With the growing sophistication and use of digital technology, students are fortunate that technology is easily available to them, enriching their education and making learning more engaging and interactive. However, it’s important that they also need to be equipped with cybersecurity skills at an early age as they are vulnerable and at risk of exposing themselves to danger.
In today’s digital age, young people are fortunate that so much technology is easily available to them, enriching their education and making learning more engaging and interactive. However, the earlier they start using technology, the earlier cyber-risks are introduced.
Research has revealed that 42% of five to seven year-olds now own a tablet. It’s easy to forget that children and young people are inherently vulnerable and at risk of exposing themselves to danger, whether knowingly or unknowingly, when using the internet and connected devices – so the right protection is crucial for parents and educators to consider.
In addition, schools, colleges and universities are facing more cyber-attacks than ever before. Many educational organisations only appoint one or two IT personnel, and often have no dedicated cyber-security staff; and the increase in school-issued devices has drastically expanded the attack surface, along with the number of systems that need to be secured. Teachers and parents alike place high importance on protecting children from physical harm, but they often unwittingly overlook the consequences of omitting to put effective measures in place to protect them when they’re online.
Protecting students from cybercriminals: Whose responsibility is it?
There is no denying that online safety has moved higher up the agenda, especially where technology supports learning, but there needs to be an all-inclusive approach - from teaching staff to governors, volunteers and parents - in order to encourage a better understanding of the risks involved and the processes needed to secure students and staff.
The government’s statutory guidance requires that a member of the senior leadership team is made responsible for safeguarding in schools. Cyber-security and online safety should be included in this and should be taken just as seriously. It should be discussed regularly with governors and at leadership team meetings, and appropriate policies should be implemented and enforced by the senior leadership team itself.
However, whilst it is important to continuously educate and galvanise staff, children and young people also need to be equipped with cyber-security skills at an early stage. The government launched a Cyber Schools Programme in 2017, which was a significant step in supporting and encouraging students to develop key skills when it comes to online security – but more needs to be done.
Educational organisations need to assess whether changes are needed to their technical systems, policies, processes and procedures.
They must also consider the following:
- What assets does the school have?
- How are those assets vulnerable to attack?
- What would the impact of a breach be?
It’s important to then look at the measures needed to secure the institution. Software is important, but so too are policies such as limiting access rights, not assigning admin rights and using two-factor authentication for access to school resources.
A risk assessment will highlight the areas that need attention and will prevent money being wasted on solutions that aren't appropriate – an important factor for budget-strapped institutions to consider.
Keeping pace with security measures in an ever-evolving cyberspace
Due to their wealth of data and often limited cyber-security budgets, schools are increasingly drawing the attention of hackers. Typically, school systems suffer from using older equipment and having less-than-optimal cyber-security expertise, making them an easy target. As a result, educational institutions must reconsider how they think about security. Whilst the implementation will differ from school to school, it means using appropriate technology, always supported with clear policies and, most importantly, extensive awareness and education.
Alongside this, schools should back up their data regularly, as well as investing in proper cyber-security training and testing their preparedness to prevent attacks. It's important to see security as an ongoing process, and therefore essential to carry out periodic risk assessments to identify the potential ways in which an attacker might target an institution, and identify the measures needed to stay secure.
Where the organisation doesn't feel it has the necessary skills, using external expertise is important. This will vary depending on the skills available in-house, and could extend to all aspects of security policy, including risk assessment, management of security software, security awareness and dealing with a cyber-security incident.
Dealing with internal threats as well as external ones
People within an organisation often become unwitting security threats through a lack of knowledge about the dangers, or by cutting corners. In general, security policies that include a human factor often only go as far as telling people what they should and should not do when it comes to using technology, which isn’t sufficient. This is why an imaginative security programme is so important across all sectors.
Ultimately, schools should invest in cyber-security for not only safety, but peace of mind – and to ensure staff can focus on what really matters, which is educating children.
To ensure rigid cyber-security in an institution, educators should consider the following tips when developing their own cyber-security processes:
- Protect all devices for students and teachers, including smartphones and tablets
- Update operating systems and applications as soon as updates become available
- Back up data regularly and store the backup offline
- Where staff are connecting remotely to school systems, they should use a VPN to secure communications
- Implement two-factor authentication
- Encrypt sensitive data
- Don't assign admin rights automatically and don't use admin rights for general use of computers
- Develop a digital security culture that mirrors real-world safety policy
- Follow the governmental Cyber Essentials guidelines
- Review policies, procedures and processes regularly
David Emm, Principal Security Researcher, Kaspersky