(This post, “The Hacker Stole My Homework!” from BlackBerry Vice President UKI and Nordics Keiron Holyome, was originally published in the Oct. 2023 edition of Education Today. Excerpted with permission – access the article and related content here).
The Hacker Stole My Homework!
“The hacker stole my homework!” While previous generations of teachers would have stared incredulously at students who offered up such an excuse, today, the statement is anything but farfetched.
The 2022-23 school year was a cyber struggle for U.K. schools. The Vice Society, believed to be behind numerous ransomware attacks on educational institutions across the U.K. and U.S., leaked children’s SEN (special education needs) information, pupil passport scans, staff payscales, and contracts from 14 U.K. schools onto the dark web after refusal to meet the hacker’s ransom demands. Separate attacks during the summer term – exam season for many – saw schools in Wiltshire and Dorset unable to operate screens and systems, while hackers demanded ransom payments for restoring access. As well as impacting teaching, everything from canteen payments to administrative operations was inaccessible. And, as the University of the West of Scotland headed into summer break, a ransomware attack that shut off IT systems and affected student applications reportedly demanded £450,000 for the return of confidential data.
These are just a few examples, though the National Cybersecurity Centre (NCSC) estimates that three-quarters of U.K. schools and colleges actually experienced a cyber breach. Its recent report articulated that U.K. education institutions are more likely to have identified cybersecurity breaches or attacks in the last 12 months than the average U.K. business. Furthermore, higher education sites are more likely to be targeted than schools and be more severely affected.
What Data Does Our Schools Hold That’s of Value?
The data that today’s schools are collecting and storing is valuable and vast. Whether it be details on individual students, test scores, financial transactions, or entrance criteria – through to vulnerable children registers, truancy, and child health records – each could be extremely damaging if published and it doesn’t take a PhD to figure out the possible downstream effects.
Malicious actors might not only gain from a ransomware payment to restore access to IT operations. They can also sell identity and financial information to the highest bidders on the dark web, extort further money through blackmail of individuals and their families, or threaten to expose suppliers’ data.
Why Are Our Educational Institutions Coming Under Attack?
Unfortunately, schools are a soft target. IT support is often limited, budgets are tight, and many use standard software provided to the education sector. If a vulnerability is found in that software, it won’t take long for the criminals to hear about and exploit it.
Similarly, the threat environment for most schools has rapidly expanded over recent years to embrace remote learning, parent-teacher apps, mobile devices, and a host of other connected learning technologies. With budget constraints meaning students are encouraged to use their own devices, more connections with often-unsecured devices dramatically expand the surface area for attack.
But, the main reason that schools are a soft target boils down to culture.
Other industries, such as finance, healthcare, or retail, that also deal with people and their personal information, are heavily regulated on privacy and data protection. They invest in their technology backbone as a competitive advantage and know their reputation is directly linked to their ability to keep private information safe.
Schools don’t necessarily want to embrace such stringent measures. They don’t want web filters to block research or surveillance to curtail creativity. They want the freedom to move files around departments and establishments to provide the kind of joined up environment for continued education that also supports and is supported by external services.
And, while employees are typically the weakest link in any enterprise’s cybersecurity chain, the enterprise sector invests a lot in training. The same is particularly difficult to enforce among students who are likely more susceptible to an attractive phishing lure or unauthorised app download. The advent of generative AI increasingly strips away the common indicators of spelling errors and poor English, replacing known scam indicators with convincing deepfake videos, flawless emails and tempting, personalised offers.
With the value of the data high and the walls paper thin, hackers have all the incentive they need to mount an attack. And, in many past cases, schools have paid the ransom.
How Can Schools Protect Themselves From Attack?
While it’s tempting to look the other way and simply hope you’re not targeted, ‘hope’ is not a strategy you can count on. The good news is that schools don’t have to do it all themselves. Automated cybersecurity solutions that leverage the predictive advantage of artificial intelligence (AI) can support institutions of all sizes in overcoming the challenge of insufficient resources, without blowing the budget or compromising the fluidity of internal information flows.
To help keep costs down, for example, Managed Security Service Providers (MSSP) offer various level (and price) options for support to deploy endpoint protection solutions. Or a subscription to a 24/7 externally-monitored MDR (managed detection and response) service can augment the capacity and skills of stretched internal IT resources. By securing endpoint and network security systems through an MDR service, schools, colleges, and universities can have access to enterprise-grade solutions and round-the-clock cyber experts at a fraction of the cost.
Like putting in the revision for a final exam, if educators put the groundwork in now and take the necessary steps to properly secure their data, the future will remain bright and full of possibilities for the nation’s academic community and with any luck, “The Dog Ate My Homework” excuse will resume its rightful place in schools across the country.
For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry Blog.
Related Reading
- Predictive AI in Cybersecurity: What Works and How to Understand It
- CylanceENDPOINT — Endpoint Protection Powered by Cylance AI
- Inside the FBI and DOJ Takedown of Qakbot, the “Swiss Army Knife” of Malware
- New Report Reveals Increase of Unique Malware and Sudden Surge of Public Sector Attacks
- Cybersecurity and the Future Workforce: What College Students Tell Us
