4/08/21
Online technologies are an integral part of day-to-day life in schools, even more so in Sydney at the moment with the recent re-introduction of remote learning. As schools’ reliance on technology has increased, so too has the risk of falling victim to a cyber attack. The education industry is a common target for cyber attacks, but with good cyber security infrastructure and knowledgeable staff and students, schools can lower their risk of falling victim to an attack.
There are many global definitions of what constitutes a cyber attack, however, the Australian Cyber Security Centre defines a cyber attack as a deliberate attempt to gain access to computers or networks with the intent to manipulate, disrupt, or destroy them or the information contained within them.
Some of the most common types of cyber attacks include phishing, adware and ransomware. The success of these types of attacks can often be a result of the victim’s lack of awareness. It is estimated that cyber attacks cost Australian businesses $29 billion each year, making cybercrime a significant threat to individuals, businesses and schools.
Since the introduction of remote learning due to the onset of the COVID-19 pandemic last year, schools have relied more heavily than ever on technology to ensure continuity of education for Australian students during lockdowns. As such, our increased reliance on technology has increased our susceptibility to cyber attacks.
There have been several reports of cyber attacks in schools across the country in recent months. Most prominently, the NSW Department of Education experienced a cyber attack just hours after it was announced that schools should expect a return to remote learning as a result of Greater Sydney’s latest COVID-19 outbreak. Several internal systems were deactivated as a result of the cyber attack, causing significant disruption to preparations for remote learning in Term 3.
Last month, shortly after a significant ransomware attack hit a New Zealand education group operating over 100 kindergartens, the Te Pūrongo Whakakitenga Data and Insights Report found that cyber attacks had risen 17 per cent between the first and second halves of 2020 . Furthermore, the 2021 Sophos State of Ransomware in Education report revealed that the education sector faced the largest number of ransomware attacks, with 44 per cent of organisations affected internationally.
As School Governance has previously reported, instances of cyber attacks in the education sector, particularly against schools, were on the rise, even before the onset of remote learning. There are many reasons that cyber criminals target schools. These include:
One of the most important ways schools can combat cyber attacks is to ensure that its staff, IT department and students understand and practise good cyber security.
Students spend much of their time online and this has increased over the past year, as students are joining classes online for remote learning. Therefore, it is necessary for students and their families to understand potential online threats, as well as how their online behaviour can affect their privacy.
Schools can assist students in understanding:
With staff accessing school systems remotely using personal computers and home Wi-Fi networks, there is increased opportunity for cyber criminals to gain access to school systems and databases. Hackers can take advantage of the uncertainty of transitioning to remote learning, as well as the inferior security arrangements many people have at home.
It is important for staff to understand how adequate security can prevent cyber attacks. Schools can review staff understanding of steps that they can take to protect their operations by:
Schools ensuring that their staff have confidence in their understanding of how cyber attacks can occur, and how they can be prevented, contributes to a safe and supportive learning environment for students.
Schools need to be aware that a successful cyber attack can constitute a data breach, and may be considered a Notifiable Data Breach under the federal Privacy Act 1988 (Cth) if:
If a Notifiable Data Breach occurs, the affected individual(s) and the OAIC must be informed.
However, it is important to note that not all data breaches occur as a result of cyber attacks. The OAIC’s Notifiable Data Breaches Report found that, while 58 per cent of data breaches are a result of malicious attack, 38 per cent are due to human error. Therefore, establishing and embedding effective privacy policies and processes is integral to ensuring an effective defence against cyber attacks.
Katie Riley