Whenever we hear about a Cyberattack or a security breach, we often think that the entity involved is a Fortune 500 company, or even a healthcare organization. True, these are prized targets, but many people do not think that the education sector could also be at risk, or for that matter, even the nonprofits.
Well, truth be told, they are also in the crosshairs of the Cyberattacker. You might be asking, “Why?” Well, here are some reasons:
*These institutions contain a large amount of PII datasets, not just of students, but also teachers, administrative assistants, and other faculty, including principals and superintendents.
*While most schools do have some kind of IT/Network Infrastructure, they are often running legacy hardware and software, even on par with the systems found in Critical Infrastructure.
*The schools contain a very volatile group of victims – young children, all the way from K-12. In this regard, they can easily become the victim of a Cyberbullying Attack.
*The schools very often have an extremely limited budget, and therefore, they cannot upgrade their IT/Network Infrastructure in a timely manner. Because of this, there are many vulnerabilities and weaknesses that are present, making it extremely easy for the Cyberattacker to penetrate covertly.
In fact, in 2023, the educational sector witnessed its largest number of Cyberattacks ever recorded, even more than during the COVID-19 pandemic. A lot of this can be attributed to the fact that students these days have easy access to smartphones.
Thus, there is the temptation to download mobile apps, especially those that involve sharing posts on social media (the most notorious of these is Facebook) and games.
Many of these students are simply not cognizant of where to safely download these mobile apps, such as from the Apple Store. Although there are parental controls that can be deployed on these devices, many of them are not the best, and the source code that was used to create them was never tested. But these apps can also be used by teachers to deliver online learning to students.
Another weakness here is the Digital Personalities that the mobile apps use. They try to take the place of the traditional teacher, but what they can do for the student can only go so far. For example, a Digital Personality can ask a student about their personal information/data, and innocently, they will submit it without giving it a second thought.
But what happens when the vendor goes under and falls off the radar? The question of how they used and processed that student’s information/data comes under scrutiny, and even more so, where it is stored.
This was the case in the Los Angeles Unified School District. They made use of a Digital Personality, a chatbot named “Ed.” It was used both by students and teachers, but one day, the vendor, AllHere, suddenly went under, and completely went silent. Obviously, both school administrators and parents were overly concerned as to what happened to the students’ PII datasets. More details about this can be seen at the link below:
An Education Chatbot Company Collapsed. Where Did the Student Data Go? | EdSurge News
It is also especially important to remember that information/data about the student is not just school records. A lot of this also includes medical records, so that the nursing staff at the school can easily take care of an ill student.
These are also at risk, and the scary part is that if the Cyberattacker does get their hands on them, they can easily sell them on the Dark Web or use them in an Extortion Attack against the child, as sickening as this sounds.
To drive home just how serious this situation is, here are some stats:
*61% of schools that were hit by a security breach impacted students from K-12, with no discretion whatsoever.
*85% of the schools that were the victim of a Ransomware Attack had all their devices locked and files encrypted, making them completely unrecoverable.
*The cost of downtime for schools increased by at least four times from 2023 to 2024.
*Surprisingly, the educational sector is one of those that are almost reluctant to report a security breach to law enforcement and federal authorities – only 22% of those entities that have succumbed to a security breach reported anything.
(SOURCE: The Education Industry: Why Its Data Must Be Protected)
My Thoughts on This:
As one can see, there is no easy fix for this horrible situation. When you compare this to Corporate America, at least one can claim that the business can somehow set aside the needed funds to beef up their lines of defense.
But the same cannot be said for schools. They are often at the mercy of the state government to procure the money, but if the budget does not have money, there is nothing that a school can do except start having fundraisers.
I sincerely do hope that the new Presidential Administration does take Cybersecurity very seriously in terms of having a strong budget not just for American businesses in general, but especially for the educational sector and also for nonprofits.
But even with their limited funding, here are some tips that schools could make use of:
*Consider moving to the Cloud. Many schools still have an On Prem Infrastructure, which is very costly for them to maintain. By moving it to a platform like Microsoft Azure, the costs will become much more affordable, and many of the tools there which are comparable to what one would use for the On Prem Infrastructure are much more sophisticated and are available for a fraction of the cost. Also, Microsoft has been very well known for offering steep discounts to the educational sector.
*Security Awareness training must be given to all involved – not just the teachers, but also the students and the parents alike. However, it is very crucial that this training is tailored appropriately to the grade level in question.
*Schools should ban the use of smartphones altogether, at least until the students are upperclassmen in high school. Although this may be viewed as being harsh, this is one of the best ways to reduce the attack surface.
Of course, there are other tips as well. But the above are some starters. Very often, I usually ask my close friends from time to time: “How did we make it through school without Google or smartphones?” We had to learn the old-fashioned way, when life was much simpler and less interconnected than it is today.
Gosh, I yearn so much for those days to come back.