Cyber security for educational institutions is more crucial than ever, with the ASD Cyber Threat Report 2022-2023 highlighting the education sector as one of the prime targets for cyber crime. Schools must therefore strengthen their security and compliance measures.
The Rising Threat Landscape in Education
In recent years, the education sector has become increasingly susceptible to cyber threats. Australia saw a 51% increase in cyber incidents reported by critical infrastructure organisations, including educational institutions. A Check Point Research study showed a weekly global average of 1,739 attacks per education or research organisation.
With 90% of data breaches due to phishing attacks worldwide, students, teachers, and staff are also often targeted through deceptive messages.
Cyber-attacks on the sector are not random. They are targeted and strategic, driven by the potential rewards and the relatively lower security defences compared to other sectors.
Reason #1: Valuable Data
Educational institutions hold a wealth of sensitive data, including personal information of students, staff, and parents, as well as financial records and intellectual property. This data can be highly valuable for cybercriminals seeking to sell it on the dark web or use it for identity theft.
Reason #2: Diverse User Base
Schools and universities have diverse populations of students, teachers, and staff with varying levels of IT expertise. Some are tech-savvy digital natives while others are still mastering computer basics. Everyone needs training and support so that each person can collaborate confidently and securely.
Reason #3: Limited IT Resources
Smaller schools often face resource constraints. Staff must juggle multiple responsibilities, including network maintenance, user support, and security. Tight budgets limit cyber security investment. Some could have aging hardware and limited bandwidth. Schools must therefore explore cost-effective cyber security solutions.
Reason #4: BYOD Risks
Bring your own device (BYOD) allows students and staff to use personal devices for learning, but it also presents security risks:
- Personal devices may lack proper security measures.
- Sensitive information can leak if devices are compromised.
- Infected devices can spread malware within the school network.
Schools can manage BYOD risks by:
- Establishing clear policies and guidelines for acceptable device usage
- Implementing network segmentation, isolating BYOD devices from critical systems
- Adopting mobile device management (MDM) solutions to enforce security policies
- Enforcing regular audits to assess compliance and address vulnerabilities
Impact on the Sector
Successful attacks disrupt operations and put student data, including personal and academic records, at risk. This undermines privacy and trust, leading to potential identity theft, financial fraud, and emotional distress.
Technological Innovation in Education
The rapid shift to digital learning environments, especially during the COVID-19 pandemic, has increased the attack surface for cybercriminals. With more devices connected to school networks and the use of various online platforms, there are more opportunities for vulnerabilities, making cyber security solutions an all-time priority.
Remote Learning Platforms
Online learning platforms have bridged geographical and time boundaries. Students in any location now have access to the same kind of education. There are live online sessions, shared cloud resources, and virtual interaction. Platforms like Microsoft Teams for Education are boosting collaboration and engagement.
Digital Learning Tools
The sector has also benefitted from the proliferation of digital tools. Interactive whiteboards are replacing traditional chalkboards, allowing dynamic lessons and easier understanding of complex concepts.
Adaptive learning software enables personalised learning pathways. It can analyse student performance and adjust content accordingly. Virtual reality (VR) and augmented reality (AR) are also transporting students beyond textbooks.
Increased Reliance on Technology
Technology has become integral to the educational journey. Laptops, tablets, and Wi-Fi are now lifelines for learning. Teachers are harnessing digital tools to create more engaging content and enhance teaching methodologies.
Educators have shifted from traditional lectures to student-centred learning – facilitating discussions, encouraging critical thinking, and guiding students. Students are empowered by technology to collaborate, create, and explore.
Australian Laws and Regulations
As schools chart a course toward safer digital horizons, they must also comply with relevant regulations.
The Privacy Act 1988
The Privacy Act covers private schools, except those that fall within the small business exemption or do not provide health services (e.g., physical education classes, nursing services). The Australian Privacy Principles (APPs) prescribe how schools must:
- Have data privacy procedures, practices, and systems to ensure compliance
- Handle personal data transparently, ensuring consent, accuracy, and security
- Demonstrate accountability by promptly addressing queries and complaints
Apart from the Australian Capital Territory (ACT), government schools are not directly covered by the Privacy Act. They fall under state or territory privacy legislation or schemes. In Queensland, for example, the transfer of personal information between schools without consent is allowed before enrolment in a new school.
The Australian Education Act 2013
The Australian Education Act governs Commonwealth funding to both government and non-government schools. It sets out specific requirements to receive Australian Government funding for school education, covering student data protection, educational reforms, and financial accountability. Schools are required to manage student data prudently and proactively while fulfilling their educational mission.
Best Practices for Cyber Security in Schools
Safeguarding digital learning environments is highly important today. Educators are responsible for protecting their students, staff, and sensitive data from cyber threats. Below are some best practices:
Password Hygiene
Educate students, teachers, and administrators – everyone in your school community – to create strong, unique passwords.
- Combine uppercase and lowercase letters, numbers, and special characters
- Never reveal a password to anybody
- Encourage regular password updates or implement a password expiration policy
Data Encryption
All sensitive information (e.g., student records, financial data, and research findings) must be encrypted. Encryption ensures that even if data falls into the wrong hands, it remains unreadable. Consult with your IT provider about the different industry-standard encryption methods such as Transport Layer Security (TLS), Full Disk Encryption (FDE) and File-Level Encryption.
Incident Response Plan
Swift action is crucial when a breach occurs. Handling security incidents starts with preparing a well-defined incident response plan, which should include:
- Designated Incident Response Team: Identify key personnel responsible for handling incidents.
- Communication Protocol: Establish clear lines of communication during an incident.
- Containment and Recovery Steps: Consult with your IT support team to outline the steps to isolate the breach and restore normal operations in your school.
- Legal and Reporting Obligations: Understand your legal responsibilities and reporting requirements.
These best practices can help your school become more cyber resilient. Just remember that it’s not just about technology but also about building a culture of vigilance and responsibility.
Cyber Security Training for Education Sector Leaders
If you’re not sure where to start with fostering a cyber aware culture in your school or university, ADITS conducts tailored cyber security training sessions for boards and school executives.