From schools to universities or research labs, the whole education sector is a huge pool of sensitive data. It therefore needs to be protected. However, the education sector is struggling to get to grips with the subject of cybersecurity. Background.
In addition to the classic ransom attacks as seen at the University of Corsica (France) last May, the theft of sensitive data is a key motivation behind cyberattacks against educational establishments. This summer, the Epitech IT School noted that personal data had been posted to the web belonging to several students and partners. Last year, in Florida, an attack on a schools group affected more than 50,000 people: pupils and alumni, parents, teachers and non-teaching staff, whose names, dates of birth, contact details, login details, academic information and even health data had fallen into the wrong hands…
Hackers will try anything to access a State’s intellectual property
Educational establishments are also becoming a theatre for economic and military conflicts through their research laboratories. Using phishing to obtain maritime technology or a mass spoofing campaign to connect to online libraries, hackers will try anything to access personal data.
Prime targets, but insufficiently protected
Guillaume Rénier, IT and Information Systems director at Cergy-Pontoise university, explains that “it’s our job to protect the privacy of users, especially students, who leave a considerable trail behind them online”. But also that of other researchers working on strategic and confidential matters and who often need to communicate using collaborative tools. However, it can be difficult to get these experts interested in a subject as abstract as cybersecurity. For this reason, the university has prioritised the deployment of a Wi-Fi network rather than using the external 4G network and is working on securing the use of existing solutions (like Dropbox for example). Working with Stormshield, the university is currently examining a multiple encryption solution for this resource.
Whether we’re talking about potential hackers or simply people with little awareness of the challenges of cybersecurity, both groups are equally dangerousRobert Wakim, Offers Manager Stormshield
There is also an internal risk which is just as dangerous as any external threat. Some students may be tempted to try and gain access to exam papers or to falsify grades. A security audit involving 400 British schools revealed that 20% of them had been hacked by their own pupils! Robert Wakim, Offers Manager at Stormshield, summed up the problem in the following terms: “We find ourselves faced with millions of people who are either potential hackers or people who are unaware of the challenges of cybersecurity. Both groups are equally dangerous”.
How can we improve cybersecurity in our schools?
At a time when connected resources are being increasingly used in classrooms, the education sector needs to face up to new challenges when it comes to securing networks, workstations and sensitive data. With educational establishments increasingly being grouped together under the same IT department, managing these interconnections has become vital.
The initial objective is to ensure that workstations are not infected – for example through the use of USB flash drives brought in by students. However, if one of them did get contaminated, effective network segmentation then plays a key role in avoiding any possible mass contagion. Finally, effective management also means installing virtual vaults, making it possible to encrypt data to limit access to it to only teaching staff or authorised students.
The need to raise awareness
In the education sector just like elsewhere, cybersecurity is largely a people thing. However, some teachers see the IT network is merely a secondary resource: “If it’s not working, that doesn’t fundamentally prevent them from doing their jobs so they don’t pay the same attention to it as a company would”, explains Robert Wakim.
We are starting to see greater awareness within educational establishmentsXavier Prost, head of training and documentation services at Stormshield
“We’re starting to see greater awareness within educational establishments”, observes Xavier Prost, head of training and documentation services at Stormshield. Stormshield supports teachers and students through this awareness-building process with SecNumEDU recognised and quality-labelled training courses - ongoing training provided by the Agence nationale de la sécurité des systèmes d'information (ANSSI - French Network and Information Security Agency). “However, it is often limited to specialised post-baccalaureate courses”. With this in mind, how is it possible to reach a larger number of education teams and students? What if cybersecurity was taught at school?