All sectors are grappling with security. The FBI reported a fourfold increase in daily online crime complaints in the months following the start of the pandemic compared to before it. One challenge is that many individuals are working from home for the first time, so the traditional approach of keeping untrusted devices off organizations’ networks is ill-suited for the new wave of threats from unpatched home computers running on unsecure home networks. In addition, with staff no longer working in proximity to one another, employees are more susceptible to phishing attacks because they are less likely to confirm a suspicious email with a colleague or have access to in-person IT support. Finally, with more activities moving online, IT has become even more mission-critical than in the past, which means organizations are more willing than ever to pay attackers when they are hit with ransomware.
On top of these issues, the education sector faces some unique challenges. First, it is a top target for attackers. According to Microsoft Security Intelligence, the education sector accounted for 60 percent of all reported enterprise malware in June. The FBI even issued an alert to K-12 schools in late June, warning them of an increase in ransomware attacks during the pandemic as schools transition to distance learning.
Second, the education sector often uses older systems. One of the biggest vulnerabilities is the continued use of Windows 7. Microsoft ended support for this operating system in January, which means it is no longer issuing patches for new security vulnerabilities. Unfortunately, as many as 10 percent of U.S. schools are still using Windows 7 machines, which makes them particularly vulnerable to new exploits. In addition, many students may be using these older machines at home, particularly since it is common for children to be using older, hand-me-down devices.
Finally, schools must contend with the fact that they must support many inexperienced users. Both educators and students are often unfamiliar with many of the online tools they are now using for distance learning. Indeed, the wave of Zoombombing incidents in classrooms can at least be partially attributed to users poorly configuring the security settings for their meetings. Likewise, many students may be bringing school-issued computers into their home for the first time and may not understand all the security risks. Schools must also meet the challenge of providing usable security for younger users who may struggle with following best practices such as using complex passwords.
Few states have taken steps to address these issues, and school reopening plans have largely been silent on the question of cybersecurity for distance learning. This needs to change, and states need to dedicate money and resources to ensure students can learn in a secure environment. Some of these changes will require investments in new technology, such as replacing outdated devices and enabling single sign-on and two-factor authentication (such as facial recognition or tokens) so students and teachers can log on to e-learning applications more easily and securely. And some of these changes will require investments in more training and support for teachers, staff and students to learn and practice good cyberhygiene. Importantly, these efforts should equip schools with the resources to address emerging issues such as online bullying, hate speech and misinformation to ensure students are as safe in a virtual classroom as they are in a traditional one.
One step in this direction would be for states to develop and share best practices for education cybersecurity, perhaps through organizations like the National Association of State Chief Information Officers or the Council of Chief State School Officers. Ignoring this problem may be tempting — there are so many other important priorities to safely reopen schools, and administrators are already stretched thin — but if millions of children will be spending their days online this school year, it is a challenge states will need to address soon.