Safety Net: Staying fine online  

It is more important than ever for education establishments and their learners to keep their data and themselves safe, writes Simon Fry

The pandemic has seen teaching migrate online like never before, with remote learning the norm for millions of UK learners for months during lockdown.  

Consequently, educational institutions are at greater risk than ever of having their data attacked, compromised and locked out by criminals ready to exploit cyber weaknesses.  

For their part, pupils and students must be aware of the threats they may encounter online, sometimes, shockingly, from their peers.

While Safer Internet Day, marked globally on 8 February (the 22nd of its kind), provides a focus for educators and learners to check that their cyber security is intact, for those advising on such matters, online safety is a constant pursuit.

Natives should not be naive

Equipping young people with knowledge of how to stay safe online via formal education is widely regarded as appropriate. However, “This runs counter to the ‘myth of the digital native’, which implies young people naturally or automatically acquire digital literacy,” states Dr Peter Macaulay, lecturer in psychology at the University of Derby.

In the university’s recent study of 329 children aged 8–11, children generally reported feeling safe online and perceived they had good awareness of online dangers and how to avoid them (subjective knowledge), but they tended to be poor at articulating for themselves exactly what those dangers were and how they personally could avoid them (objective knowledge).

Feeling safe versus being safe

These findings suggest some children may think they know how to stay safe online but lack – or at least may be unable to articulate – objective knowledge which could actually keep them safe.   

Consequently, there is a need to assess children’s objective knowledge of online safety and dangers and to provide e-safety education for children currently lacking it.

Schools and educational establishments should more closely address the views of children through qualitative or mixed-method approaches to provide a narrative of depth and insight on children’s online activity, particularly addressing their emotions when they come into contact with online dangers.

Integral internet

“Whether it’s to help develop digital skills or for accessing education, the internet plays an integral part in children’s and young people’s lives,” says Melanie Thomson, online safety representative at RM.   

Indeed, for most, being online has been especially important in helping facilitate a sense of normality during 2020 and 2021.  

However, the internet also presents risks, with research from RM finding that 27% of schools noted an increase in online safety instances as a result of pupils being at home for extensive periods during 2020. 

Identify issues

Good news – help is at hand for less-privileged schools via the UK Safer Internet’s free sessions.

“Dealing with online safety is complex and there’s pressure on schools from parents, local authorities and the government, so it is important that teaching staff are provided with additional support to handle this,” says Melanie.

Currently, RM found 55% of schools ensure teachers receive online safety education annually, while 14% cover online safety termly. Alongside this, teachers remain updated with online safety issues via CEOP (80%), through their local authority or multi-academy trust (59%) and child-protection charities (58%).

Melanie believes training and practical advice should be layered with education and security technologies for the best chance of keeping children safe online.  

While these technologies come at a cost and teachers will do their utmost to monitor for causes for concern, the right Department for Education and Ofsted standards-compliant technologies can ease time pressures by identifying issues, alerting teachers to risks in real time. 

Find ways for feedback

Early intervention will be one of the most important e-safety aspects in education in 2022, according to Tootoot co-founder and CEO Michael Brennan. Michael identifies early alert filtering and monitoring systems such as Smoothwall and Impero as providing insights into what learners are searching for and viewing.

“Children and young people have been confined to their homes’ four walls for much of the last 24 months,” says Michael. It is, consequently, critical for leaders in education to understand the importance of finding ways to listen to their students’ views, feedback and concerns in a more regular way through face-to-face and technology channels.

Danger up and down

Just as the pandemic has seen several waves rise and fall, data reflects ebbs and flows in online danger, Michael highlights.  

Tootoot’s 2020 impact report saw a 74% increase in cyberbullying-related concerns reported by children and young people to their schools, and a 29% increase in e-safety-related concerns compared to 2019. Consequently, mental health concerns rose by 61% while stress and anxiety levels increased by 36% during the same period.   

Encouragingly, as we emerge from the pandemic, Tootoot’s most recent impact report (2021) identified a 48% decrease in cyberbullying-related reports compared to 2020.

“It is hoped that by returning to the school environment there will be a reduction in digital safety concerns,” says Michael.

Strength in numbers

Michael has advice for establishments, particularly those with limited funding and weaker security infrastructures seeking to better equip themselves against ransomware attacks.   

Ransomware is a form of malware used to attack an establishment and lock it out of its data systems, with a ransom demanded to re-establish access.

“There is good technology out there at affordable prices,” says Michael. “The best advice for such establishments is to speak to neighbouring institutions, to enable them to understand what others are doing.”  

This may also enable group procurement at reduced costs.

