Almost half of UK teachers believe their students know more than them when it comes to IT. That’s according to recent Sophos research commissioned by YouGov.
Amidst reports of a data breach or hack every other day now, and with cyber criminals targeting more vulnerable organisations, it’s only a matter of time until cyber criminals unlock the gold mine that could be schools.
Also, from 25 May 2018, all British schools will need to comply with the General Data Protection Regulation (GDPR). The penalties for non-compliance are both financial and reputational, and with the new research showing that many schools lack even the basics in online security, the time to act is now.
Security by numbers
Of the 348 head teachers, deputy heads and other senior teachers Sophos surveyed, 18 per cent cited students being able to manipulate the school’s IT system (by hacking into the server to take or change data) as an area of major concern. A further 34 per cent identified data loss as their biggest IT security issue. However, despite increased awareness of the risks due to the proliferation of high profile hacks, leaks and cyberattacks in the media, over 52 per cent don’t believe their school has a system for monitoring students’ online activity, and only a quarter (27 per cent) of teachers are aware of any form of encryption in place to protect data.
There’s no doubt about it – this is a serious gap in the armor. Yet, there continues to be complacency among teachers when it comes to online threats. 80 per cent state they are confident in their school’s ability to protect students online while at school, but for the share of respondents who believed there are basic and essential security measures in place, this simply cannot be the case.
Why you should care
In addition to the human, and very real, risks posed by a lack of online security systems in schools, the impending arrival of the GDPR means educators need to prioritise data security now or risk facing hefty fines come May 2018.
The new legislation places greater legal requirements on both schools and their suppliers with regard to data protection. The penalties are far more severe than those under the current Data Protection Act: the maximum penalty rises from £500,000 today to a staggering €20,000,000. This is in addition to any negative press coverage or loss of confidence from students, parents, and staff that would inevitably result from a serious data breach, all of which could contribute to the closure of the school.
Many of the schools Sophos work with juggle multiple priority projects competing for limited funds. This is the reality of the UK education system, but unfortunately it does put them at even greater risk when it comes to online crime. Often cyber criminals will spread their net wide, meaning that anyone could fall foul of an attack, and others target specific sectors that appear vulnerable such as schools and healthcare providers. In a lot of cases, years of underinvestment in IT and data protection within schools has left them without the layers of security needed to combat today’s complex threats, making them particularly susceptible to targeted attacks, phishing or ransomware.
Building up these layers can be a large investment and quite time-consuming; however, compared to the monetary and reputational cost once a breach has happened, it is a small price to pay. Also, with the heavy cost of non-compliance looming, alongside the burgeoning role of technology in schools, it’s not worth ignoring the risks.
How to prepare
The good news is that schools can take a few simple steps to mitigate the risk: awareness, training and prioritisation.
For those who do have IT security measures in place already, this starts with a simple awareness campaign: Make teachers aware of what the security measures are and how they play a role in protecting students and data. Once they understand the role and value of security they too will start to prioritise it.
Of the teachers questioned in the Sophos survey, 47 per cent identified additional training and 34 per cent identified more tools for monitoring student activity online as measures that would make them feel more confident in their ability to protect students from online threats.
Many of the teachers’ fears, such as phishing (22 per cent) and lack of security caused by students using their own devices on school networks (21 per cent), can be overcome with basic security training. For example, phishing attacks are one of the most common ways for cyber attackers to gain confidential information; however, there are tips and tricks which can help staff and students spot what is real, and what could be a risk to security.
Whether it’s by organising additional staff training, or even building this into IT lessons, both staff and students need to be educated on how to spot red flags, so IT teams at schools can be confident that there is a basic level of understanding amongst teachers and staff when it comes to security. After all, you’re only as secure as your weakest link.
Not worth the risk
Data is always valuable and should always be protected, but some private details relating to students and children must always be kept confidential and therefore need to be appropriately protected.
Cyber criminals feed on vulnerability, as shown by the huge WannaCry ransomware attack this year, so it is certainly only a matter of time before schools are the next target. However, it’s not just about protecting data: schools also need to be getting prepared for GDPR, which will make cyber security not just a consideration, but a requirement.
The risk and fear of a cyber attack is very real. However, with the right measures, software and knowledge, this risk can be minimised or even avoided completely. There needs to be an onus on schools to protect themselves from cybercrime and put their students first. To avoid further dents in school budgets, it’s time to make IT security a priority for schools.
Oliver Wells, Education Manager at Sophos