Class is not dismissed

Peter Thomas
Published in TNK2 · 12 min read · Aug 9, 2021

Peter Thomas, co-founder of Upling, writing with TNK2 co-founders Elston DSouza, Alix Kwak and Principal Researcher Jay Jeong

Why K12 schools are vulnerable to cybersecurity breaches — and what we might do about it.

If you work in education, this headline in the Sydney Morning Herald on July 8, 2021 won’t have escaped your attention: “NSW Education Department hit by cyber attack hours after remote learning announcement”. The story says:

The NSW Department of Education has been hit by a cyber attack just hours after it instructed its schools to prepare for a week of remote learning, leaving teachers and principals without access to their email, coronavirus guidelines or online learning materials. The department was forced to deactivate its systems as a precaution after the attack, which happened about 3pm on Wednesday, causing the online portals used by teachers to go dark for more than 21 hours.

Details of the nature of the attack remain undisclosed, but it adds to an alarming picture that’s emerging of the state of cybersecurity in K12 schools.

The Office of the Australian Information Commissioner (OAIC) tracks data breaches through its Notifiable Data Breaches Report. Notifiable breaches include malicious or criminal attacks, phishing, stolen credentials, social engineering and ransomware, and the unintended release of data. The OAIC reported receiving 539 data breach notifications from July to December 2020, an increase of 5% on the previous six months.

From the Notifiable Data Breaches Report: July–December 2020. Australian Government Office of the Information Commissioner.

Education — defined by the OAIC as private providers who are bound by the Australian Privacy Protection (APP) legislation (public sector education providers are bound by their own state and territory privacy laws) — came in third (40) by volume of reports behind health (123) and finance (80). These figures probably downplay the extent of the problem — see, for example, the AusCERT/K7Maths incident in 2020, which involved a dump of data from an unknown number of individuals in the education sector, including those with vic.edu.au and wa.edu.au email addresses.

Globally, the picture is similar. The State of K-12 Cybersecurity: 2020 Year in Review report from the US K12 Security Information Exchange and the K-12 Cybersecurity Resource Center says:

“the 2020 calendar year saw a record-breaking number of publicly-disclosed school cyber incidents. Moreover, many of these incidents were significant: resulting in school closures, millions of dollars of stolen taxpayer dollars, and student data breaches directly linked to identity theft and credit fraud.”

And the US Consortium for School Networking (COSN)’s recently released The State of Edtech Leadership report notes that:

Cybersecurity and the privacy of student data are the top two technology priorities, yet specific cybersecurity risks continue to be generally underestimated.

So why are schools vulnerable?

The OAIC report gives you some insight into what was reported and identifies the type of breach.

Less clear are some of the root causes of cybersecurity breaches, but you don’t have to think too hard to arrive at some of the reasons why schools are vulnerable to cyberattacks.

As in many other areas of life, the pandemic has surfaced lots of issues – some new, some old and persistent and some that have morphed to assume a new character.

The need for K-12 schools to rapidly transition to remote learning was uniquely occasioned by the pandemic. While a huge amount of digitalisation was already happening in K12 education, the sheer velocity that schools needed to generate to move students and teachers from classrooms and homerooms to bedrooms and lounge rooms was head-spinning.

Systems that previously were sparingly used have been bent out of shape to support remote learning. IT staff and teachers never imagined that they would ever even need to use many systems, other than now and again — even less that they would need to use them in these ways every day. Zoom and other videoconferencing platforms — formerly the domain of the dull business meeting — are prime examples.

As a result, mistakes creep in: configuration errors; a failure to keep software updated; the continued use of well-past-their-expiry-date, poorly-supported and infrequently-updated legacy systems that didn’t have robust security measures in the first place — and with no way to back out of those systems when schools have to be up and running doing remote teaching; a lack of up-to-date training, or of incentives to do training if it exists; or a simple lack of understanding of cybersecurity amongst school leaders.

One could also observe that many purchasing decisions about software were made at a time when security issues were assumed to be less important than they are now. Those decisions were often based on information provided by vendors — information that schools may not have been in the best position to interrogate thoroughly. As is often said, don’t accept a ride across the river from a crocodile. The lesson learned — one would hope — is that schools should put more robust processes in place to analyse the cybersecurity stance of vendors, continue to do so on an ongoing basis and not hesitate to act if it's not working.

All of this points up the fact that K12 schools, both individually and at a system level, don’t have the depth of expertise in cybersecurity that is commonplace in other industries partially because the issues haven’t been foregrounded to the extent they are now, because expertise is hard to find, and because those IT staff that are better informed are stretched thin across a variety of projects — resulting in cybersecurity strategy, planning and execution getting easily lost in business as (un)usual.

