The COVID-19 pandemic has forced a vast number of schools, colleges, and universities to move to online learning provision, more speedily than they had perhaps anticipated. Trish D’Souza, who leads our education team, highlights why cybersecurity needs to be at the forefront of each institution’s online provision plan.
Moving to an online-based education model has had a positive effect on a number of students and their learning. It can allow teaching professionals to tailor learning experiences to each learner. This can be implemented from primary level all the way up to higher education. Another benefit is mass access to resources and knowledge via a digital platform: gone are the days of “my dog ate my homework”.
However, the move to online learning can also open the door to cybersecurity risks. A study into cyber-threats in digital learning was undertaken by Kaspersky Security Network (KSN) earlier this year. Two different periods were monitored – January to June 2019 and January to June 2020.
One element that KSN monitored was the Distributed Denial of Service (DDoS) attacks suffered by institutions. A DDoS attack is a cyber-attack designed to disrupt the normal traffic of a targeted server, service, or network by flooding it with internet traffic. Essentially, the attackers overload the institution’s network with incoming traffic, which prevents legitimate users from accessing it.
When comparing the number of DDoS attacks that affected educational resources between February and June 2019 with the same period in 2020, KSN found that these grew by a staggering 350-500%. Perhaps those perpetrating these attacks consider that education providers are less likely to detect such attacks, or to have software in place to limit them, particularly when data processing is outsourced to third parties.
DDoS attacks are just one of the many cyber threats that institutions, employees, and students will face. There are also threats from malware, phishing, and man-in-the-middle attacks, to name but a few. Numerous points of vulnerability will need to be considered, including software, hardware, and network.
The recent ransomware attack suffered by Blackbaud – one of the world’s largest providers of education administration, fundraising, and financial management software – is another example of the threats faced by academic institutions. It’s clear that millions of people’s personal data, including financial data, was accessed and removed from Blackbaud’s systems.
As academic institutions look to keep pace with the continued adoption of technology and remote teaching, it’s essential that they’re doing as much as they can to protect against cyber threats. This will mean engaging their IT departments and external IT security experts to assess the security of their IT systems, as well as maintaining up-to-date IT security, whether that is in the form of firewalls or otherwise.
From a legal perspective, some of the big risks to academic institutions which flow from cyber-attacks are data protection breaches, intellectual property infringement, and breaches of confidentiality. When investigating breaches, the Information Commissioner’s Office will examine the cyber protection and the policies and procedures that were in place to prevent the breach.
Having up-to-date IT, Bring Your Own Device, and Data Protection policies in place is important, but it’s essential that they are living and breathing documents, and that staff and students are trained where appropriate and know the risks and the steps they must take. The policies should be easily accessible, kept under review, and monitored for compliance.
When looking at new software, whether to facilitate online learning or assist internal systems, it’s vital to carry out effective due diligence so that you can perform risk assessments, and to ensure that your contracts with the suppliers are robust.
The geographic locations of your staff and students will also have an impact on the risk assessments, especially if the supplier or their servers are based in jurisdictions where state bodies have the ability to intercept communications, as particular obligations under data protection laws will apply.
If you do suffer a cyber-attack, you should contact a lawyer as soon as possible so that they can advise you through the process to mitigate the impact of the attack.
If you would like to talk to any of our experts about the legal implications of online learning for your institution or if you have suffered an attack, please don’t hesitate to get in touch.