The pandemic has made things worse
Within the context of an already vulnerable sector, the COVID-19 health pandemic from 2020 has only made things worse.
- • Institutions are more invested for creating physical spaces and infrastructure for bringing students together in-person, as opposed to creating online learning
environments with strong cybersecurity protections. With schools having an ingrained cultural emphasis on physical classrooms, in-classroom teaching technology, outdoor
activities like playing fields, the suddenness of the COVID-19 pandemic and major pivot it required caught the most unprepared for a set of very different requirements.
- • Teachers are trained to manage children in a classroom environment, rather than in a remote learning environment. Many teachers have low competence on the cybersecurity
threats of remote learning technologies, malicious apps, and security standards. To them, these issues are not of high importance, and even in an age when researchers
on cybersecurity threats are targeted, teachers present a much easier attack vector. In fact, an experiment in Mississippi saw 83% of targeted staff open a simulated phishing
message, 48% clicked the malicious link, and 20% entered their credentials in the phishing page.
- • New challenges in how to prove the identity of a student taking a class, sitting an exam, or requesting access to financial information. In fully digital learning
environments, the ability to rely on in-person verification is no longer available.
- • Remote video learning systems were quickly compromised due to weak or non-existent password usage. Threat actors began plotting denial-of-service and ransomware
attacks to hit at the most inopportune and high-leverage times, such as a day or two before a school district was due to begin classes or just before significant holidays
when IT staff were looking forward to time off.
Regulatory obligations increase the risks of cyberattacks and cyber security threats for educational institutions. In the United States, this is led by the requirements of
the Family Education Rights and Privacy Act (FERPA). It confers three rights on the parents of children under 18 (and then upon the student personally when he or she turns
18 or enrolls in post-secondary education), including the right of access to educational reports, the right of modification in the event of error or when changes are needed,
and the right to control disclosure.
There are other regulatory obligations, depending on the nature of the educational institution.
- • Universities providing healthcare to students or that include a medical center will need to comply with the provisions of HIPAA (Health Insurance Portability
and Accountability Act) and its subsequent updates in the United States. HIPAA includes privacy and security requirements covering administrative, physical, and technical
safeguards for health information that is linked to an individual. Stanford University for example suffered several high-profile breaches of health information from three
separate medical facilities associated with the university, and carried costs for HIPAA violations even when they were not directly at fault.
- • Educational providers accepting payments by credit and debit card must comply with the provisions of PCI-DSS (Payment Card Industry Data Security Standard).
Protections are required for payment card information during transmission and storage.