What can schools, which all too often make easy prey for cybercriminals, do to bolster their defenses and keep threats at bay?
Schools are at the center of societal change, whether it is by educating and empowering students or by serving as a mirror of current social and economic realities. In order to fulfill their role, however, schools need resources and staff ready to answer these challenges.
While the digital era was increasing in pace and slowly becoming routine in many schools, the pandemic accelerated this process. From one week to another, with no alert, teachers and students went from physical classrooms to the virtual classrooms of online video platforms. Tablets replaced books, screen sharing replaced whiteboards, and messaging apps replaced the playground. In less wealthy areas or in places with more restrictive anti-COVID-19 measures, schools closed down, leaving pupils without important support.
For schools that went online, new challenges arose over privacy concerns, data leaks, and hacks. But online education is a trend that is here to stay, even as the classroom returns to school buildings.
Each school runs risks…
Schools hold sensitive data, including names, addresses and payment details. So if you are a school administrator, it is likely that cybersecurity is one of your main concerns today.
Keep in mind that threats come in different formats, and they can come from anywhere:
- Hackers: Cybercriminals and automated attacks will be the most common scenario and the biggest threat. Hackers might send phishing emails – emails that look legit, but are traps – to try to get a school staff member to click a link and unwittingly give access to all manner of personal data. With this information, hackers can steal bank accounts, commit fraud, or even sell the data. Another possible risk is ransomware attacks, used by hackers to hold your school’s data hostage.
- Students: Your own students might also be the hackers trying to crack the school’s systems. Sometimes it’s just for fun; other times it’s to change their grades or access the information of fellow students.
- School staff: Just like a student, a staff member may also be behind a cyberattack. Although this is a rare case, it might happen out of a wish to cause harm, panic, or revenge.
…so keep it safe!
And although it sounds like a complex topic, cybersecurity can be broken down into five very concise steps to follow when implementing a new strategy.
- Make an inventory of your equipment: How many laptops does your school own? Are they all working properly? Do they have security software installed? Is the operating system updated to the latest version available? List all your equipment one by one, including details on where each piece is installed, who can access it, and whether it needs further inspection.
- Have a dedicated IT specialist: To understand whether all the devices you listed are working properly or need to be updated, you need an IT person, or an IT team, depending on the size of your school. Only specialized personnel can correctly assess and keep maintaining such equipment. The IT staff will also be responsible for setting up user credentials with strong passwords and two-factor authentication, and for keeping track of who has access to which device. They will also be responsible for implementing a comprehensive and easy-to-understand user policy for all staff and students.
- Create cybersecurity workshops for school staff: Start from zero: assume that none of your staff has cybersecurity knowledge and try to build it up through dedicated workshops. Invite experts in the field to give presentations, ask for support from your local city council, and find online resources. Make sure that, over time, your staff understands the importance of not sharing equipment, of keeping passwords private, and of not publishing pictures that might identify sensitive information – and that they can recognize basic features of phishing email.
- Create an environment that encourages staff to report possible threats: Everyone makes mistakes, and the fear of reporting them might increase the risk and exposure of the school. Let staff members know that it is okay if they fell for a scam. We want you to report it so that we can help protect you and the school. Hackers use simple social engineering tricks to catch people, so everyone is a possible victim.
- Make cybersecurity a topic present throughout the school’s curriculum: More than just protecting the school from a potential threat, teachers must be knowledgeable in cybersecurity to ensure they can pass on that knowledge to their pupils from an early age. Even if you have a dedicated IT class where these subjects are taught in depth, with students using laptops and mobile devices in most classes it is important for IT education to become a subject throughout their school path.
Online privacy and safety starts at home
It is not just indoors where students and staff need to comply with online safety rules. Just like following safety rules when crossing a road or wearing a seat belt, cybersecurity must be top of mind, mainly considering how present cyber-risks are in our lives.
For school staff, their work location and pictures shared on social media can be used by hackers to reach specific people within the school’s administration. And in a topic where kids tend to perceive themselves as more experienced than adults, it is essential that both teachers and parents can keep up with the online experience of younger people, even if ‘just’ for the sake of understanding possible threats and vulnerabilities.
BEFORE YOU GO:
by André Lameiras, ESET