A renowned information security expert says cybersecurity education is lacking in schools, adding that while the public remains divided over who should be responsible for it, cyber criminals are becoming more innovative.
His comments come after the release of a new survey, which revealed that the public believe cybersecurity education should be the responsibility of parents and teachers.
The survey, which involved 1,300 online users across Australia and New Zealand, was conducted by ESET, a global IT firm based in Slovakia.
According to the findings, 73% think parents should educate children about cybersecurity, followed by 71% who said it should be a high school teacher’s responsibility and 54% who said it should be a primary school teacher’s job.
Nick FitzGerald, the latest recruit to ESET, is a member of numerous groups and organizations in the field of cyber security – notably the Computer Antivirus Research Organization (CARO).
More cybersecurity training in schools needed
FitzGerald told The Educator that the survey showed the need for trained cybersecurity staff in schools, many of which lack this kind of specialist teaching.
“A lot of parents probably feel a little challenged because this is not an area they are very familiar with, so it’s perhaps something they look to schools to help with,” he said.
“However, what I found interesting was that comparatively few people ticked the option that the government should do the teaching, because if it was teachers that were going to do it, they’d do it because it would be part of a government-led curriculum initiative.”
FitzGerald added that a significant majority of students in Australia and New Zealand are taught in public schools, and as such this education would be best delivered by the government.
“The Australian and New Zealand governments have recently updated their national cybersecurity policies. Both claim that there should be a stronger focus on initiatives to boost cybersecurity education in schools,” he said.
“There are very few teachers who are specialised in cybersecurity education, and this is an issue in itself because this kind of education is important in a digital world.”
Cyber-criminals changing tack
FitzGerald outlined some of the things principals should be aware of when striving for effective cybersecurity education in their schools.
“Looking at the history of short-term initiatives, a lot of them addressed issues that were only one part of a broader problem – and in some cases this is still happening today in many organisations,” he said.
“For example, once we had warnings about double-clicking on Word document attachments to emails. That ignored the fact that the general problem was not Word documents per se, but rather unexpected attachments that were potentially dangerous.”
FitzGerald said that as organisations became good at preventing staff from doing this, cyber criminals changed tack and began using a range of other file types with malicious viruses to catch their targets off guard.
“It’s not far-fetched to argue that the reason why the Internet of Things (IoT) has such an appalling Internet security posture is because there aren’t enough people who understand computer security,” he said.
Internet of Things has ‘poor state of security’
FitzGerald said one “wake-up call” was the recent Distributed Denial of Service (DDoS) takedown of IT security journalist Brian Krebs’ popular site, despite it being covered by one of the recognized DDoS protection service providers.
“Analysis of that attack shows that many of the devices involved in delivering the massive traffic spike that took Krebs’ site offline were simple IoT devices such as home routers, IP cameras, DVRs and so on,” he said.
“Prior to this attack, many of us saw the generally poor state of the security of IoT as a major concern, rather than as an actual threat.”
FitzGerald pointed out that this has “clearly changed” and that, with the source code of the tool used in the Krebs attack – or at least that of a closely related tool – having been released, the ability to scan the internet for similar, poorly-secured devices and then use them for your own purposes is now potentially in anyone’s hands.
“There are no direct educational lessons to take from this development, but it speaks to the broader issue of IT security education and awareness,” he said.
“On reflection, perhaps more attention to the ethical side of computer security issues should be included in our schools’ curricula, and this could be added onto whatever ethics education there already is.”