With ‘back to school’ season upon us, teachers, parents and students around the world are struggling to get to grips with a host of new COVID-19 policies. Lots of schools are adopting hybrid models, providing both in-person and virtual learning, requiring parents to make childcare arrangements for when their children are not invited to school. There are debates ongoing around whether children should have to wear masks (both in class and on school transport), new drop-off and pick-up arrangements, and lots of new rules and regulations in place to ensure safe physical distancing between students, parents and teachers.
With all of this going on, there’s one risk - heightened significantly by the coronavirus pandemic - that schools might easily overlook: cyber.
School districts worldwide have some significant cyber security shortcomings, according to Joshua Motta, CEO of Coalition, a technology-enabled cyber insurance and security firm servicing the US and Canadian markets. Schools often lack the dedicated funding and the skilled personnel that most for-profit businesses or larger organizations have to continuously vet and improve their defenses. As a result, many schools have made basic security errors, according to Motta, or they’re using outdated technology with unpatched vulnerabilities, thus “propping the door open for hackers and scammers”.
“When you factor in the COVID-19 pandemic, now all of a sudden schools are opening up remote access into these networks,” Motta commented. “The road has been paved for the hacker from the internet into these networks that were already maybe not in the best state [before they were opened for remote access]. So, the coronavirus pandemic is really going to have major cybersecurity implications around the world for educational institutions.
“With back to school, we expect a significant uptick in claims for our education policyholders. That's something that we've been working on diligently at Coalition over the past couple of weeks - to really do a deep dive into all of our policyholders who are in the education sector, scanning their security, going through things, reaching out to them when we're seeing issues, and just making sure that they're prepared, because we absolutely expect an uptick in claims to correspond with going back to school.”
The types of issues Motta expects are nothing out of the ordinary – if you’ve got a finger on the pulse of cyber security trends. There will likely be an uptick in tailored phishing attacks and scams preying on the fear, uncertainty and behavioral changes that teachers, parents and students are going through as a result of the pandemic.
The stakes are also “higher than ever” for ransomware attacks, according to Motta. He explained: “Pre-pandemic, there wasn’t always a significant need for a school’s network to be open across the internet. Maybe they weren’t entirely secure inside of the network, but it was a local network with physical access, so the risk wasn’t so severe. But with the pandemic making remote network access a requirement, it’s these remote desktop protocols or these remote access configurations that I believe the vast majority of ransomware attacks will exploit. We definitely expect to see an uptick in ransomware targeting schools.”
When it comes to mitigating cyber risk in schools, there’s no single comprehensive source of advice for what they should do. According to Motta, it’s best to start with basic cyber risk mitigation that applies to all organizations, whether they’re for-profit, non-profit, education or otherwise. That includes things like segmenting the network so that only the parts necessary for remote learning are accessible over the internet, and making sure that remote access is properly secured and that appropriate controls are in place.
“One of the best ways to secure educational institutions, as it turns out, is more education,” Motta told Insurance Business. “We need to educate teachers, parents and students – especially younger students – on how remote learning is going to work, and how the school is going to communicate. We need to make schools aware of the potential threats to students, whether it’s phishing scams or even the Zoom bombing that we saw emerge in the US a couple of months ago. It’s just providing more education so that people can be vigilant, they can be on the lookout for suspicious emails.”
One point Motta was keen to stress is that it’s barely realistic to expect educational institutions to overhaul their entire cybersecurity in the space of a few months, especially in the middle of a global pandemic. To be realistic, and acknowledging that a cyber incident could occur, one of the most practical things that educational organizations can do is make sure they have back-ups, so they can restore their functions in case something does go wrong.
“Beyond the back-ups part, they need to focus on how to limit the potential breach or compromise of student data,” the Coalition CEO added. “Again, now that these networks are connected to the internet, that's more of a concern. So, going through and making sure that they're only storing data that’s absolutely necessary, and doing what they can to limit permissions in their network and limit access to sensitive student data is going to be important.
“Finally, they need to assess their vendors. One of the ways in which educational institutions are scrambling to make remote learning work is by relying on third-party vendors. They're relying on technology providers to get these services, and if they're not diligent about the platforms they're choosing, they could inadvertently be exposing their students to more risk, even though they may feel like they're solving the core issue, which is how to pull off a hybrid education scheme.”