Many schools were already in the middle of digital transformation projects. Those projects have had to be accelerated in the pandemic. It’s not surprising that the push to the finish line has caused problems: the velocity of projects has had to increase, shortcuts are necessary, there is little time to conduct thorough due diligence, and hard decisions have to be made when resources are already stretched. The only thing to do in this situation is to make progress: if you find yourself on a rock face and unable to go down, the only way to go is up — no point clinging on in the hope that someone will come to get you.

Overwhelmingly, K12 education has been a digitalisation success story. It has benefited students, teachers and parents: from the LMS that supports blended learning, through enterprise tools for teachers, to reporting platforms for parents that mean that students don’t have the end of term report in their bag like in the old days.

But the success of the digitalisation agenda in K12 schools has introduced new vulnerabilities: the sheer amount of technology in a school — including, but not just, all of the devices used by staff and students — is now, during the pandemic, connected to off-campus networks a lot of the time.

Many schools operate ‘managed device’ programmes that remediate some of the problems; those with more liberal ‘BYOD’ schemes that allow many types of devices onto a network are more vulnerable. But even with the most robust managed programme, devices are used during remote learning on untrusted networks in students’ and teachers’ homes and then re-introduced to school networks when a lockdown is over. Some of these devices may not have been updated or scanned for malware before they are reconnected to the network.

Add in the multitude of internet-connected IoT (Internet of Things) devices — including smart boards, smart projectors, devices for recording or streaming in-class video or 3-D printers, plus the many cloud-based tools commonly used in schools — and the situation gets worse. IoT devices — which really only work when they are connected to a network — are especially vulnerable because of the way their communications protocols are implemented and so can present an easy target for cybercriminals. According to Neustar’s International Cyber Benchmarks Index, less than a quarter of organisations surveyed were confident they understand how to protect their IoT devices against cyberattacks.

And finally, schools are about people.

Systems and software need to be secure, robust and functional but ultimately, everything must be as usable as possible. No point in having something so locked down and furiously functional that no one wants to use it.

In learning, and especially in online learning, experience is everything. Cybersecurity measures — for example, 2FA (two-factor authentication) or MFA (multi-factor authentication) using a one-time password (OTP) or Google Authenticator, combined with Single Sign On (SSO) — are often compromised in favour of user experience.

Whether the lessons are learned the hard way or learned through a deliberate effort to change, it seems that there is some work to do. Class is definitely not dismissed on cybersecurity.

While at the moment schools aren’t high-value targets, the bad actors are creative, resourceful and smart, and some people just like to cause havoc. Which one of these the NSW incident was, we will probably never find out.

While the personal data stored in K12 schools about students and parents may not be as value-rich as that stored by, for example, universities, it is still an attractive target for hackers. Schools are increasingly being forced into areas of digitalisation that are new for them, such as online payment of fees — and not just school fees, but large numbers of low-value transactions for lunches, school trips and excursions and everything else. Adding financial data into the equation is always going to attract unwanted attention. Even if handled by an external provider, data is only secure if the provider the school uses is secure.

So what can be done? The technical playbook is already pretty well worked out — for those schools that have the capability to understand and implement it.

Segmenting infrastructure to ensure that communications are secure is an obvious step, as are restricting connections to known devices, monitoring unusual network traffic patterns, using systems that block delivery of unauthenticated mail and using next-generation firewalls to protect databases. And of course, encouraging a culture of positive compliance with policies and procedures, plus early and frequent upskilling on best practices, is essential.

And this last point is where we return to the data from the Office of the Australian Information Commissioner.

You would have noticed that data breaches attributed to human error are increasing. As Australian Information Commissioner and Privacy Commissioner Angelene Falk said:

“The human factor is also a dominant theme in many malicious or criminal attacks, which remain the leading source of breaches notified to my office.”

As we suggested in our story ‘All too human’, it’s not the cybercriminal equivalent of Tom Cruise Mission Impossible-style dangling from the ceiling that’s out to get us: it’s ourselves and our vulnerabilities.

The most robust policies and processes mean nothing if people don’t know about them, don’t care about them and fail (or choose not) to follow them. The injunction to use a VPN means nothing if it’s not followed. The instruction to better secure your home network by only using the 5GHz band isn’t helpful if you can’t figure out how to log into your router. And the warning “don’t click anything that looks suspicious” assumes a level of knowledge and experience that people may not have.

We’ve been busy looking at these issues – the human factors issues – and analysing the vulnerabilities we all have.