Everyone’s invited

Last year, Ofsted reported on the normalisation of peer-on-peer sexual harassment offline and online in response to the ‘Everyone’s Invited’ campaign. “Educational establishments need to prioritise wellbeing and emotional support alongside online safety education programmes ensuring students are able to act with resilience and in an appropriate manner online,” said David Wright, director of UK Safer Internet Centre at the South West Grid for Learning (SWGfL).

In January 2022, the UK’s Internet Watch Foundation reported a dramatic rise in reports of self-generated (child) sexual abuse in 2021 to 182,000, a 168% increase on 2020 when 68,000 reports involved self-generated material.

Such self-generated imagery of children aged 7–10 has increased threefold, making it the fastest-growing age group; in 2020 there were 8,000 instances, but 27,000 in 2021 – a 235% increase.

Consequently, SWGfL and the Marie Collins Foundation have collaborated to provide the Home Office-funded Harmful Sexual Behaviour Support Service in conjunction with the Department for Education.   

This advises and signposts to further resources to help professionals tackle harmful sexual behaviour.

Cyber security set to spring forward

David believes the pandemic should have changed how schools, colleges and universities protect their data. Statistics from IASME, who operate the Cyber Essentials certification on behalf of the National Cyber Security Centre, indicated 58% of secondary and 36% of primary schools reported a breach, with ransomware attacks constituting the single largest type.  

These are often linked to social engineering and look to encrypt user data to prevent access. “With potentially very large clean-up costs, loss of reputation and the potential loss of student work, these must be taken seriously,” says David.   

He recommends that establishments invest in data-protecting systems and processes, such as resilient and air-gapped back-up systems, regular staff training and effective endpoint security. According to David, “These three steps are ‘must-haves’ for any size of school.”

He advises schools in England to look out for the Department for Education’s Cyber Secure tool, expected to be released in spring 2022.

(Data) Gone (through) phishing

“Phishing, where hackers send fake emails asking for sensitive information or containing malicious links, continues to pose a threat to all organisations,” says a spokesperson for the National Cyber Security Centre.  

Phishing can be used as a means to compromise education institutions’ networks to steal data or disrupt an institution’s ability to function. Staff must therefore be made aware of this danger, with the NCSC offering guidance on spotting and reporting phishing messages with which they can familiarise themselves.

Rigour of eight

The NCSC’s spokesperson stresses governing bodies have an important role to play in ensuring their institution has strong cyber security, with the NCSC website setting out eight crucial questions these bodies can ask to help improve their institution’s cyber security.   

These questions are split across the themes of information-seeking, awareness and preparedness, and can be used to help governing bodies understand their establishment’s IT estate.  

The NCSC also warns against ransomware attacks, stating such attacks during the pandemic have led to the loss of student coursework, school financial records, and data relating to Covid-19 testing.

It encourages all education institutions to follow its mitigating malware and ransomware guidance and consider signing up to its free early warning service notifying organisations of malicious activity.   

Finally, it highlights the need for cyber hygiene to be ingrained in UK education sector organisations from top to bottom.

New world, new words

The transformed world created by the pandemic has brought new vocabulary, as explained by Dr John Chapman, Jisc’s head of policy and strategy for its Janet network.

“At the pandemic’s beginning, Zoom and other video-conferencing solutions saw a huge uptake and a number of education organisations experienced spates of ‘Zoom-bombing’ – intentional disruption of calls as a prank or with malicious intent,” comments John.  

Very quickly, widespread guidance was issued on how to more securely run events or lessons online, such as not publishing connection details, ensuring meetings were password-protected, and understanding the system’s features such as waiting rooms and the ability to mute and disconnect attendees.   

This combination of better security awareness and more appropriate technology use means such disruption is now less common.

Remove remote vulnerabilities

In 2020, Jisc’s Computer Incident Response Team helped over a dozen universities and colleges recover from serious ransomware incidents, with this number increasing in 2021.   

Jisc is also aware of many schools having been impacted by ransomware during this period.   

One of the main routes in for cyber attackers is through insecure remote access systems.

“Through guidance issued by NCSC and Jisc, institutions have now adopted more secure remote-access solutions and many have rolled out multi-factor authentication to staff and students,” says John.

Through Jisc’s engagement with senior leaders, it has seen an acceptance that cyber security is an ongoing programme of work, not a job completed once, and all staff and students need to be aware of their responsibilities when it comes to securing their systems and data.  

For children and young adults, the online world, like the real world, contains both wonder and danger alike.

While the pandemic has seen travel shut down almost completely, as people have remained confined to their homes, they have increasingly explored the digital globe, learning in new ways while encountering new threats to their safety.  

The need has arisen for those teaching them to be proactive in protecting them from these dangers, and it is also vital that pupils and students have a means of reporting their real or anticipated fears.  

Both learners and educators would do well to consider every day as Safer Internet Day.
