Step up to cyber risks in education
10 Aug 2018
Know what the main risks are for primary vs. secondary schools, and how to reduce and manage them.
Tracking emerging risks in education takes more than research studies. That is why CCI has ongoing conversations with members of our education community, has engaged cyber security experts and risk audit specialists, and has consulted lawyers who can help us to better understand the regulatory framework around data breach laws.
The information CCI has gathered helps schools to identify ways to reduce and manage risk, and understand the Mandatory Data Breach Notification Laws.
Complying with these legislative requirements is now mandatory for schools.
It’s no surprise that cyber risk is a high priority for the education sector, and it carries increasing risks because schools hold the personal information of students.
Outlining the risks and recommendations helps educators and students adopt best practice rather than common practice, and supports their efforts to remain as digitally safe as possible.
Brian Parker is a specialist in conducting cyber risk reviews for CCI clients and describes cyber awareness among schools as low.
“We need to close gaps in the school system. Most schools don’t really understand their vulnerability and they aren’t doing network or IT boundary analysis. If there is a policy it’s not adhered to in practice. The fact is that personnel at schools are not technical people, and they have little IT knowledge. Schools need staff with proper training and education in cyber risks and risk management,” says Parker.
Primary schools are using iPads for a range of subjects today, and many secondary schools require students to use laptops and access study tasks remotely. The more digital our curriculum becomes, the more exposed schools are to cyber threats.
Parker explains that because schools store personal information, such as health records and financial details, this data makes them very attractive to criminals who use ransomware. This particular type of cyber attack has had a big impact on the education sector in the past year.
“Because expertise in IT is low, there should be training provided specifically to educate about cyber risks. Schools can subscribe to industry-based websites that give alerts about threats. There is information about cyber security issues available. Management needs to be aware of what threats are mostly likely to damage a school. An attack can close down a business. Not many schools have recovery plans. It’s important from a governance point of view to know your cyber risk vulnerabilities and to be looking carefully at policies. A level of escalation needs to happen,” says Parker.
While both primary and secondary schools face the same threat types, their response capability may differ according to school size and resources. Commonly, schools lack clear governance, lack escalation, and lack a coordinated approach to managing their cyber security issues, according to Parker.
“Schools are simply unaware of their vulnerabilities, and this fact is acute in secondary schools where students are more IT savvy and using more apps. Social media use presents enormous cyber risks for secondary schools compared to primary schools.”
“Schools need a strong risk framework that outlines reasonable use of connected devices and especially where email use is concerned or where there is change management. They also have to educate kids around risks in using social media and its potential cyber risks,” he says.
The cost of data breaches, and the new legal obligations under ISO27001, are forcing schools to think differently about their data and the importance of protecting it. For schools and other organisations that store a lot of it, the implications of not reporting a data breach that has compromised the privacy of individuals can be very expensive indeed. If an organisation becomes aware there has been an ‘eligible data breach’, it must notify the Privacy Commissioner and the affected individuals. If someone has gained unauthorised access to systems within an organisation, disclosed data or caused the loss of personal information, it can seriously harm individuals.
Ben Harper is a professional Data Breach Compliance Navigator for Hal Group, whose expertise lies in cyber security. He says ransomware has evolved.
“Ransomware is a commercial industry now and those running it want to build commercial trust,” he explains.
“There are many organisations willing to pay a ransom because it’s cheaper than not doing business for a day or longer.”
Harper doesn’t agree with paying ransoms but he understands why people comply with demands.
“People still do the most innocent things, like come in to work with a USB they picked up on holiday, or email files from work to their personal email at home and back, and we need to invest in training them,” he says.
“Boards still assume that people will behave correctly, but they will still invite malicious software without meaning to, through a USB, attachment or via Dropbox.”
As more high school students share material and search for information online as part of their studies, schools can expect increasingly to be targeted by those who use malicious tactics for financial gain.
Harper describes attackers as agnostic when it comes to the size of a school or business type, but warns hackers are still capable of targeting data that holds information.
“They look for data with numbers of a 15-digit sequence for example, because it would equal a credit card for them.”
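The defensive counterpart to Harper's point is knowing where card-like numbers sit in a school's own files before anyone else finds them. The scanner below is an added example written for this article, not code from CCI, Hal Group or Harper. It extracts runs of 13 to 19 digits (with optional spaces or dashes), applies the Luhn check that payment card numbers satisfy, and reports only masked hits. The sample text is constructed: the card numbers are the industry test numbers, not real accounts, and the student ID and phone number are made up.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample standing in for an exported fee spreadsheet or mailbox dump.
# Card numbers are public industry test numbers; the other values are invented.
SAMPLE_TEXT = """\
Student ID: 2018004512, Parent phone: 0412345678
Fee payment received, card 4111 1111 1111 1111, exp 09/21
Donation (alumni): AMEX 378282246310005
Order ref 1234567890123456 is an internal reference, not a card
"""

# A run of 13-19 digits, each optionally followed by a space or dash,
# not preceded or followed by another digit (so longer IDs are not split).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself is not sensitive."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_like(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked number) for every Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # Digit-count test repeats the regex bound after separators are removed.
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((lineno, mask(digits)))
    return findings


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the files named.
    if len(sys.argv) == 1:
        for lineno, masked in find_card_like(SAMPLE_TEXT):
            print(f"sample:{lineno}: {masked}")
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, masked in find_card_like(fh.read()):
                print(f"{path}:{lineno}: {masked}")
```

The Luhn check matters because a 15- or 16-digit run on its own is a weak signal: the internal order reference in the sample is the right length but fails the check, so it is not reported, while the student ID and phone number are too short to be candidates at all. Hits are the places where card data should either be deleted or moved into a properly segregated system, which is the inventory a governance discussion about "what do we hold" needs to start from.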
He estimates the cost per stolen record in a data breach to be $155-195, but admits anyone can talk numbers around a highly subjective topic.
“Does the cost per record translate to meaning a student? Talking to ‘Tier 1’ clients is very different to explaining the data breach costs to SMEs. If you’re an SME and you get ‘ransomed’ and your system is blocked, I tell clients that it costs an average $1000 per laptop user in your organisation to remove the ransom.”
“If you’re a school and you have fifty users it will cost $50,000 to pay the ransom to get the system unblocked. It’s a realistic estimate.”
The assessment, however, doesn’t take into account the harm that a breach can cause individuals whose privacy is violated, nor the reputational damage for a school in the wake of a cyber attack.
What should you do if you think there is a data breach in your school?
It depends on the circumstances, but the notification must include recommendations about the steps individuals have taken in response to the breach. You must notify the Australian Information Commissioner (the Commissioner) about eligible data breaches.
- Notify individuals to whom the data breach relates
- Notify only individuals at risk of serious harm
- If notifying individuals is not possible, make a notification public on a website and publicise it via social media or other avenues
The exception to this is if effective 'remedial action' has been taken before the breach causes serious harm.
Brian Parker explains that more segregation in a school’s network can help to mitigate some of the exposure to cyber threats for those schools who use a large number of connected devices.
“Networks differ for schools, but I see some are moving to a cloud environment to ensure they have business continuity in the event of disruption from either a fire or a cyber attack,” he says.
All schools should adopt a best practice over a common practice approach.
“Learning about the types of cyber threats is important in developing a strong cyber risk framework that includes the end-users (in this case students). The trick is ensuring a level of escalation and making it a governance priority,” says Parker.
Ben Harper urges schools to do two important things to protect themselves. One is to drive education and training among schools so that data is seen as a digital asset that warrants security best practices.
“The other is to look at cyber insurance,” he says.
He suggests schools think of cyber insurance in the context of competitive advantage, and estimates that while $1,000 of cyber insurance may be able to provide $1 million in cover today, the reality is that premiums will start to multiply exponentially in the next five years.
“The trigger point arrives when we have greater transparency from clear case studies that emerge through mandatory reporting. Everyone accepts it’s a topic to discuss right now. When a situation occurs where a school has had reputational damage that can’t be recovered, because of a data breach in which a student’s private information has been compromised, only then will schools tackle the issue of cyber security as a collective,” he says.
Harper expects more cases will come to light, and will drive a reallocation of school funds towards cyber security and cyber insurance.
“Schools will accept it as a cost of doing business sooner rather than later. There is a litany of examples of data breach damage already, and sadly schools will have the most to lose because we are talking about children; we’re talking about very private matters, from healthcare records to alumni and their donations. The incentive of attackers will be to go after the top end of town and private schools.”