As schools prepare for the 2020-21 academic year, cyber threats continue to be a significant challenge facing the education sector. With many institutions preparing to rely heavily on virtual learning as the COVID-19 pandemic continues, the topic of cybersecurity should be one of the top priorities in planning for the new year.
Ransomware & Cyber Hygiene
Under normal circumstances, schools across the country are lucrative targets for cyber-attacks. The COVID-19 pandemic has magnified the many vulnerabilities of educational systems. In the past 30 days, there have been over 5 million reported malware attacks on education institutions according to the Microsoft Global Threat Activity tracker. This is far more than the next most effected industry, business and professional services, which sits at just under 850,000 attacks. This drastic difference can be attributed to the education sector having many endpoints, and with those endpoints being spread out amid widespread distance learning, it is a prime target for hackers looking to profit.
Even before the COVID-19 pandemic, ransomware was undoubtedly one of the biggest threats facing the education sector. As schools increasingly rely more heavily on technology, the need for the institution’s entire population to maintain proper cyber hygiene is higher than ever. This means regularly changing passwords, ensuring all hardware is secure at all times and staying vigilant when browsing the web to avoid threats like phishing schemes. A ransomware attack on a school can shut down everything from building operations, to payroll, to teacher curriculum plans. To prevent your institution from a potential halt in operations, having a thorough cyber hygiene plan in place and ensuring all are aware of this plan is critical.
Third-Party Privacy Concerns
Privacy concerns stemming from the use of third-party applications and services also pose a significant risk to the education sector. Just recently, Blackbaud, one of the most popular cloud hosting providers in the industry, fell victim to a large-scale ransomware attack in May which locked the company out of their servers and all customer data. The company paid off the hackers and stated that no personal customer data was misused or distributed in any way. However, many schools have been left to manage the notification process and breach response themselves.
The sudden shift to a remote learning environment has also created significant security oversights when it comes to third-party application use and policy. A recent article from Wired highlights some of these vulnerabilities due to schools incorrectly utilizing platforms, such as SharePoint. These oversights can lead to things like personal records and account information becoming public and available to all users within the system.
As classrooms quickly turn digital, finding an appropriate platform for students and teachers to meet is critical. One of the platforms that surged in popularity as a result of the COVID-19 pandemic is Zoom. As Zoom took off in popularity, the vulnerabilities within the platform were quickly brought to light.
Among the troubling trends within Zoom is a practice called “Zoom Bombing.” Zoom bombing is a practice in which hackers hijack Zoom calls and share violent, pornographic and other inappropriate images while blocking victims from taking back control of their calls.
In addition to the risk of hackers taking control of calls are vulnerabilities in the company’s privacy policy. An article from Forbes lays out Zoom’s privacy policy, which allows the platform to collect and share user data with third parties. This data includes things like instant messages, cloud recordings, files and whiteboards. This creates a large privacy risk for schools that may be using or considering the service for remote learning.
The security and privacy concerns surrounding third-party platforms should serve as a cautionary tale for the education sector. Knowing the security risks as well as all privacy policies for each platform utilized is critical in keeping both people and data safe.
Compliance and Protecting Personal Data
Protecting medical data in the age of COVID-19 will be critical as schools now more than ever need to ensure they are HIPAA compliant. As many schools turn to third party software to track COVID-19 symptoms, exposure and case status, there needs to be a plan in place to ensure this data does not fall into the wrong hands.
The following basic steps from the US Department of Health and Human Services are a good starting point in protecting electronic medical data.
- Implementing access control tools such as passwords and pins. Limit access to electronic health data only to authorized personnel.
- Encrypt all electronic health data so that only individuals with appropriate software can access and read.
- Implement an audit trail feature, which will track who gained access to the files and the time of access.
Taking security measures to protect this important data as well as ensuring your institution is HIPAA compliant will be increasingly important going forward as we prepare for another year in the midst of the COVID-19 pandemic.
Distance Learning Accessibility Issues
As many schools prepare to continue distance learning in the new year, several challenges are facing lower-income students and students in areas without high-speed internet access. According to the Los Angeles Times, more than 40,000 Los Angeles high school students did not remain in contact with their teachers after March 16th, when COVID-19 forced schools to shut down. The overnight shift to distance learning caused students without internet access or a home computer to fall completely behind.
To keep students online and engaged, a plan may need to be put in place to provide students with the necessary technology to participate in distance learning. There are many school districts across the country working to provide these tools to students, including Charleston County, who loaded busses with a Wi-Fi signal and drove them into neighborhoods for students who needed it.
In schools and districts where providing appropriate equipment is not possible, some are bringing students back to campus in waves to prevent the overpopulation of buildings but still allow for face-to-face learning opportunities for those who need it.
Keeping students engaged will be a challenge on its own. With no real concrete end in sight for the COVID-19 pandemic, a continuity plan for students in need is something schools will need to have ready to go entering the new school year.
Questions?
We understand that safety and continued academic success for all students is the top priority for all schools. To achieve this goal, maintaining a thorough plan for all cybersecurity risks is paramount and RCM&D’s education practice is here to help. With the help of our dedicated cyber practice, we are here to help craft this critical portion of your back to school plan. Talk to your trusted advisor today to find out more about ensuring your school is ready to handle education’s unique cyber challenges.