Remote learning — education sector has a growing cybersecurity problem
- A state of normality still seems far off for the education sector, which remains in a crisis of its own
- Remote learning solutions and edtech have provided a lifeline, but the transition has been far from smooth
- Cybersecurity is now a problem plaguing the sector, a threat which remote learning has magnified
Like every other organization with a physical presence, schools and universities have had to shut their gates. And like every other business, the education sector has had little choice but to embrace digital tools and solutions to keep operations afloat.
Schools in Singapore, Malaysia, Thailand, Cambodia, and Indonesia, among others, have all been forced to delay re-openings. Those few that have reopened have had to embrace strict measures, including mandatory masks, recording temperatures, sanitizing hands regularly, and tracking movements in and out of school. Everyone else has had to rely on the power of remote learning and edtech solutions to maintain some degree of ‘education-as-normal’.
But while the move online was relatively smooth for white-collar businesses, albeit with a few teething problems, for education, the transition to remote learning has been much more of a challenge. The stakes of ineffectiveness or failure here are not simply financial, but risk “scarring the life chances of a generation of young people.” Online teaching needs more than basics. Lecturers or teachers need access to a computer that supports teaching software; they and all of their students need a reliable internet connection.
The shift to remote learning has also highlighted an economic problem, whereby lower-income families may be excluded from the same learning experience, given their lack of access to the right hardware or services. But for those students fortunate enough to be able to access online courses or video-conferenced lectures and seminars, there is another problem: security.
The cybersecurity issues of remote learning
As noted in The Guardian, those who have returned overseas to be with their families during the crisis, for example, may be subject to different data protection laws than are assumed where they study. Privacy, or even freedom of speech, may not be guaranteed for ideas and personal data. This is a serious problem for universities, which are intended to be homes for free and open academic discussion and debate.
In the same vein, this freedom may be compromised when institutions are suddenly reliant on and contributing to the revenue of solutions created by Big Tech companies, such as Microsoft Teams, where data — including conversations and ideas — are swept away, however impermanently, to data centers around the world.
But the education industry faces a more malicious threat; the pandemic has shown that cybercriminals are indiscriminate about their targets. More than 20 universities and charities across the UK, US, and Canada reported falling victim to a supply chain cyber-attack via compromised cloud provider Blackbaud.
The breached provider, which eventually paid the attackers, waited weeks to warn its clients that data had been stolen, which, in some cases, included the personal details of existing staff, students, and other parties.
Ransomware is a growing issue in the education sector. The threat of attacks on individual schools in the US prompted the FBI to issue a security alert about the rising risks, especially with regard to vulnerabilities created by a reliance on remote staff connections using Remote Desktop Protocol (RDP) accounts on internal school systems.
Cybercriminals were likely to increase targeting of K-12 schools “because they represent an opportunistic target as more of these institutions transition to distance learning,” the FBI said.
“K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyber attacks.”
A growing cybersecurity problem
The education sector has long been a target for cybercriminals, and the problem is getting worse: US schools and districts publicly disclosed 348 cyber incidents in 2019, three times more than in 2018. The pandemic has kicked the hornet’s nest.
According to Microsoft’s Global Threat Activity tracker, 61% (nearly 4.8 million) of malware encounters reported within the past 30 days took aim at the education sector, making it the most affected industry. The business and professional services sector came in second with just under 1 million incidents.
“Even before the COVID-19 outbreak, school districts already faced serious cybersecurity challenges,” said Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams. “A lack of dedicated funding and skilled personnel made it hard for educational institutions to keep data secure and improve privacy-related defenses.”
Gurinaviciute continued: “Hence, many schools make essential primary setup errors and put little effort into overseeing old existing vulnerabilities. It comes as no surprise that, during the COVID-19 crisis, hackers and scammers found those vulnerabilities so easily.”
While edtech is still a relatively new concept in the area, edtech startups have been making their online learning experiences available, seeking to introduce new ways of learning and disrupt tried and tested methods. These edtech firms have been crucial in filling the learning gap that many students are experiencing right now.
But schools and students also face potential risks from third-party edtech firms that fail to appropriately secure data in their platforms.
“Systems have to be set up with adequate authentication and controls. Otherwise, they can become vectors for attack,” said Gurinaviciute. “Without proper implementation, tools to access school networks remotely – even VPNs, password managers, and remote desktop protocols – can all be hacked to gain unauthorized access and steal sensitive data.”
With schools and universities facing continued uncertainty, and potential further outbreaks or even second spikes of the coronavirus looming, the education sector cannot think about folding its new reliance on remote learning yet.
As millions of teachers and students once again make remote access attempts from a slew of devices this fall, cybercriminals will swarm to the opportunity. Those who have learned hard lessons must now enact them, and the rest of the industry should take note, ensuring staff and students are thoroughly and consistently trained in the IT solutions they are using and are taking steps to keep cybersecurity and data privacy compliance airtight.
Conversations should arise not just about internet connections and devices, but about the integrity of the software being used and its implications, as well as the data privacy rights of all users.
“Edtech and its infrastructure is not given the importance it is due,” continued Gurinaviciute.
“As governments attempt to address the public health crisis around the world and contain the spread of COVID-19, there is a very large chance criminals will continue to exploit this chaos, and that there will be another spike in cyberattacks against vulnerable targets.
“Educational institutions should focus on protecting their open networks and managing devices they don’t have control over.”