The education and training sector reported the most ransomware incidents in 2021–22, rising from the fourth-highest reporting sector in 2020–21, according to the latest assessment of cyber security threats and trends released by the Australian Cyber Security Centre (ACSC).
A separate study published in July by global cybersecurity company Sophos revealed 60% of both higher and lower education providers suffered ransomware attacks in 2021 compared to 44% in 2020.
Ransomware attacks can cripple a school’s network and are often spread through phishing emails. With this in mind, experts say principals need to consider the security posture of their schools’ ICT networks.
RSM Australia Director of Cyber Security and Privacy Risk Services Ashwin Pal said the new ACSC report highlighted the cybersecurity challenges posed by the business model of open collaborative environments that is favoured by the education sector, and the mass proliferation of digital devices into classrooms and homes during the Covid-19 pandemic.
“Adding to this identified challenge is the sector’s access to cyber security funding and expertise as well as the use of mandated service providers, particularly by government or system-operated education entities,” Pal told The Educator.
“School principals navigating these challenges need to focus on what is critical and secure. That is the personal information of students, their parents – particularly banking details for those paying tuition or other fees - and teachers.”
The key here, according to Pal, is for schools to ensure the location of this data is well understood, and the data isolated and secured.
“This does not negate the need to secure other areas of the IT environment, but given the constraints outlined above, focusing on critical data can mean the difference between a minor data breach and a major one that puts sensitive private information at risk,” he said.
“For independent schools with stand-alone IT systems it’s important to understand current threats and attacks and to ensure you have controls in place to address these. These can be achieved via formal risk assessments.”
Pal said schools should regularly consult their service provider to ensure they are across current threats.
“This includes signing up to the ACSC’s free alert service, and having a robust plan to deal with these,” he said. “Also uplift your environment’s cyber security as required by your risk analysis to ensure the safety of your school’s ‘crown data jewels’ and remain vigilant in protecting them.”
Not investing in ICT puts schools at risk
Aaron Bugal, Sophos’ Global Solutions Engineer APJ, said the growing threat of ransomware highlights the need for schools to invest in a robust ICT architecture.
“Cybersecurity budget constraints coupled with a shortage of skilled cyber security operators exposes a significant risk in mitigating threats from highly skilled, funded and aggressive cyber criminals,” Bugal told The Educator.
“Staying ahead of cyber criminals is integral to maintaining an efficient educational ecosystem. Schools must focus on both cybersecurity education and implement the right processes and technical controls to effect a positive security outcome.”
Bugal said anyone with access to a school’s IT environment, whether staff, students, or parents, is vulnerable to attacks and must stay vigilant.
“As part of their duty of care to the school community, principals should provide training to all users before enabling access to systems.”