The sophistication and complexity of cyber attacks around the world have increased with more technology and software available to make life easier. However, these positive technological advances come with the inherent risk of hackers or cyber attackers emerging and finding ways into users' computer systems. The increased and commonplace use of computers in the 21st century comes with an important reminder for schools to be aware of cyber security risks.
Cyber attacks occur when there is an attempted or actual incident by hackers to damage or destroy a computer network or system. The definition of cyber attacks has evolved to include the use or direction of computer technology or networks to commit or facilitate the commission of traditional crimes, such as fraud and forgery.
The financial impacts of a cyber attack are significant. In ASIC Report 429: Cyber resilience: Health Check, ASIC stated that cyber attacks cost the global economy more than $400 billion. In 2013, Symantec estimated the cost of cybercrime in Australia alone at $1.06 billion.
School Governance has previously reported on the capacity of students to "hack" their own school. Refer to our article Privacy Update: Student Hackers. That article explained that "it is imperative that schools have clear policies and procedures regarding the use of and access to their IT and online environments. It is also essential for parents and students to know, understand and accept that there are serious penalties that may apply to students who attempt to hack into or manipulate school IT systems and that these penalties involve more than just school sanctions."
A recent spate of security breaches on education-related computers and networks, including some by students, is a reminder that the threat of a cyber attack is constant and that schools need to be proactive in protecting their IT and online environments.
Recent events include:
In light of the recently reported hacking incidents, schools should remember these "5 key" cyber security rules.
In this digital era, information is ‘gold’ and people will pay for the personal information of others. Hackers these days have the ability to either obtain, use or sell information obtained through a hack or cyber attack. They can even blackmail a school, as a school district in New Jersey (US) found out. The district experienced a cyber attack when their school system was held hostage for bitcoins. The cyber attack, specifically known as a 'ransomware attack', paralysed their computer systems. The hacker behind the attack requested 500 bitcoins (roughly $125,000 USD) in exchange for restoring their systems. The school district had to operate as if they were back in 1981 until systems were restored.
The hacking of a school system can involve several issues of which schools must be aware. Schools hold very important personal information about their pupils, their staff and their parents which needs to be protected. Accessibility to this information can allow hackers to gain access to:
It is important to note that, due to Section 6C of the Privacy Act 1988 (Cth) (Privacy Act), government schools are exempt from the requirements under the Privacy Act. However, each state and territory has legislative and policy requirements set down by respective state and territory education departments on how schools need to store and dispose of personal information. For example, in Victoria the Privacy and Data Protection Act 2014 (Vic), and in New South Wales the Privacy and Personal Information Act 1998 (NSW), provide protection of personal records containing sensitive information about individuals.
For non-government schools, however, the Privacy Act does apply. Personal information is defined as information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from that information. Pursuant to Australian Privacy Principle 11, there is a requirement for schools to keep information securely stored. Any breaches of the Privacy Act can result in significant financial penalties ($360,000 for individuals and $1.8 million for bodies corporate) being imposed upon the schools.
The implementation of proper security measures such as installing anti-virus and firewall software can help resist and reduce possible cyber attacks or hacking events. The use of these programs can help detect where the attack occurred and discover any system vulnerability, therefore reducing the possibility of a cyber attack or hack crippling computer networks. Other basic tips that can keep school networks safe include:
Regular tests should be undertaken by IT staff to protect school computer systems against cyber attacks or hacks. These tests are vital to assess a school computer system’s ability to prepare, respond, recover and prevent an attack. A cyber attack or hack can not only retrieve information from a system but also immobilise it, rendering it useless. It is also important to note that many cyber attacks or hacks in schools take place out of hours, when students are usually at home.
To help guard against a cyber attack, schools can install anti-virus software, restrict administrator privileges to certain key staff and change staff passwords on a regular basis.
Educating staff and students on cyber security will help reduce the risk of a cyber attack. If employees or contractors are aware of how cyber attacks can occur, this may prevent possible attacks on school computer systems.
Education on cyber awareness can be achieved through professional development workshops, seminars or other courses related to cyber security. A school district in Raytown, Missouri (US), has implemented professional development workshops, curriculum planning sessions and parent-teacher conferences to make parents, students, teachers and other employees aware of cyber security and risks of a cyber attack. The district director of instructional technology stated, “if our student data is hacked, it might be a test score, but it could be a social security number, or their disability information… It can impact them for the rest of their lives”.
In an age where almost everything in schools is done on the computer, it would be prudent for schools to be educated on the risk of cyber attacks. The ancient proverb aptly states: “forewarned is forearmed”.