One of the common issues raised by many educational institutions in South Africa is inadequate security measures.
In this document, we investigate the impact of Cybersecurity on the security system sustainability of the education sector. According to (Kritzinger, 2017), the following statistics regarding school learners and their cyber activities (in South Africa) were reported:
- 82% of learners have access to the internet from inside their bedrooms.
- 35% of learners hide their online activities from their parents.
- 15% of learners use their cell phones during school hours, even if this is against school rules.
- 61% of parents and teachers do not monitor learners' internet use.
- In the case of 62% of learners, no parental guidance software is installed to regulate the children's internet access.
- 63% of learners access inappropriate internet material.
- 93% of learners believe that possible dangers and threats are associated with internet use.
These stats prove to us how exposed we are to cybercrime. For example, teachers/lectures not monitoring the learner's internet usage makes the institution's system vulnerable.
Several higher learning institutions have fallen victim to cyber-attacks, both locally and internationally. Examples include the University of Mpumalanga experiencing an attack on its bank accounts (Mungadze, 2021). At the University of Johannesburg, a first-year student’s personal information (PI) was mistakenly leaked via email to all the students on the database.
In 2021, Harvard University was forced to dismiss all of its hybrid classes after a ransomware attack compromised its network (WOLFF, 2021).
Cyber risks affecting the education sector
Cybersecurity must be prioritised in educational institutions. Cyberattacks in Education are no less common or devastating. They appear to be increasing yearly as breaches in schools and higher learning institutions are frequently reported.
In recent years, we've seen news of recent cases, including the attack on our local institutions in Mpumalanga (Mungadze, 2021) on its bank accounts. According to (Villiers, 2021) there were link-based ransomware attacks on schools in the Eastern Cape, which resulted in at least two schools being locked out of their data for nearly a year.
This is accomplished by cybercriminals employing links that appear to be from a reputable website, but the unsuspecting mail user is unaware of the dangerous link and the effort to obtain school or parent data, which is then encrypted and can only be decrypted with the attacker's decryption key.
Unfortunately, while Cybersecurity within the Education Industry is required to defend against financial loss and disruption, it is also critical to protect students (some of which are minors) from threats such as cyberbullying. As a result, the industry must do all possible to secure its applications and systems, and endeavour to mitigate any potential problems.
What are the cyber threats to the Education sector?
In recent research from Mimecast, 61% of respondents to an annual State of Email Security survey said they had experienced a ransomware attack in the last 12 months. Of those respondents, 52% paid for the ransomware, but over a third never recovered their data. Anyone can be the target of a ransomware attack. However, many are not ready as they lack effective plans for zero downtime or processes to recover quickly.
Symantec research suggests that throughout 2020, 1 in every 4,200 emails was a phishing email.
Phishing is a type of cyber attack where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware. Lack of cyber awareness in Education institutions has seen a rise in these attacks.
60% of data breaches in 2020 involved an Insider.
Students are overzealous and always experiment and try to hack into systems. Some of the students try to hack into examination systems to manipulate exam results.
Hacking activists break into systems for political, social or religious reasons; mainly to propagate their messages or exposed believed injustices. They see Education as a ripe target as they can reach a wide audience of staff, students and parents. Global hacktivist group Anonymous was believed to have launched cyber attacks on Russia.
Like hacktivists, the Education Industry is a prime target as nation-states' attacks (state-sponsored cyber attacks) see them as strategic and reach a wide audience. The NotPetya ransomware in 2017 was targeting Ukraine and in 2020 there was a SolarWinds hack against United States systems.
Why is Education a target for cybercrime?
Cybercrime attacks vary on the intentions of the attackers. Listed are reasons why attackers would attack the education sector.
- The Education Industry entities process and store a high volume of confidential/valuable information (a goldmine for hackers). With the huge volume of personal information collected and processed, institutions are at risk of non-compliance with emerging data privacy laws and regulations. In terms of POPIA (Protection of Personal Information Act), schools and universities have the same risks and obligations as corporates and a responsibility to ensure that staff admin, parent and scholar data is all secure and free of risk with mail protection.
