
Schools in the digital era: 5 things schools need to know about cyber security

31/01/17

The sophistication and complexity of cyber attacks around the world have increased with more technology and software available to make life easier.  However, these positive technological advances come with the inherent risk of hackers or cyber attackers emerging and finding ways into users' computer systems.  The increased and commonplace use of computers in the 21st century comes with an important reminder for schools to be aware of cyber security risks.

What are cyber attacks?

Cyber attacks occur when there is an attempted or actual incident by hackers to damage or destroy a computer network or system.  The definition of cyber attacks has evolved to include the use or direction of computer technology or networks to commit or facilitate the commission of traditional crimes, such as fraud and forgery.

The financial impacts of a cyber attack are significant.  In ASIC Report 429: Cyber resilience: Health Check, ASIC stated that cyber attacks cost the global economy more than $400 billion.  In 2013, Symantec estimated the cost of cybercrime in Australia alone at $1.06 billion.

Cyber attacks on schools

School Governance has previously reported on the capacity of students to "hack" their own school. Refer to our article Privacy Update: Student Hackers.  That article explained that "it is imperative that schools have clear policies and procedures regarding the use of and access to their IT and online environments. It is also essential for parents and students to know, understand and accept that there are serious penalties that may apply to students who attempt to hack into or manipulate school IT systems and that these penalties involve more than just school sanctions."

A recent spate of security breaches on education related computers and networks, including some by students, is a reminder that the threat of a cyber attack is constant and that schools need to be proactive in protecting their IT and online environments.

Recent events include:

  • in Canada, a Vancouver high school suffered network service degradation after a student successfully compromised a teacher’s email account and spammed out emails to over 50,000 email addresses.  The student was later expelled.
  • in England, a research and educational network was victim to multiple Distributed Denial of Service (DDoS) attacks over a period of a year.  The attack caused networks to slow and degrade.
  • in Japan, a 16-year-old student downloaded an attack tool and carried out an attack on the Osaka Board of Education server, resulting in 444 elementary, secondary and high school websites going offline. The student launched the attack due to his frustration with his school. He now faces up to three years in prison and a fine of 500,000 yen ($4,500).

5 things schools need to know about cyber security

In light of the recently reported hacking incidents, schools should remember these "5 key" cyber security rules.

1.  Personal information is worth money

In this digital era, information is ‘gold’ and people will pay for the personal information of others.  Hackers these days have the ability to obtain, use or sell information obtained through a hack or cyber attack. They can even blackmail a school, as a school district in New Jersey (US) found out. The district experienced a cyber attack when their school system was held hostage for bitcoins.  The cyber attack, specifically known as a 'ransomware attack', paralysed their computer systems.  The hacker behind the attack requested 500 bitcoins (roughly $125,000 USD) in exchange for restoring their systems.  The school district had to operate as if they were back in 1981 until systems were restored.

The hacking of a school system can involve several issues of which schools must be aware.  Schools hold very important personal information about their pupils, their staff and their parents which needs to be protected.  Accessibility to this information can allow hackers to gain access to:

  • bank account details or credit card information of parents;
  • school financials;
  • school bank account information;
  • student academic results, transcripts and behaviour issues;
  • students’ address information;
  • students’ birth record information;
  • students’ tax file numbers;
  • parent information such as addresses and phone numbers, emails, dates of birth, level of education and nationality;
  • employee information such as addresses and phone numbers, bank account information, tax file numbers, resumés, working with children checks; and
  • student and employee medical information.

2. A cyber attack is a data breach

It is important to note that, due to Section 6C of the Privacy Act 1988 (Cth) (Privacy Act), government schools are exempt from the requirements under the Privacy Act.  However, each state and territory has legislative and policy requirements set down by respective state and territory education departments on how schools need to store and dispose of personal information.  For example, in Victoria the Privacy and Data Protection Act 2014 (Vic), and in New South Wales the Privacy and Personal Information Act 1998 (NSW), provide protection of personal records containing sensitive information about individuals.

For non-government schools, however, the Privacy Act does apply.  Personal information is defined as information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from that information. Pursuant to Australian Privacy Principle 11, there is a requirement for schools to keep information securely stored.  Any breaches of the Privacy Act can result in significant financial penalties ($360,000 for individuals and $1.8 million for bodies corporate) being imposed upon the schools.

3. Personal computers need protection

The implementation of proper security measures such as installing anti-virus and firewall software can help resist and reduce possible cyber attacks or hacking events.  The use of these programs can help detect where the attack occurred and discover any system vulnerability, therefore reducing the possibility of a cyber attack or hack crippling computer networks.  Other basic tips that can keep school networks safe include:

  • Passwords: use complex passwords, change them often, and do not share them or write them down.  Use a password manager like LastPass or 1Password;
  • Ensuring that staff do not leave personal computers unattended: if a staff member leaves a personal computer unattended for an extended period of time, they should log out or password lock the screen.  Staff should set computers to automatically lock the screen after a period of inactivity;
  • When a teacher leaves a classroom for a break or to attend another lesson, wherever possible, the teacher should take the laptop, tablet or other device with them; and
  • Staff must not share or give access to their laptop, tablet, computer or other device to students for any matter at any time.

4. Plan ahead: practice and prepare

Regular tests should be undertaken by IT staff to protect school computer systems against cyber attacks or hacks.  These tests are vital to assess a school computer system’s ability to prepare, respond, recover and prevent an attack.  A cyber attack or hack can not only retrieve information from a system but also immobilise it, rendering it useless. It is also important to note that many cyber attacks or hacks in schools take place out of hours, when students are usually at home.

To help guard against a cyber attack, schools can install anti-virus software, restrict access of administrator privileges to certain key staff and change staff passwords on a regular basis.

5. Educate staff on the importance of cyber security

Educating staff and students on cyber security will assist to reduce the risk of a cyber attack.  If employees or contractors are aware of how cyber attacks can occur, this may prevent possible attacks on school computer systems.

Education on cyber awareness can be achieved through professional development workshops, seminars or other courses related to cyber security.  A school district in Raytown, Missouri (US), has implemented professional development workshops, curriculum planning sessions and parent-teacher conferences to make parents, students, teachers and other employees aware of cyber security and risks of a cyber attack.  The district director of instructional technology stated, “if our student data is hacked, it might be a test score, but it could be a social security number, or their disability information… It can impact them for the rest of their lives”.

In an age where almost everything in schools is done on the computer, it would be prudent for schools to be educated on the risk of cyber attacks.  The ancient proverb aptly states: “forewarned is forearmed”.

About the Author

William Kelly
