Risky New World For Online Education
COVID-19 and the lockdowns have forced educational entities to reshape their delivery models. The switch to online and distance education has been swift and far-reaching. However, managing the inherent risks brought on by a largely online educational provisioning model is a task that most traditional schools are altogether unfamiliar with. It’s also a model that is likely to endure for as long as COVID-19 is around, and through any subsequent pandemics.
Add infrastructural failures – such as load shedding – to these challenges, and a vivid picture emerges of a sector that needs to find agile solutions amid steep adversity.
Zamani Ngidi, cyber solutions client manager at Aon South Africa, says: “Schools and other educational institutions already face significant regulatory pressures and liability exposures. The move to online-distance education brings an entirely new dimension of liability exposure that balance sheets, as well as operational and delivery models, of traditional schools are simply not designed for.
“For the most part, educational institutions do not typically have the large information technology and cybersecurity budgets that most commercial business entities have. This leaves them heavily exposed to cyberthreats as they increasingly venture online for education delivery. A recent example is the ransomware attack launched against an educational institution in the Texas School District in the US, costing the district $50K in cryptocurrency,” explains Ngidi. “Besides the inherent dangers of personal data falling into the hands of cybercriminals, there are also inherent delivery platform risks. Zoom’s woe with pornographic material being displayed via its hacked platform illustrates this point.”
Several cyber-risks face the education sector, including:
- gathering, maintaining, disseminating and storing personal private information (POPIA regulations)
- collecting financial and sensitive student-related information
- high dependency on electronic processes or computer networks
- engaging vendors, independent contractors or additional service providers poses a third-party risk to the sector
- maintaining former student data
- holding sensitive intellectual property that potentially has significant commercial value – this is especially relevant to universities
- system failure at point of admissions process
- subject to regulatory statutes
Adopting and implementing better cybersecurity measures is the first line of defence. “You can prevent your educational institution from becoming a statistic by employing the right cybersecurity and governance protocols. Education also plays a significant role in this space. It is crucial for students and staff members alike to be aware of potential risks and to spot obvious attempts in their daily interactions on the web, in emails and on devices connected to the internet and networks,” explains Ngidi.
To protect against cyber-risks, all or some of the following precautions should be instituted:
- Safeguard institution-owned devices: all computers, laptops and smart devices owned by the educational institution should at the very least have a current anti-virus program installed, as well as adware and malware protection. One of the biggest threats to any business is the naivety of people operating these devices, so education is key. Also consider remote filtering technology, especially if devices are being used outside the institution’s network. This technology will channel the device to connect to the internet through a web security gateway that can remotely block harmful sites.
- Bring your own device: with so many students and staff members remotely interacting with the institution’s network, the first line of defence is keeping guest devices separate from the network. This enables the institution to keep data secure on an administrative network, as well as monitor traffic more closely. It is also crucial to implement a secure file exchange solution that can protect against cyberthreats such as phishing scams.
- Multifactor authentication: because passwords alone do not provide adequate levels of security and hackers are able to circumvent physical biometrics, such as fingerprint identification, multifactor authentication (MFA) is fast becoming the next line of defence. An MFA approach requires individuals to present at least two pieces of evidence – knowledge (something they know), possession (something they have) or inherence (something they are) – to an authentication instrument. For example, using voice recognition plus a PIN or password to authenticate a user.
- Information about scams: Advanced Persistent Threat (APT) groups and other cybercriminals are utilising COVID-19 related scams and phishing emails to hack systems and access personal information. Typical examples include phishing emails tailored around news announcements from governmental or health organisations. Criminals are also targeting voice calls (vishing) or SMS (smishing) to get hold of an individual’s credentials or other sensitive information. Keep staff members and students informed of the latest tactics and interrogate any suspicious activity on any of these platforms.
- Social media policy: this needs to be an evolving and living document that adapts to changing social media trends and demands, such as the increased use of video conferencing facilities. Not only does the policy need to stipulate what is deemed as acceptable behaviour from employees and students, but it also needs to explain what the benefits are of becoming an ambassador for the brand and the legal ramifications inherent to social media platforms.
New threats, new approach
Changing threats demand a changing approach to security. Cybersecurity threats will continue to evolve as the education sector navigates new ways of working and new technology. Educational institutions should ensure they review the relative cyber-risk to their operations and understand that systems that may have been secure before may now be vulnerable.
“Assessing where these risks lie will help educational institutions to prepare and mitigate the emerging threats by putting in place additional protection, such as the use of cyber insurance to help minimise the operational and financial consequences of a cyberattack,” concludes Ngidi.