Should we be teaching cybersecurity in school?

It will soon be 2020, and human beings are still the weakest link in any cyberattack. Too many of us still lack digital health training, and are unwittingly exposing ourselves to easily avoidable risks. But cybersecurity is an issue of national importance, so shouldn’t it be taught at school?

The world is divided into two categories: those able to walk resolutely past a discarded USB stick, and those who will calmly plug it into their computer to see what will happen. Clearly, we all have different understandings and responses when it comes to cybersecurity.

However, the aforementioned USB stick is just one example. After all, some people have little awareness of the risks they are taking, and cause their company endless problems by circulating their personal data on the internet, illegally downloading files, using a plethora of smart objects... or simply replying to an email. “In terms of cybersecurity, there’s a sad lack of a consistent approach across French society”, says Sylvie Blondel, Human Resources Director at Stormshield. “I remember a train journey I took, where the passenger next to me had got up from their seat, leaving their computer switched on and the current session open… People aren’t aware of the risks, because it’s a world that we see as purely virtual. But the virtual world can have an impact on real life.”

And contrary to popular belief, any data is a potential target for hacking. Or blocking. “Firstly, some people think their data is of no interest or value, so no-one will take the trouble. And secondly, in some attacks, the attackers aren’t even interested in your data, but simply in blocking your activities”, warns Xavier Prost, Training Manager at Stormshield. “And then thirdly, you could even be collateral damage in an attack which is not aimed directly at you - but will lock you out anyway because you don’t have enough protection. As they lock or steal your data, these cyber attacks will prevent you from conducting your business.” Ransomware, spyware, scareware, trojans, credential stuffing... computer viruses can take many different forms as they infect your networks and devices. But would you have fallen into the trap if you had been properly informed?

Maths, history, geography, sports and... cybersecurity?

What if it all started in school? If we want to make sure everyone understands the essentials of cybersecurity, and change (bad) habits, shouldn’t we start raising awareness as early as possible? After all, the process of preparing children for tomorrow’s world includes a digital education. And just as some schools run coding and computer literacy classes, there could be good arguments for holding “digital health” classes to teach children to adopt good cybersecurity practices. “I really believe schools have a role to play in cybersecurity education; not only to teach how the internet works, but also to discover new potential areas of work”, Sylvie insists. However, some objections need to be overcome first... “Parents are often reluctant because they believe their children are already overexposed to screens. But I think that rather than trying to get rid of screens, we should be providing education about them. Children are already immersed in that world, so they might as well learn how to use it and discover exactly how it should be done!”

And the “Thumbelina” generation, described a few years ago by Michel Serres, is starting early. A Statista study looking at the proportion of 8-14-year-olds using a mobile phone in France in 2018 emphasises the extent to which the device is ingrained in their habits. This is confirmed by Florian Bonnet, Product Management Director at Stormshield, who volunteers at primary and secondary schools to educate the youngest children in cybersecurity issues. “This work has taught me that more than 90% of children are online, and no one social environment is more exposed than any other”, he notes.

Hyperconnected kids

Smartphones (their own, or their parents’), games consoles, televisions, home computers... all ways in which kids are exposed to screens every day. According to a 2018 digital survey, the percentage of smartphone-carrying French children in the 12-and-over segment has risen sharply since 2011 (+58 points), reaching 75% in 2018. They have also mastered the art of downloading new apps, playing online games and communicating on social networks that are (at least theoretically) closed to them. “Children are every bit as skilled as their parents - and possibly even more so - at creating multiple accounts and circumventing age restriction rules to create accounts on social media or access sites and media that are officially closed to them”, Florian warns.

And if you think parental control filters will be enough... think again! The parental controls implemented on set-top boxes and computers are often not “granular” enough. Instead, they are often too restrictive at times when students need to do online research for their homework. The result: they often end up being disabled.

And most importantly, children have their own way of seeing things. Although they might be reluctant to lend their pen or eraser to a friend, they will still willingly share their internet connection and login details with others! “When I talk to them about the risks, they often answer, ‘Yes, but I’m careful... I only share things with friends!’”, Florian smiles. Ah, yes... friends! My friend’s friend’s friend’s friend... But how well do they really know their friend? At that age, the concept of friendship is flexible, and therefore very broad. To say nothing of the USB sticks picked up on the way to school and handed around, which sometimes end up connected to their parents’ PCs...