- Financial gain is another motivation for hackers to launch an attack on an educational institution. While public schools may not be as vulnerable, private institutions like Universities/Colleges, which handle a massive amount of student fees, are a major target for hackers. It is common for students or parents to pay fees online, typically sending a large amount of money to cover a whole term or year of tuition. Without sufficient protection or preparedness on the side of the educational sector, this creates a vulnerability for hackers to exploit.
- Interfaces with many industries and is seen as a launchpad to other lucrative entities
- Limited cyber budgets to protect against large-scale attacks, for instance, Banks, NSFAs, research institutions etc.
- Scarcity of cybersecurity skills. Most institutions do not have dedicated teams for cyber security.
- Overly bureaucratic processes make it very difficult for institutions to keep up with the pace of digital evolution.
- Perceived lack of security. Most institutions use legacy/outstanding systems and infrastructure.
- Huge reliance on third parties and contractors. Supply chain attacks are rising (the vendors like Microsoft, Kaseya, Solarwinds etc. have been targeted by cyber-attacks)
- Lack of coordinated and structured response to cyber risks across government departments.
- Lack of cyber awareness among students and education staff
- Hacktivists target the Education Industry if they don't like its policies. In addition, they can reach a wide audience with their messages.
- Overzealous students who want to experiment with IT systems - hacking for fun. Students hacking systems to manipulate exam results or access examination questions before the exam.
Why is university an appealing target:
University is especially vulnerable for several reasons:
Higher learning institutions possess large quantities of sensitive, personally
University campuses are designed to be accessible to all, allowing information to be freely shared. This implicates that schools have their doors open both physically and digitally.
Students and staff may increasingly be using unsecure wireless networks to connect to campus remotely. This unsecured and untrusted connection can allow people to be easy prey to hackers.
Higher learning institutions possess large quantities of sensitive, personally
What cybersecurity laws and regulations that the Educational sector needs to comply with?
- Laws for protecting students' personal and educational information.
- The General Data Protection Regulation (GDPR)protects the personal data of European Union (EU) residents and addresses the transfer of their data outside the EU area. If an SA-based institution educates or employs EU citizens, it must comply with GDPR requirements.
- POPIA (Protection of Personal Information Act)is South Africa's data privacy law that became effective on 1 July 2021. It governs when and how organisations collect, use, store, delete and otherwise handle personal information. POPIA also applies to all local and foreign organisations processing (i.e. collecting, using or otherwise taking) personal information in South Africa.
- Protection for students' financial data.
- The payment Card Industry Data Security Standard (PCI DSS) is a proprietary standard created by major credit card companies, including Visa and Mastercard, that governs the handling of credit card information. Schools and universities that receive card payments for educational purposes must meet PCI DSS requirements.
- Other applicable cybersecurity laws and frameworks
- National Cybersecurity Policy Framework (NCPF) is the South African policy framework adopted by the cabinet in 2012. Its purpose is to create a secure, dependable, reliable and trustworthy cyber environment that facilitates the protection of critical information infrastructure whilst strengthening shared human values and understanding of Cybersecurity in support of national security imperatives and the economy.
- The Cybercrimes law was signed on 6 June 2021 by the president. This law places obligations on organisations to report cyber-attacks within 72 hours. If a security breach hits an educational institution, they must report this attack to the South Africa Police Services.
Penalties institutions could face for non-compliance with emerging cyber laws and regulations:
- Non-compliance with POPIA may result in complaints, Information Regulator audits and/or orders, administrative fines as well as civil and/or legal proceedings. POPIA fines and penalties vary depending on the offence, with a maximum of 10 years in prison or a R10 million fine.
- The penalties for a breach under the GDPR can be a fine of up to 4% of their annual global turnover or €20 million. Non-compliance with the GDPR act could also result in warnings and reprimands being issued, temporary or permanent ban on data processing imposed, rectification ordered restriction or erasure of data and suspension of data transfers to third countries.
