Most schools have tried their hand at variations of distance learning, from delivering lessons via virtual learning environments (VLEs) to presenting school assemblies via video conferencing platforms such as Zoom. Data Privacy and safeguarding issues relating to the use of technology have been well documented, revealing the plethora of risks. In this blog 9ine’s Founder and Manager Director, Mark Orchison, explores the most common cyber threats facing schools in the new academic year.
Cyber actors and criminals seek a gain from their cyber activities. This could be as simple as an ego driven desire to demonstrate to themselves how good their cyber skills are, through to the online ‘street cred’ gained through larger attacks, all the way through to achieving financial gain. Where there is a potential financial gain, the motivation to find entrepreneurial ways to steal funds by committing cyber crimes is always present.The FBI and Interpol have both reported an increase in digital crime; the FBI reported crime increased by 75% since the beginning of the pandemic. Jurgen Stock, of Interpol, reports “Cyber-criminals are developing and boosting attacks at an alarming pace… exploiting fear and uncertainty caused by the unstable social and economic situation created by covid-19.” What is certain though is a heightened need to understand the means and tactics deployed by cyber criminals.
In readiness for the 2020/21 academic year, most schools are preparing to provide a hybrid of on site/campus and distance learning. Many of 9ine’s client schools are preparing to have teachers in class, with cameras used to provide access to the lessons for those students unable to attend. This method allows schools to continue to operate and provide education services. It also means that fee-paying schools can demonstrate that access to online education services are comparable to those on-site, and therefore, can justify charging standard tuition fees, or as close to, in order to maintain income streams.
In the current circumstances any disruption in the ability to operate may give rise to fee discounts or the loss of current and/or prospective families - not only in this academic year, but in the future when prospective families are likely to be more attracted to schools that can demonstrate an effective distance learning plan.
“The increased online dependency for people around the world, is also creating new opportunities, with many businesses and individuals not ensuring their cyber defences are up to date.” - Interpol, 4th August 2020
In the economics of international and independent education, students have a value. The higher the enrolment number you have, the more resources you will have available to you. Cyber criminals know this. They understand the commercial relationship between a school and the families that enrol. Many schools have suffered the consequences of fee fraud - where parents are directed to pay for discounted tuition fees upfront where the cyber criminal has access to the fee payers bank details and is using the school as a trojan horse in which to pay tuition twice, then attempting to claim a refund from the school by taking on the identity of the fee-paying parent.
Register for a free 14-day trial of the 9ine App and transform the way you manage data privacy and protection.
“Education leaders need to ask themselves this question. How long would it take a criminal hacker to compromise and take control of my computer systems or data? It takes 9ine’s ethical hackers less than 4 man-hours of effort to significantly compromise a school IT system. Schools are seen as easy targets by criminals - they need to audit their security defences and have confidence they are less likely to be a victim”
The presence of having students and staff in a physical building limits the opportunity for other types of attacks. Having students and staff on a school network, using a school internet connection, often on a school managed device, means there are inherent protections: the network firewall, network monitoring, email scanning, virus protection and the forced push of security updates to devices and other management controls. However, in the new world of hybrid in classroom/distance learning models many of these protections are removed. Add to this the financial and reputational need for schools to maintain the distance learning operating model and you start baking a very tasty cake of which cyber criminals want a slice!
We forecast a significant increase in cyber disruption to fee-paying schools over the course of the 2020/21 academic year. Cyber attackers have the financial motivation to cause disruption and fee paying schools have the financial motivation to pay off the attacker to rid themselves of the disruption; two willing parties happy to do business together! Furthermore, if you’re not willing to pay, many organised cyber criminals have invested in PR infrastructure to publicise their activity with a view to place maximum pressure on the organisations whose systems and data they have compromised.
In a distance learning environment there are a range of risks that need to be identified and managed. If you are under a privacy regulation such as the GDPR you are legally required to identify these risks and put in place mitigating actions to reduce the risk of occurrence. This is because a cyber attack is, in many cases, a data protection breach.
The following scenario is one which we have often seen targeted at administrative or academic staff. Many schools have reduced the likelihood of this type of attack by providing cyber training to all staff. Whilst the target in the example is a student, a similar attack is still also likely for members of staff.
Attacker Objective: To identify weaknesses in school network security and pounce from the student device onto an organisationally owned device within the school network. To escalate privileges to gain access to personal data or critical systems. Ransom the for return of personal data or gain access back to critical systems which have been locked or encrypted.
Tactics:
Having malware on the target machine allows the attacker to do a number of things:
In the instance of this scenario, the success of the tactics is dependent on the security controls of the school. The following would limit the risk of the attacker being successful:
To mitigate this scenario ask your school's IT team to explain the degree to which steps 1 through to 4 are in place. Wargaming these types of scenarios at a leadership level will support your school in protecting itself from attack. 9ine’s Cyber Training Card Game Go Phish has been designed to support schools in managing their cyber risk.
Many schools using 9ine’s GRC technology undertake regular Security & Systems Cyber Testing. This includes comprehensive analysis of risk, vulnerability and penetration testing. Once complete, Task Management enables the IT team to structure, plan and action the tasks required to mitigate cyber risk. Not only is this good governance, but provides those responsible for Strategy & Accountability evidence that security measures are taking place. Contact sales@9ine.com to arrange cyber training using Go-Phish with your staff or to learn more on our Security & Systems services.
ABOUT THE AUTHOR:
Mark Orchison is Founder and Managing Director of 9ine. He is an experienced management consultant with expertise in data protection, cyber security, technology, project and programme management in education. Mark began his career with Sun Microsystems before moving into management consultancy, where he was the technical consultancy lead for overseeing technology systems for new build schools. Since 2009, Mark has led 9ine in becoming the leading independent K-12 technology and compliance consultancy in the UK. Mark now leads a team of twenty multi-disciplinary and specialist consultants in-house, with a client base expanding across Africa, Middle-East, Russia, India, Asia and the Americas.
Share this blog