Sunday, December 22, 2024

Why Students From K-12 Are So Vulnerable In Becoming A Cyber Victim

 


Whenever we hear about a Cyberattack or a security breach, we often think that the entity involved is a Fortune 500 company, or even a healthcare organization.  True, these are prized targets, but many people do not think that the education sector, or for that matter even the nonprofits, could be at risk also.

Well, truth be told, they are in the crosshairs of the Cyberattacker as well.  You might be asking, “Why?”  Well, here are some reasons:

*These institutions contain a large amount of PII datasets, not just of students, but also teachers, administrative assistants, and other faculty, including principals and superintendents.

*While most schools do have some kind of IT/Network Infrastructure, they are often running legacy hardware and software, even on par with the systems found in Critical Infrastructure.

*The schools contain a very vulnerable group of victims – young children, all the way from K-12. In this regard, they can easily become the victim of a Cyberbullying Attack.

*The schools very often have an extremely limited budget, and therefore, they cannot upgrade their IT/Network Infrastructure in a timely manner.  Because of this, there are many vulnerabilities and weaknesses that are present, making it extremely easy for the Cyberattacker to penetrate covertly.

In fact, in 2023, the educational sector witnessed its largest number of Cyberattacks ever recorded, even more than during the COVID-19 pandemic.  A lot of this can be attributed to the fact that students these days have easy access to smartphones.

Thus, there is the temptation to download mobile apps, especially games and those that involve sharing posts on social media (the most notorious of these is Facebook).

Many of these students are simply not cognizant of where to safely download these mobile apps, such as from the Apple Store.  Although there are parental controls that can be deployed on these devices, many of them are not the best, and the source code that was used to create them was never tested.  But these apps can also be used by the teachers for online learning with the students.

Another weakness here is the Digital Personalities that the mobile apps use.  They try to take the place of the traditional teacher, but what they can do for the student can only go so far.  For example, a Digital Personality can ask a student about their personal information/data, and innocently, they will submit it without giving it a second thought. 

But what happens when the vendor goes under, and falls off the radar?  The question of how they used and processed that student’s information/data comes under scrutiny, and even more so, where it is stored.

This was the case in the Los Angeles Unified School District.  They made use of a Digital Personality, a chatbot named “Ed.”  It was used both by students and teachers, but one day, the vendor, AllHere, suddenly went under, and completely went silent. Obviously, both school administrators and parents were overly concerned as to what happened to the students’ PII datasets.  More details about this can be seen at the link below:

An Education Chatbot Company Collapsed. Where Did the Student Data Go? | EdSurge News

It is also especially important to remember that information/data about the student is not just school records.  A lot of this also includes medical records, so that the nursing staff at the school can easily take care of an ill student.

These are also at risk, and the scary part is that if the Cyberattacker does get their hands on them, they can easily sell them on the Dark Web or use them in an Extortion Attack against the child, as sickening as this sounds.

To drive home just how serious this situation is, here are some stats:

*61% of schools that were hit by a security breach impacted students from K-12, with no discretion whatsoever.

*85% of the schools that were the victim of a Ransomware Attack had all their devices locked and files encrypted, making them completely unrecoverable.

*The cost of downtime for schools increased by at least four times from 2023 to 2024.

*Surprisingly, the educational sector is one of those that are almost reluctant to report a security breach to law enforcement and federal authorities – only 22% of those entities that have succumbed to a security breach reported anything.

(SOURCE:  The Education Industry: Why Its Data Must Be Protected)

My Thoughts on This:

As one can see, there is no easy fix for this horrible situation.  When you compare this to Corporate America, at least one can claim that the business can somehow set aside the needed funds to beef up their lines of defense.

But the same cannot be said for schools.  They are often at the mercy of the state government to procure the money, but if the budget does not have money, there is nothing that a school can do except start having fundraisers.

I sincerely do hope that the new Presidential Administration does take Cybersecurity very seriously in terms of having a strong budget not just for American businesses in general, but especially for the educational sector and also for nonprofits. But even with their limited funding, here are some tips that schools could make use of:

*Consider moving to the Cloud.  Many schools still have an On Prem Infrastructure, which is very costly for them to maintain.  By moving it to a platform like Microsoft Azure, the costs will become much more affordable, and many of the tools there which are comparable to what one would use for the On Prem Infrastructure are much more sophisticated and are available for a fraction of the cost.  Also, Microsoft has been very well known for offering steep discounts to the educational sector.

*Security Awareness training must be given to all involved – not just the teachers, but also the students and the parents alike.  However, it is very crucial that this training is tailored appropriately to the grade level in question.

*Schools should ban the use of smartphones altogether, at least until the students are upperclassmen in high school.  Although this may be viewed as being harsh, this is one of the best ways to reduce the attack surface.

Of course, there are other tips as well. But the above are some starters.  Very often, I ask my close friends from time to time: “How did we make it through school without Google or smartphones?” We had to learn the old-fashioned way, when life was much simpler and less interconnected than it is today.

Gosh, I yearn so much for those days to come back.
