According to the NTT Security 2018 Global Threat Intelligence Report, the education sector is the most cyber-attacked industry in Australia – a wake-up call that many schools are not heeding.
Professor Gernot Heiser, a cybersecurity expert from the University of NSW, said that schools are just as vulnerable as companies, if not more so.
He says that schools, like small businesses, typically do not have much IT know-how and are probably at least as likely to run outdated IT systems – especially unpatched software.
“I suspect they are on average even less aware of cyber risks than small businesses. Also, they tend to have plenty of smart and sometimes naughty kids with insider knowledge, some of whom might be quite IT-savvy,” Professor Heiser told The Educator.
“Other than vandalism [which might be directed to schools by disgruntled students] most cyberattacks are done for economic reasons, eg organised crime stealing or blackmailing for money or shady players stealing intellectual property [inventions].”
Professor Heiser said this is less of a risk for schools because there is typically not much money to steal.
However, he pointed out that because organised criminals make money from widespread ransomware attacks where the ransom may only be $100, schools would be possible targets.
“I think the biggest risk factor for schools are integrity attacks: students falsifying marks. I suspect that many such cases remain undetected. If I was a school principal, that would be my top concern.”
So what can principals do to mitigate the risks associated with cyberattacks?
One effective solution, says Professor Heiser, is standard “cyber hygiene”.
This involves using the latest software patches and updates, never sharing passwords, keeping critical data away from students, keeping regular backups and placing backup devices in a safe place.
“Ideally apply some integrity checks. For example, have teachers check marks after final processing to detect discrepancies,” Professor Heiser said.
“It may be impractical to do this for all marks, but at least test random samples, and at the very least, look at modification dates of files to see whether anything has been modified more recently than it should be. If so, investigate.”
Beyond this, Professor Heiser said much depends on schools’ actual ICT setup.
“It makes a big difference whether the sensitive grade information is kept on an Excel spreadsheet, a database or a server provided by the education department,” he said.
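The modification-date check and random-sample recheck described above can be scripted. The sketch below is an added example, not code from Professor Heiser or the article, and it assumes marks are exported as files in one directory. It goes one step further than the quoted advice by also comparing SHA-256 digests recorded at finalisation, because a modification date can be reset by anyone with write access to the file. The function names and the sample file are hypothetical.

```python
import hashlib
import os
import random
import tempfile
from pathlib import Path


def snapshot(root):
    """Record a SHA-256 digest for every file under root (run at finalisation)."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(root).rglob("*")) if p.is_file()}


def audit(root, baseline, cutoff):
    """Return {relative_path: [reasons]} for every file that needs investigating."""
    findings, current = {}, snapshot(root)
    for name, digest in current.items():
        reasons = []
        # The check named in the article: modified more recently than it should be.
        if os.path.getmtime(Path(root) / name) > cutoff:
            reasons.append("modified after cutoff")
        # Digest comparison still catches edits where the date was put back.
        if name not in baseline:
            reasons.append("not in baseline")
        elif baseline[name] != digest:
            reasons.append("content changed")
        if reasons:
            findings[name] = reasons
    for name in baseline.keys() - current.keys():
        findings[name] = ["missing"]
    return findings


def sample_for_recheck(marks, k, rng=None):
    """Pick k (student, mark) rows for a teacher to compare with their own records."""
    rng = rng or random.SystemRandom()  # unpredictable choice by default
    return rng.sample(sorted(marks.items()), min(k, len(marks)))


if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())                      # constructed sample data
    (root / "year9.csv").write_text("s1,71\ns2,64\n")
    baseline = snapshot(root)                            # taken at finalisation
    cutoff = os.path.getmtime(root / "year9.csv")
    (root / "year9.csv").write_text("s1,91\ns2,64\n")    # a later edit
    print(audit(root, baseline, cutoff))
    print(sample_for_recheck({"s1": 71, "s2": 64, "s3": 80}, 2))
```

The baseline only helps if it is stored where the people whose marks it covers cannot write to it, for example alongside the backups.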
Professor Heiser said he recently heard from a colleague that their school was collecting scans of students' and even parents’ passports.
“This is a big no-no in an organisation that does not have the skills to effectively protect sensitive information,” he cautioned.
“If I was a parent, I would definitely not provide this. The school is making itself a bigger target, and an economic target: identity theft is big business!”