The pandemic has made things worse
Within the context of an already vulnerable sector, the COVID-19 health pandemic from 2020 has only made things worse.
- Institutions are more invested in creating physical spaces and infrastructure to bring students together in person than in creating online learning environments with strong cybersecurity protections. With schools' ingrained cultural emphasis on physical classrooms, in-classroom teaching technology, and outdoor activities like playing fields, the suddenness of the COVID-19 pandemic and the major pivot it required caught most of them unprepared for a very different set of requirements.
- Teachers are trained to manage children in a classroom environment, rather than in a remote learning environment. Many teachers have little knowledge of the cybersecurity threats posed by remote learning technologies, malicious apps, and security standards. To them, these issues are not of high importance, and in an age when even cybersecurity researchers are targeted, teachers present a much easier attack vector. In fact, an experiment in Mississippi saw 83% of targeted staff open a simulated phishing message, 48% click the malicious link, and 20% enter their credentials on the phishing page.
- New challenges arise in proving the identity of a student taking a class, sitting an exam, or requesting access to financial information. In fully digital learning environments, in-person verification is no longer available.
- Remote video learning systems were quickly compromised because of weak or non-existent passwords. Threat actors began timing denial-of-service and ransomware attacks to hit at the most inopportune and high-leverage moments, such as a day or two before a school district was due to begin classes or just before major holidays when IT staff were looking forward to time off.
Regulatory Obligations
Regulatory obligations add to the risks that cyberattacks and cyber security threats pose for educational institutions. In the United States, this is led by the requirements of the Family Educational Rights and Privacy Act (FERPA). It confers three rights on the parents of children under 18 (and on the student personally once he or she turns 18 or enrolls in post-secondary education): the right to access educational records, the right to request correction when records are in error or changes are needed, and the right to control disclosure.
There are other regulatory obligations, depending on the nature of the educational institution.
- Universities that provide healthcare to students or include a medical center must comply with HIPAA (the Health Insurance Portability and Accountability Act) and its subsequent updates in the United States. HIPAA includes privacy and security requirements covering administrative, physical, and technical safeguards for health information linked to an individual. Stanford University, for example, suffered several high-profile breaches of health information at three separate medical facilities associated with the university and bore costs for HIPAA violations even when it was not directly at fault.
- Educational providers that accept credit and debit card payments must comply with PCI-DSS (the Payment Card Industry Data Security Standard), which requires protection of payment card information during transmission and storage.