How cybercriminals will continue to exploit the chaos in education

The impact of the pandemic risks "scarring the life chances" of young people, but remote learning is bringing its own set of problems.
7 August 2020

Remote learning is a stand-in solution in a ruptured education sector. Source: Shutterstock

  • The education industry was thrown into disarray this year, with a state of normality nowhere in sight
  • Schools and colleges had to embrace remote learning ‘overnight’, but the stakes are high, and the transition has had its issues
  • Not least of these is cybersecurity and data privacy. The education sector has become the most-affected industry

When lockdowns began, universities and schools — like every other physical organization — had to slam their doors shut. Facing a void of in-person education for an indeterminable amount of time, the solution was quickly identified in remote learning. Lessons, lectures, seminars, and tutorials were shifted online overnight.

This strategy worked well in the world of work, where many businesses were already experienced to varying degrees in flexible working or, at least, were largely equipped with the enterprise-grade tools to make it happen. 

In the white-collar world, there were immediate teething problems but, by and large, business rolled into a state of new, virtually-enabled normality.  

In education, however, the transition to remote learning has been much more of a challenge. The stakes of ineffectiveness or failure here are not simply financial, but risk “scarring the life chances of a generation of young people.”

Online teaching needs more than basics. Lecturers or teachers need access to a computer that supports teaching software; they and all of their students need a reliable internet connection. The shift to remote learning has also highlighted an economic problem, whereby lower-income families may be excluded from the same learning experience, given their lack of access to the right hardware or services. 

But for those students fortunate enough to be able to access online courses or video-conferenced lectures and seminars, there is another problem: security. 

The cybersecurity issues of remote learning

As noted in The Guardian, those who have returned overseas to be with their families during the crisis, for example, may be subject to different data protection laws than are assumed where they study. Privacy, or even freedom of speech, may not be guaranteed for ideas and personal data. This is a serious problem for universities, intended to be homes for free and open academic discussion and debate. 

In the same vein, this freedom may be compromised when institutions are suddenly reliant on and contributing to the revenue of solutions created by Big Tech companies, such as Microsoft Teams, where data — including conversations and ideas — are swept away, however impermanently, to data centers in Eastern Washington or elsewhere. 

But the education industry faces a more malicious threat; the pandemic has assured us that cybercriminals are indiscriminate about their targets. More than 20 universities and charities across the UK, US, and Canada reported themselves victim to a supply chain cyber-attack via compromised cloud provider Blackbaud

The breached provider, which eventually paid the attackers, waited weeks to warn its clients that data had been stolen, which, in some cases, included the personal details of existing staff, students, and other parties.

Ransomware is a growing issue in the education sector. The growing threat of attacks to individual schools in the US prompted the FBI to issue a security alert about the growing risks, especially in regard to vulnerabilities created by a reliance on remote staff connections using Remote Desktop Protocol (RDP) accounts on internal school systems. 

Cybercriminals were likely to increase targeting of K-12 schools “because they represent an opportunistic target as more of these institutions transition to distance learning,” the FBI said. 

“K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyber attacks.”

A growing cybersecurity problem

The education sector has long been a target for cybercriminals to exploit, but the problem is getting worse — US schools and districts publicly disclosed 348 cyber incidents in 2019, three times more than 2018 — but the pandemic has kicked the hornet’s nest. 

According to Microsoft’s Global Threat Activity tracker, 61% (nearly 4.8 million) of malware encounters reported within the past 30 days took aim at the education sector, making it the most affected industry. The business and professional services sector came in second with just under 1 million incidents.

‘’Even before the COVID-19 outbreak, school districts already faced serious cybersecurity challenges,” said Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams.A lack of dedicated funding and skilled personnel made it hard for educational institutions to keep data secure and improve privacy-related defenses.” 

Gurinaviciute continued: “Hence, many schools make essential primary setup errors and put little effort into overseeing old existing vulnerabilities. It comes as no surprise that, during the COVID-19 crisis, hackers and scammers found those vulnerabilities so easily.’’ 

But schools and students also face potential risks from third-party edtech firms that fail to appropriately secure data in their platforms. 

‘’Systems have to be set up with adequate authentication and controls. Otherwise, they can become vectors for attack,” said Gurinaviciute. “Without proper implementation, tools to access school networks remotely – even VPNs, password managers, and remote desktop protocols — can all be hacked to gain unauthorized access and steal sensitive data.’’

With schools and universities facing continued uncertainty, with potential further outbreaks or even second spikes of the coronavirus looming, the education sector cannot think about folding its new reliance on remote learning yet. 

As millions of teachers and students will once again make remote access attempts from a slew of devices this fall, cybercriminals will swarm to the opportunity once again. Those who have learned hard lessons must now enact them, and the rest of the industry should take note, ensuring staff and students are thoroughly and consistently trained in IT solutions they are using and are taking the steps to ensure cybersecurity and data privacy compliance remains airtight. 

Conversations should arise not just about internet connections and devices, but about the integrity of the software being used and implications, as well as the data privacy rights of all users. 

‘’Edtech and its infrastructure is not given the importance it is due,” continued Gurinaviciute.  

“As governments attempt to address the public health crisis around the world and contain the spread of COVID-19, there is a very large chance criminals will continue to exploit this chaos, and that there will be another spike in cyberattacks against vulnerable targets.

“Educational institutions should focus on protecting their open networks and managing devices they don’t have control over.”