Paul Crighton is the Managing Director ANZ, Barracuda Networks. In this opinion piece, he shares his insights on how schools can protect systems for cyber attacks..
When the COVID-19 pandemic struck in early 2020, schools, like workplaces, were forced to immediately move to a remote working model, enabling a new norm that required students to learn from home using computers and communications technologies.
Just like workplaces, this shift exposed schools, staff, and students to increased risks of cyber-attacks. And while schools might seem less attractive a target than commercial organisations, that didn’t stop threat actors from going after them.
While the strict social distancing measures implemented at the height of the pandemic have now eased, COVID-19 continues to disrupt classroom schooling. As recently as May 2023, the Sydney Morning Herald reported that hundreds of students at Liverpool Girls High School had returned to remote learning due to a new wave of COVID-19 outbreaks.
Australian education institutions increasingly targeted
The Australian Cyber Security Centre (ACSC), in its most recent Annual Cyber Threat Report, said the education and training sector had reported the most ransomware incidents in 2021–22, rising from the fourth highest in 2020–21. It says the education sector is particularly vulnerable because its business model favours open, collaborative environments.
In February 2023, one of Queensland’s largest tertiary institutions reported admitting that 11,405 people—2492 staff and 8846 former staff—had been impacted by the Royal Ransomware cyber-attack.
In November 2021, the NSW Department of Education also became the victim of a cyber-attack. Teachers were unable to access coronavirus guidelines, emails, calendars and Zoom. And in January 2023, The Age reported that hackers had accessed the credit card details of about 400 parents whose children attended Mount Lilydale Mercy College in Melbourne.
Unfortunately, schools are increasingly becoming vulnerable to cyber-attacks. Such attacks, if successful, could expose the personal data of staff and students, highlighting the need for educational institutions to be better equipped with proper cybersecurity measures.
Meeting cybersecurity challenge in educational institutions
Fortunately, there are many ways schools can protect their systems, staff, students, and parents from the impacts of a cyber-attack.
First, they need to understand their technology landscape, including the network, the devices connected to it, who has access, which applications are running, what data is held and where. Schools need to identify the potential points of weakness and how to address them continuously, including through software updates, access restrictions, offline back-ups, and incident response plans.
New vulnerabilities are being discovered all the time and swiftly exploited by cybercriminals. Software vendors release software updates to patch newly reported bugs, so securing vulnerable systems as soon as possible is essential.
Second, schools need to implement a robust security solution that protects devices, networks, applications and data, as this will do the heavy lifting when it comes to threat detection, prevention, and response. This means that even if hackers successfully breach defences, they can still be stopped before doing significant damage.
Third, access to email accounts and online resources must be protected by multi-factor authentication rather than simply a username and password. Additional factors could be verification codes sent to a mobile phone or email or an email with a link that must be clicked on to complete the access process. There should be restrictions on who can access the most sensitive data, such as student or financial records and core IT systems.
The great majority of successful cyber-attacks are initiated by emails. Many try to lure the recipient into sharing data—a technique known as phishing. A more sophisticated type of phishing email, known as spear-phishing, presents a greater threat as the attackers use knowledge of their targets to hyper-personalise the phishing email, making it look like the email was sent by someone the target personally knows. An AI-based email security solution will help to detect and block these types of emails before they even reach the intended recipient.
Humans are also an essential line of defence. Education institutions must teach students, teachers, and administrative staff how to spot and report suspicious emails.
Finally, data backup is vital—but it must go beyond simply having a real-time copy of all data. A criminal can corrupt live, and backup data before their attack is discovered. Hence, the 3-2-1 rule must be followed, which entails making copies of all data that must be protected, storing these copies on two different types of storage media, and keeping one copy off-site.
Protection is possible
In summary, there are many ways educational institutions can protect themselves against cyber-attacks. At the heart of this is a comprehensive and streamlined approach that includes technology, policies, and procedures.
Technology can help education providers create adequate barriers, detect any breach of those barriers, and create backup copies of sensitive data. Clear policies and procedures can ensure those technologies are used to full advantage, lift cybersecurity awareness and minimise the chance of human error.