Online technologies are an integral part of day-to-day life in schools, even more so in Sydney at the moment with the recent re-introduction of remote learning. As schools’ reliance on technology has increased, so too has the risk of falling victim to a cyber attack. The education industry is a common target for cyber attacks, but with good cyber security infrastructure and knowledgeable staff and students, schools can lower their risk of falling victim to an attack.

What are Cyber Attacks?

There are many global definitions of what constitutes a cyber attack, however, the Australian Cyber Security Centre defines a cyber attack as a deliberate attempt to gain access to computers or networks with the intent to manipulate, disrupt, or destroy them or the information contained within them.

Some of the most common types of cyber attacks include phishing, adware and ransomware. The success of these types of attacks can often be a result of the victim’s lack of awareness. It is estimated that cyber attacks cost Australian businesses $29 billion each year, making cybercrime a significant threat to individuals, businesses and schools.

Cyber Attacks in the News

Since the introduction of remote learning due to the onset of the COVID-19 pandemic last year, schools have relied more heavily than ever on technology to ensure continuity of education for Australian students during lockdowns. As such, our increased reliance on technology has increased our susceptibility to cyber attacks.

There have been several reports of cyber attacks in schools across the country in recent months. Most prominently, the NSW Department of Education experienced a cyber attack just hours after it was announced that schools should expect a return to remote learning as a result of Greater Sydney’s latest COVID-19 outbreak. Several internal systems were deactivated as a result of the cyber attack, causing significant disruption to preparations for remote learning in Term 3.

Last month, shortly after a significant ransomware attack hit a New Zealand education group operating over 100 kindergartens, the Te Pūrongo Whakakitenga Data and Insights Report found that cyber attacks had risen 17 per cent between the first and second halves of 2020 . Furthermore, the 2021 Sophos State of Ransomware in Education report revealed that the education sector faced the largest number of ransomware attacks, with 44 per cent of organisations affected internationally.

Why Schools?

As School Governance has previously reported, instances of cyber attacks in the education sector, particularly against schools, were on the rise, even before the onset of remote learning. There are many reasons that cyber criminals target schools. These include:

• Data – No matter their size or number of students, all schools hold large amounts of data. This can include sensitive information such as addresses, bank or credit card information, student medical records, and employee information such as tax file numbers and working with children check details. Cyber criminals can sell data obtained from cyber attacks for significant sums of money.

• Disruption – Distributed Denial of Service, or DDoS attacks, are a comment type of cyber attack that aim to cause widespread disruption and a loss in productivity.

• Financial Gain – Cyber criminals can intercept online transactions. For many independent fee-paying schools, paying term fees via an online portal is common practice. Without appropriate security, these transactions present an opportunity for cyber attacks.

• Easy Targets – According to Hayley Turner, Director of Industrial Security, APAC at Darktrace, hackers look for easy targets. As such, due to the education sector’s cyber skills shortage and high click rate for malicious emails, schools are especially susceptible to falling victim to cyber attacks.

What Can Schools Do?

One of the most important ways schools can combat cyber attacks is to ensure that its staff, IT department and students understand and practise good cyber security.

Students

Students spend much of their time online and this has increased over the past year, as students are joining classes online for remote learning. Therefore, it is necessary for students and their families to understand potential online threats, as well as how their online behaviour can affect their privacy.

Schools can assist students in understanding:

• Passwords – Ensure students understand why passwords are important, how to create strong passwords and never to share a password.
• Personal Information – It is important for students to understand what constitutes personal information as well as its value. Schools should teach students to be selective about the personal information that they share online.
• Phishing Emails – Where age-appropriate, schools should assist students to understand phishing attacks and scams by providing definitions and examples.

Staff

With staff accessing school systems remotely using personal computers and home Wi-Fi networks, there is increased opportunity for cyber criminals to gain access to school systems and databases. Hackers can take advantage of the uncertainty of transitioning to remote learning, as well as the inferior security arrangements many people have at home.

It is important for staff to understand how adequate security can prevent cyber attacks. Schools can review staff understanding of steps that they can take to protect their operations by:

• providing staff with adequate information and resources. Resources provided should inform staff about how to identify suspicious emails, links or websites, as well as how to keep their devices up to date with the latest security technology. There are many reputable sources of cyber security information. For example, the Australian Government’s Australian Cyber Security Centre provides in-depth information, reports and resources for individuals, small businesses and large organisations.

• ensuring that staff complete cyber security learning courses on a regular basis, to upskill and test their knowledge. There are many online courses that schools can provide to their staff.

• setting up 2-Factor Authentication for password protected systems. 2-Factor Authentication is the most effective way of preventing unauthorised access to a school’s password-protected systems. Making 2-Factor Authentication mandatory for staff and, where possible, students with mobile phones, is strongly recommended.

• reviewing the expertise of their IT department and the cyber security infrastructure that it has in place. The education sector suffers a shortage of cyber skills so ensuring that their IT staff are up to date with the latest cyber security technology is essential.

Schools ensuring that their staff have confidence in their understanding of how cyber attacks can occur, and how they can be prevented, contributes to a safe and supportive learning environment for students.

Beware: Data Breach

Schools need to be aware that a successful cyber attack can constitute a data breach, and may be considered a Notifiable Data Breach under the federal Privacy Act 1988 (Cth) if:

• there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds

• this is likely to result in serious harm to one or more individuals; and

• the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

If a Notifiable Data Breach occurs, the affected individual(s) and the OAIC must be informed.

However, it is important to note that not all data breaches occur as a result of cyber attacks. The OAIC’s Notifiable Data Breaches Report found that, while 58 per cent of data breaches are a result of malicious attack, 38 per cent are due to human error. Therefore, establishing and embedding effective privacy policies and processes is integral to ensuring an effective defence against cyber attacks.