In All too human we delved into some of these issues — and what we think is a valuable solution. It goes hand in hand with the technical plays but introduces tools that will address the most vulnerable in the school setting: students.

Upling, from TNK2: a cybersecurity diagnostic and learning platform for K12 schools.

Upling is our cybersecurity diagnostic and learning platform for K12 schools. Upling uses our proprietary Behavioural Assessment Engine, a system that evaluates individuals’ digital strengths and vulnerabilities.

Using a combination of profiling and assessment, the engine generates an individual’s dType that describes who they are and what they do in the digital world. Data generated by simulation tasks are then added to create a Digital Profile that embodies an individual’s unique digital strengths and vulnerabilities. Using machine learning, the engine becomes increasingly accurate at predicting those vulnerabilities. We can then recommend training and education that targets vulnerabilities through gamified and nudge-based behaviour change techniques.

A digital profile from Upling.

So why is this a useful thing to do?

We can’t just turn online off: students are increasingly living their lives online, and the pandemic and its continuing effects have accelerated this.

And beyond school, being able to participate fully in society now requires high levels of digital literacy — whether that’s for learning, consuming news, forming and maintaining social relationships or preparing for the world of work. The eSafety Commissioner suggests that almost all children are online even before ELC and most students enter their primary and secondary education ill-equipped to use digital technologies safely.

While this means there are risks — online bullying, easier access to age-inappropriate content, fake news, identity theft, social engineering scams or malware — there are also many more opportunities to use digital technologies in safe, positive, productive and life-enhancing ways.

Of course, there are many excellent digital literacy programmes, and consultation is underway on changes to the Australian Curriculum for a new Digital Literacy general capability which covers managing online privacy and safety and managing digital identity. And in the US, Cyber.org have recently released their K-12 Cybersecurity Learning Standards, which aim to ensure that “all students grow up to be good digital citizens that will live, work and play in cyberspace safely and ethically.”

But equally, many cybersecurity awareness programmes for schools focus only on threats — often recommending that apps are banned or avoided — or offer generalised ‘spot a scam’ advice. Much of this lacks any serious evidence base and is delivered by ‘cybersafety’ consultants who have little understanding of cybersecurity beyond reacting to, and creating, scare-mongering headlines — many of which are wrapped in anti-capitalist rhetoric that reflects a bias against ‘big tech’ that is characteristic of those who were educated in a pre-technological era.

We believe that a more nuanced, realistic and evidence-based approach to digital literacy is needed. One that develops students’ practical digital literacy skills and helps them make the best of — while managing the hazards of — life online. We want to build, and credential, the digital literacy capability of students. This will give parents, teachers and schools the reassurance that what students learn is more likely to keep them safe, whether at school or home — and for the rest of their lives.

And that’s what Upling aims to do.

Upling is in closed beta right now. That means we are testing with our first customers, learning from those customers and changing as we learn.

But we think that alongside implementing the cybersecurity technical playbook (something that, as technical experts with an extensive background in cybersecurity, including the design of next-generation Digital ID services and more, we also support schools in doing), an approach to cybersecurity that is individual, personal and acknowledges the growing importance of human factors is essential.

Come back to the TNK2 publication to read more stories including:

The state of cybersecurity

We know that cyberattacks are on the rise. Cybercrime is up 600%. We go behind the numbers to look at trends and patterns — and the rise of cybercrime-as-a-service. By Elston DSouza, Alix Kwak, Peter Thomas and Jay Jeong for TNK2.

Your money or your data: inside ransomware

Expensive, disruptive, and possibly disastrous. We look inside the disturbing, and rapidly-growing, ransomware phenomenon. By Alix Kwak for TNK2.

All too human

An overview of why the difficult challenges of cybersecurity are human, not technological. Peter Thomas, co-founder of Upling, writing with TNK2 co-founders Elston DSouza, Alix Kwak and Principal Researcher Jay Jeong.

To err is human

We look at the science of errors, how it relates to cybersecurity and how unintentional actions make us less secure — from downloading a malware-infected attachment to failing to use a strong password. By Jay Jeong for TNK2.

And coming soon:

Why small business is big business for cybercriminals

A cybersecurity incident that impacts a small business can be devastating. Why are small businesses vulnerable? We look at some of the reasons — and what we might do about them. By Alix Kwak for TNK2.

You can learn more about our work by visiting tnk2.com.au and read more about our approach to the human factors of cybersecurity.

Peter Thomas, TNK2: Inaugural director of FORWARD at RMIT University | Strategic advisor, QV Systems | Global Education Strategist, Conversation Design Institute | CEO, THEORICA.