Technology and education are now firmly intertwined. While this is expected from universities who use the latest tech to teach their students and conduct research, now even the smallest primary schools have tech firmly rooted in their daily lives. The benefits of this are endless; technology certainly enhances the education sector.
However, as Voltaire (and Uncle Ben) said, ‘With great power comes great responsibility’ — and the same is true for the education system. While the use of technology makes them more powerful, it also brings a number of risks. Research shows that threat actors are increasingly targeting educational establishments. Therefore, education systems need to take responsibility in order to correctly protect themselves from this growing number of cyber dangers — most notably insider threats.
The stereotypical image of this type of threat is a malicious internal actor, seeking some form of revenge for being overlooked or similar. Just as dangerous, however, is a benevolent yet naive individual within an organisation who finds themselves duped by a malicious external actor, looking to gain sensitive information through social engineering tactics.
Modern technology can provide educational organisations with the ability to gain insights into who’s accessing the personal information stored on their systems, providing instant response capabilities to stop data breaches. Such technology can also help educational organisations track both departing employees and rogue students, who may leak sensitive information to nefarious external individuals — whether accidentally or purposefully.
Threat actors target educational establishments for a variety of reasons. However, the main target access to a treasure trove of personal information of minors — including names, ages, and addresses — which is valuable for cyber criminals both to ransom and to sell illegally on the dark web.
Modern technology can provide educational organisations with the ability to gain insights into who’s accessing the personal information stored on their systems, providing instant response capabilities to stop data breaches.
The Times highlighted recently that the number of serious cybersecurity data breaches reported by universities had doubled over the last two years, with a massive 1,152 breaches reported in 2016-17. These are a goldmine for hackers, whose prize hauls included sensitive information in areas such as missile research and energy, with the bulk of attacks being traced back to nation state actors, such as Russia, China and the Far East. Lower down the ladder are the opportunistic criminals out to make a quick buck to line their pockets, such as selling student emails on the dark web.
In terms of how exactly an insider threat might manifest within an educational organisation, dangers can be as simple as a laptop being left logged in or passwords written on a post-it note. This enables anyone — whether a student, teacher, or operations staff — to access confidential information on that computer or compromise a social media account. This can be as nefarious as phishing attempts from external threats and bribed employees — student and teacher emails like are typically very easy to guess, with such details often appearing on an organisation’s website.
Additionally, it’s worth remembering that access to an educational organisation’s information can often be gained through its supply chain. By nature, these establishments often work with lots of third-party vendors with various contracts for the likes of IT equipment, textbooks, building and renovation work, not to mention supply staff, recruitment, and training. As such, considering the data they hold, it’s paramount not only to trust these third-party companies but to have the appropriate protection in place should something slip through the cracks.
Keeping up with the “state of the art”
Stretched budgets are a fact of life in the education sector. Not being awash with funds, it’s very tempting to hang on to tech equipment until it collapses and dies. This often leads to a dangerous situation, common within many public sector and third sector organisations, where outdated tech is used to store and secure large quantities of extremely sensitive data.
The upcoming General Data Protection Regulation (GDPR) makes things even more difficult. All schools and colleges need to look carefully at the regulation to work out how to ensure compliance, or otherwise they will find themselves faced with fines. There are the reputational repercussions to consider too; not least because noncompliance can be flagged up as a sign of poor data management in Ofsted reports, affecting their all-important reputations. What’s more, this level of public scrutiny will no doubt lead to a loss of faith among parents, infecting the school’s standing and potentially its funding.
It’s worth remembering that access to an educational organisation’s information can often be gained through its supply chain.
A sprawling IT estate?
How many individual apps form part of your establishment’s IT infrastructure? Chances are, it’s more than you think. Netscope found that the number of cloud-based apps in use within medium to large organisations can easily reach the 300-400 mark. It’s also estimated that as many as 10% of business-critical apps and 23% or organisations’ data is not visible to IT staff. In other words, staff are choosing and using a lot of software without official permission. This is known as shadow IT, which offers easy hiding places for the insider; as such, it’s vital to shine a new light on the whole IT estate.
Educational establishments are especially prone to this problem. Faculties and individual departments tend to develop their own ways of working, often considering it a hassle to wait for official go-ahead before downloading the latest collaborative tool or lesson planning aid. The fact is, an unchecked IT estate can pose countless risks.
Software that tracks (non-invasively) the actions of staff online and the transfer of data can eliminate these shadows. User and entity behavior analytics (UEBA) can alert educational establishments to odd behaviour, or the attempted transfer of confidential materials. For example, alarm bells should ring if a sports teacher is accessing emergency contact details from the science lab at 3am. Without this software, you don’t have this warning and will be left playing catch-up.
Strengthening your defences
All organisations — schools and colleges included — need to view compliance as an ongoing process. The starting point involves thorough data mapping; gaining clarity on precisely what data you hold, where it resides, its purpose and how long it needs to be retained. This way, both rogue staff and external forces can’t operate in the dark.