a cybersecurity incident, preferring to leave the issue solely in the hands of the IT department. But as incidents rise in number, it’s becoming increasingly vital for schools to understand that cybersecurity is not an IT problem, and that everyone plays a vital role in keeping data safe.

“If we look at schools, they have one of the most complex environments to be managed from a cybersecurity point of view,” Gersch told The Educator.

“If you compare a traditional K-12 school to a corporate environment, you might have an equivalent number of users, but the users on a school’s network will range from children through to adults with a huge mix of devices.

“However, in almost all cases, schools don’t have dedicated cybersecurity resources on staff. That makes it quite a challenge, and so that human factor is really prevalent in that education space because it’s such a dynamic and complex environment to manage.”

Gersch notes that common security protocols can often be difficult to implement in schools. For example, multi-factor authentication (MFA) is one of the most effective ways to manage credential misuse – but in an environment where phones aren’t allowed in the classroom, that becomes hard to do.

In his work with NetStrategy, Gersch says that a general lack of cybersecurity understanding from school leaders is also a common issue, as well as a general attitude of “it won’t happen to us.” Many schools think they’re simply too small a target – but what they don’t realise is that with their lack of cybersecurity protocols, they become a very easy one.

Many also don’t realise the ramifications of clicking on the wrong link, or entering confidential information into the wrong form. This is where awareness training and creating a multi-layered approach becomes important.

“A lot of the school leaders will tell us that they’ve just spent a lot of money on a firewall or an anti-virus, and will see that as a cure-all,” Gersch says.

“Unfortunately, the reality is that an antivirus only goes so far in addressing the human factor. These systems aren’t perfect, and things can slip through. This is where we need to understand concepts like defence in depth, and shared responsibility.

“Many schools think it won’t happen to them. But once we start talking to schools about financial threat actors, how they operate and what their motivation is, it very quickly dawns on schools that they’re actually a weak target.”

Ultimately, Gersch says schools need to understand that cybersecurity is not just one cure-all product. Having more than one control in place is also important – whether it’s a physical control such as a lock or alarm, or an administrative or procedural control. This can all then be layered, making it much more difficult for the threat actor to get what they want.

“We frequently see schools not understanding or implementing that multi-layered approach,” Gersch says.

“That’s where engaging with a partner like NetStrategy can really help improve the security of your data. A partner can become the dedicated cyber resource that schools often don’t have, and they can work with the school’s executive leadership team to ensure a strong cybersecurity strategy from the very top.”

To find out more about NetStrategy and how it works with schools on cybersecurity, click here.