- According to the PCI Compliance Guide, organisations found to be in breach of PCI DSS could be fined $5,000 to $100,000 per month by payment providers. In addition, the bank may impose other penalties, such as increasing transaction fees or even terminating the relationship altogether. Furthermore, additional fines may be levied for persistent violations, rising over time.
- If an organisation fails to comply with Cybercrime law, it will be held accountable for conviction to a fine or imprisonment for a period not exceeding two years or to both a fine and such imprisonment.
Preventative measures that should be followed to limit security breaches:
- Information Security Policies and Security Standards:
A Cyber Security framework and strategy that provides a framework for an assured cyber security environment utilising a risk-based approach should be formally developed. Furthermore, security standards should be documented, specifying expected security configurations and system parameters. These serve as security templates and ensure secure, consistent and standardised configurations.
- IT Capacity management and planning:
This will assist the university management in establishing current, and future processing needs to optimise the IT infrastructure that makes up the framework of the business.
- Software Upgrades:
There should be an exercise to evaluate all unsupported software (i.e. Windows operating systems, end-user applications, databases, etc.) within the IT environment. The outcome of this exercise should be a software upgrade roadmap that will assist the University IT management with rolling out the necessary upgrades.
- Periodic monitoring of patch Management:
Several external and internal network hosts suffer from patch management issues, where Microsoft and non-Microsoft patches had not been timeously applied. There should be ensuring that required vendor patches are installed when necessary.
- Continuous Vulnerability Management:
Vulnerability management is how vulnerabilities in the IT environment are identified, and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the threat. Universities should implement a process to regularly identify, classify, remediate, and mitigate internal and external network vulnerabilities.
- Monitoring and early detection:
Implementation of a Security Incident and Event Management ("SIEM") solution, which includes activity monitoring to facilitate the detection of patterns which may indicate successful compromise or misuse. This should be configured to perform log aggregation, correlation, alerting, dashboard and reporting for all IT assets, including servers, databases, applications, firewalls, routers, switches etc.
- Training and Awareness Campaigns:
Universities should require end users to go through training that covers what phishing is and how to recognise it. We provide this service, and institutions of higher learning must be willing to invest the time and resources necessary to properly educate their faculties and staff.
- Compliance with Data Privacy laws
Data Privacy laws and regulations exist to ensure the protection of personal information. Universities process a lot of personal information for students and employees and must comply with such laws (e.g. POPIA, GDPR). Universities should appoint an Information Officer, perform privacy impact assessments, and implement a privacy compliance framework.
- Virtual CISO
The justification of a full-time ISO for many businesses can be a costly decision, and the need will be dependent on the size and level of infrastructure. However, a Virtual CISO allows an organisation to leverage the experience and expertise when needed. Our virtual CISO can be assigned to provide advice to support the tactical and strategic direction of the Institution's information security posture in keeping with the culture and context of your Institution. Our Virtual CISO will reduce the practical long-term cost and provide consistent security oversight of a security programme or management communication.
- Kritzinger, E., 2017. Growing a cyber-safety culture amongst school learners in South Africa through gaming. [Online]
Available at: http://www.scielo.org.za/scielo.php?script=sci_arttext&pid=S2313-78352017000200003
- Mungadze, S., 2021. University of Mpumalanga thwarts R100m hack attempt. [Online]
Available at: https://www.itweb.co.za/content/Kjlyrvw1jmmMk6am
- Villiers, M. d., 2021. SA schools targeted by cyber security threats. [Online]
Available at: https://www.itweb.co.za/content/LPwQ57l6aokqNgkj
- WOLFF, J., 2021. Howard University's Devastating Ransomware Attack Can Teach Other Colleges a Valuable Lesson. [Online]
Available at: https://slate.com/technology/2021/09/howard-university-ransomware-attack.html