By: Zamani Ngidi, Cyber Solutions Client Manager at Aon South Africa
The societal value of an educational institution is progressively being pitted against the need for it to maintain its operations in an increasingly punitive and litigious environment.
Covid-19 and subsequent lockdowns have forced educational entities to reshape their delivery models. The switch to online and distance education has been swift and far-reaching. However, managing the inherent risks brought on by a largely online educational provisioning model is something most traditional schools are altogether unfamiliar with. It's also a model that is likely to endure for as long as Covid-19 is around, and through any subsequent pandemics for that matter.
Add to these challenges infrastructural failures – such as load shedding – and it paints a vivid picture of a sector that needs to find agile solutions amid steep adversity.
Zamani Ngidi, Cyber Solutions Client Manager at Aon South Africa, says: “Schools and other educational institutions already face significant regulatory pressures and liability exposures. The move to online-distance education brings an entirely new dimension of liability exposure that balance sheets, as well as operational and delivery models, of traditional schools are simply not designed for.”
“For the most part, educational institutions do not typically have the luxury of large information technology and cyber security budgets to the extent that most commercial business entities have, leaving them heavily exposed to cyber threats as they increasingly venture online for education delivery. A case in point is a recent example of a ransomware attack launched against an educational institution in the Texas School District in the US, costing the district $50K in cryptocurrency,” Zamani illustrates. “Besides the inherent dangers lurking with regards to personal data falling into the hands of cyber criminals, there are also inherent delivery platform risks – Zoom’s woes with pornographic material being displayed via its hacked platform illustrated this point.”
Cyber risk considerations facing the education sector include:
- Gathering, maintaining, disseminating and storing personal private information (POPIA regulations).
- Collecting financial and sensitive student-related information.
- High dependency on electronic processes or computer networks.
- Engaging vendors, independent contractors or additional service providers that pose a third-party risk to the sector.
- Maintaining former student data.
- Holding sensitive intellectual property that potentially has significant commercial value – this is especially relevant to universities.
- System failure at point of admissions process.
- Subject to regulatory statutes.
Adopting and implementing better cyber security measures is the first line of defence against a potential cyber event. “You can prevent your educational institution from becoming a statistic by employing the right cyber security and governance protocols. Education also plays a significant role in this space, as it is crucial for students and staff members alike to be aware of potential risks and to spot obvious attempts in their daily interactions on the web, in e-mails and on devices connected to the internet and networks,” explains Zamani.
Aon highlights the following considerations for the educational sector:
Safeguard institution-owned devices:
All computers, laptops and smart devices owned by the educational institution should at the very least have a current anti-virus program installed, in addition to adware and malware protection. One of the biggest threats to any business is the people operating these devices and their naivety regarding cyber risks, so education is key. A further aspect to consider is remote filtering technology, especially in instances where devices are used outside the institution’s network, such as laptops that staff members take home. Remote filtering routes the device’s internet connection through a web security gateway that can remotely block harmful sites.
Covid-19 provides fertile soil for growing new scams
Since the onset of Covid-19, hackers have been working to use the situation to their benefit. Advanced Persistent Threat (APT) groups and other cybercriminals are utilising Covid-19 related scams and phishing emails. Typical examples include phishing emails tailored around news announcements from governmental or health organisations. It is not just email that is vulnerable either – criminals are also using voice calls (vishing) or SMS (smishing) to get hold of an individual’s credentials or other sensitive information. As these attacks become increasingly realistic, it is prudent for the educational sector to keep staff members and students informed of the latest tactics and to interrogate any suspicious activities on any of these platforms.
With so many students and staff members remotely interacting with the institution’s network, the first line of defence is keeping guest devices separate from the network, allowing the institution to keep data secure on an administrative network, as well as monitor traffic more closely. When it comes to sending sensitive information, it is crucial to implement a secure file exchange solution that can protect against cyber threats such as phishing scams.
Because passwords alone do not provide adequate levels of security, and hackers are able to circumvent physical biometrics such as fingerprint identification when used as a single layer of authentication, Multi-Factor Authentication (MFA) is fast becoming the next line of defence. This is of particular concern to institutions that employ online learning programmes or methods. An MFA approach requires individuals to present at least two of the following pieces of evidence to an authentication instrument: knowledge (something they know), possession (something they have) and inherence (something they are). An example is using voice recognition plus a PIN or password to authenticate a user.
Social Media Policy:
The policy needs to be an evolving and living document that adapts to changing social media trends and demands, such as the increased use of video conferencing facilities as a result of the pandemic. Not only does the policy need to stipulate what is deemed as acceptable behaviour from employees and students, but it also needs to explain what the benefits are of becoming an ambassador for the brand and the legal ramifications inherent to social media platforms.
Changing threats demand a changing approach to security
Cybersecurity threats will continue to evolve as the education sector navigates new ways of working and new technology. Whilst the pandemic may have accelerated the pace of change for digital transformation initiatives and remote learning enablement, educational institutions should ensure they review the relative cyber risk to their operations and understand that systems which may have been secure before may now be vulnerable due to the change in approach.
“Assessing where these risks lie will help enable educational institutions to prepare for and mitigate these emerging threats. Through understanding their cyber risk, the education sector can work to prevent it and put in place additional protection, such as the use of cyber insurance to help minimise the operational and financial consequences of a cyberattack. There is no one-size-fits-all approach to cyber risk insurance. That’s why having a professional risk advisor, such as Aon, by your side is an invaluable exercise in protecting your reputation, data, learners, employees and bottom line,” concludes Zamani.
Find out more about how Aon’s Cyber Quotient Evaluation (CyQu) online assessment tool can help your organisation counter the additional threat from remote working.