Security Awareness Training for Schools and Educational Institutions

In our data-driven world, most organisations are at least partially dependent on a measure of electronic storage and networking. Perhaps out of experience, large organisations are generally aware of the need for effective cyber security frameworks including firewalls, access and awareness training, and anti-malware systems. Educational institutions, however, tend to be somewhat behind the curve, when it comes to tightly securing their data-verse. Recently, ethical hackers while testing the computer security of university networks discovered that they were able to successfully breach networks in less than 2 hours by using spear-phishing attacks to gain access to sensitive information. Well over 50 universities across the UK were a part of the test and in almost every case, testers were able to acquire domain-level administrator access used to control systems and gain complete unauthorised access to system information.

The education sector is becoming an increasing target for cyber-criminals and there are several examples to learn from. In 2016, the University of Calgary famously fell victim to a ransomware attack in which it was forced to pay out more than $15,000 to regain access to forcefully encrypted files. The following year, the University College of London (UCL) fell victim to another ransomware attack which took down its student management system. Earlier in 2019, an entire school district inConnecticut was locked out of its own data banks until a ransom was paid.

Every second spent on the internet increases your chance of becoming a victim of identity theft or a phishing email fraud. In the world of academia where digital learning and electronic documentation are now more or less the norm, this is especially important. From digital classes to online fee payments and cloud documentation, educational institutions have embedded at least one of these three factors which could possibly put them at risk of a cyber attack. Students who have to pay via online portals run a huge risk of falling victims to credit card fraud and identity theft if adequate measures are not taken to safeguard their data.

Logging on to attend online classes leaves students exposed to digital hacks and bugs, schools that run a free Wi-Fi system could very easily have their public hotspot hacked or cloned, giving hackers access to laptops and mobile devices of thousands of students and staff. Then there’s the fact that educational systems have a huge data collection of student history including personal data like birth certificates, home addresses, phone numbers, medical history and even bio-metrics. One hack into a school’s system could leave more than a thousand people exposed.

Cyber-criminals are well aware that a lot of educational institutions do not have the same cyber-security consciousness as major companies, making the sector a prime target for their criminal activities. A common tactic used by threat agents is spear-phishing attacks. Here, they target employees of an educational institution by spoofing an email to make it look as if it is coming from a senior member of staff and send it to people they’re known to work closely with. These messages will then send victims to websites that attempt to steal credentials or contain attachments which will drop malware.

Considering this increase in prevalence and sophistication of cyber-attacks, educational institutions should begin to tackle this problem with the seriousness, thoroughness and urgency that it deserves.  There are a number of things institutions can do in order to help protect their networks from attacks, some of which includes:

• 1.) Know where data is stored and control who has access to it
• 2.) Ensure systems and software are patched and up to date to prevent attackers exploiting known vulnerabilities.
• Perform regular vulnerability scans
• 3.) Have an incident response plan
• 4.) Train staff and students in security awareness and using regular phishing security tests to help them spot phishing emails and provide information on how to report suspicious incidents or suspected attacks.

The last point on cyber security awareness training for students and faculty members is very crucial element of any effective cyber-security strategy. While several layers of firewall protection and comprehensive antivirus coverage are necessary to prevent hackers from gaining unauthorised access, these systems are not in themselves sufficient. Cyber criminals target people more than they target systems as people tend to be more vulnerable than systems. So, it is important that all stakeholders are made aware of the risks they face and the need to integrate cyber-security into their daily lives.

Training topics should cover areas such as the basics of data protection, shoulder surfing, email security, mobile device security, password security and protection, an up-to-date rundown of the tactics and strategies frequently used by cyber-criminals etc. Alongside security training, phishing tests and simulations should also be routinely carried out to identify those that are phish prone and administer necessary training. Regular phishing simulations also helps to build faculty members resistance to falling for phishing emails because over time they are better able to spot and report suspicious emails.

It is important to note that cyber-security awareness training must be carried out periodically because a “one and done” approach would be largely ineffective, as online criminals are constantly evolving and developing new ways to exploit system vulnerabilities and attack network users.

Finally, after running a training program for a period of time, the institution needs to be able to measure and report the effectiveness of such efforts for the purpose of accountability. One way of doing this is to come up with a list of desirable outcomes and metrics that tie in with high levels of security awareness.

For example, access logs to sensitive server and/or data bank areas should show that only authorised employees are given access, and such areas remain strictly inaccessible to anyone else. Another metric could be a reduction in the number of responses to spam or phishing emails based on data from phishing simulations carried out using institutional email addresses. The IT security team can also gauge the general strength of faculty user passwords and record the number of voluntary security reports from students and members regarding suspicious emails and messages.