Education at all levels has transformed over the last few years. Education in its various forms had been gradually implementing E-Learning for several years, especially at the tertiary level. Many Universities had started remote learning classes, and some completely online Universities with no physical campuses had come into being.   They all saw distance learning as a useful way to increase income with little additional capital and operational cost.

However, the pandemic that started in 2020  signalled a significant move to remote learning for all students. Cyber Security raised concerns about the uncontrolled use of personal equipment over unsecured networks to join online classes.

School and University systems need to be secure. Potential employers of their graduates want assurances that the education systems have not been compromised and their transcript and graduation details have not been tampered with.

At the tertiary level, it’s not just education. Many institutions earn significant income and status through research. Sponsors and research students expect that their intellectual property will be kept secure.

According to Microsoft Security Intelligence in the US:

• There were over 1,000 ransomware attacks on US schools in 2019.
• 87% of all Educational Institutions have experienced at least one cyberattack.
• 30% of Educational Users were victims of phishing.
• Data breaches in Education cost an average of $4.77Million each.
• You can buy an Academic Record for under $300.

A particularly worrying statistic is that ransomware attacks in Education have increased by a factor of seven in 2020. The FBI state that 57% of all reported ransomware attack in August and September 2020 were on schools.

The obvious question is to ask why are attacks on educational institutions increasing?

The major reason is that the education sector, especially Universities, has a great deal of valuable and marketable data – personal identification data, medical records and research information.   As corporate security ramps up, Education is seen as a soft target.

Other generally accepted reasons include:

• The increasing use of remote education in less controlled environments such as home make the potential for easier attack much greater.
• Data security has not kept up with the changing environment.
• Many schools believe that they have nothing worth stealing and give Cyber Security a low priority.

It is generally felt in the US and elsewhere that schools in particular, lack the technical resource and user awareness to create, implement and manage a cybersecurity programme. Universities tend to be better resourced, but with the move to distance learning and remote access by staff and students are having to shift their focus to new areas of cybersecurity.

A further issue is that schools and Universities tend to operate on policies and procedures and in many cases, these are deficient concerning distance learning and remote access.

What are the remedial actions that need to be taken? These will include:

Additional Resources

The first and most pressing need below tertiary level is the provision of much greater resources to schools. Physical resources will be needed in the form of security software and hardware and warm bodies to implement and manage new security protocols and carry out user and technical training.

Awareness Training

This will take two forms, user and technical training.
User training will alert users on how to recognize potential malware threats and what to do if they suspect they see one. Policies and procedures will need to be updated, and regular reinforcement is needed to keep awareness levels high.

Technical training will provide technical support to define and implement a security environment for the management of potential malware and ransomware attacks. Special consideration for the on-site use of personal equipment as attack vectors will need special attention.

New Policies and Procedures

The management of user security levels, induction of new users, and removal of leavers will need to be strictly controlled.

The use of personal equipment onsite must be controlled

In particular for data security:

• Using removable data such as flash disks and removable hard drives to transfer information between home and onsite must be stopped.
• Uncontrolled use of online data stores like Dropbox, One Drive and Google Drive must be stopped.
• It may be necessary to block personal email accounts, allowing only centrally managed and controlled mailing lists.

This is especially important to protect research data