Children: a key target for cybercriminals

As you’ll already have realised, when it comes to cybersecurity, awareness among children is a flexible concept, even though some campaigns seem to have paid off. “Children are aware mainly of risks associated with child pornography or cyber-bullying”, notes Florian, “but they are extremely naive when it comes to cyberattacks.”

Cybercriminals make use of this, and tailor their methods. “In situations where they would usually send phishing emails or simple links in the hope that the end user will click on them, when targeting children or teenagers, attackers develop ruses (free games, or free extras for their favourite games, etc.) to encourage them to click on links”, warns Florian.

Having read this far, no doubt you’re considering the option of simply cutting off all of your children’s internet access. If so, think again. “They’d find a way around such a ban in any case. And by depriving children of access to the internet, we deprive them of an enormous wealth of information and communication options”, Florian claims. “And that’s where we, as cybersecurity professionals, have a role to play. And that role is to educate our young people about the risks they face.”

Working with teachers to demystify cybersecurity

For his part, Xavier Prost believes that “if we want to reach all children, the initiative also needs to be implemented at government level. Companies can work alongside authorities in these areas to identify key messages to be understood and then disseminated in schools. But the message must be conveyed by the State, and by public bodies.”

This comes down to training teachers, who are themselves often unaware of the basic principles of digital health. “I’ve observed that we often ask students to do research on the web, or to watch films or documentaries, without specifying which sites they can find them on”, warns Florian Bonnet. “And the children then just happily look up the first site that will give them the information. But is that site secure? And is the information correct? They have no idea...”. Xavier Prost is very clear: “I think we need to start from scratch. Teachers themselves often have too little awareness about the subject. And if teaching teams are not familiar with best practices themselves, they will not be able to pass them on to their students.”

Stormshield has been working for a number of years to raise teachers’ awareness of cybersecurity issues via the Stormshield Institute programme, whose training courses are approved and recognised as SecNumEDU - Continuing Education by France’s Agence nationale de la sécurité des systèmes d’information (ANSSI). In addition to training for the teachers and free access to virtual machines, institutions may - if they so choose - become Stormshield certification centres. “Our goal is for institutions to be able to incorporate cybersecurity independently into their curriculum and strategy”, explains Xavier Prost. “In recent years, we’ve seen a surge in interest for cybersecurity. Three years ago, we had six partners. Now we have around fifty. In particular, we’ve signed a national partnership to train BTS teachers how to use our products and implement a security and filtering policy to protect corporate networks.” Some channels are now designing cybersecurity into their own programmes. But these are specialised higher education courses... in other words, too late to educate children.

A “Cyber Licence” along the same lines as France’s “Pedestrian Licence”

“We need to set up a cyber-education system! Primary school children in France take a permis piéton (“pedestrian licence”) to learn road safety; then, in secondary school, they take their “computing and internet” (B2I) certificate. Why not create a cyber licence?”, asks Florian Bonnet. But when you’re educating the youngest children, what age do you start from? Sylvie Blondel believes that this education should start as young as possible, using age-appropriate teaching and explanations. “Digital education is more than just surfing the internet; it’s about giving children the keys to an understanding of how it all works, to help them to discover the careers of tomorrow. I think this approach needs to start fairly early, and no later than the last year of primary school, but I believe we can also develop a play-based teaching system for even younger children, attracting their attention and laying the first foundations of digital culture for the youngest children.” “The subjects to be covered at primary age will be different from those covered at secondary school. Different messages need to be identified based on age and usage (cyber-bullying, online management of identity and private life, use of social media, etc.), then this knowledge must be built upon over time”, adds Xavier Prost.

Initiatives already exist for educating students in digital technologies at primary level, similar to France’s Permis Internet pour les enfants (Internet Licence for Children). This kit, launched by France’s Gendarmerie nationale, national police, Prefecture of Police and the AXA Prévention association, is intended for final-year primary children. It presents condensed advice and real-life stories to raise awareness about Internet risks: scams, violent images, privacy, fake news, etc.

A number of countries have already incorporated cybersecurity into their programmes, such as the United Kingdom, which provides training to children from age 10, or Australia, which organises School Cyber Security Challenges in high schools.

Educating children at school... and at home!

But the process of educating children in cybersecurity issues actually begins... at home! “Children need to be educated from the moment they start accessing the internet. And because they can most easily access it at home, that’s where the support needs to be provided. So the family environment must work in conjunction with the school in playing this role”, points out Xavier Prost. After all, cybersecurity education is, in a general sense, part of security education. “Let’s take the example of the Highway Code and France’s Permis piéton pedestrian licence”, Xavier continues. “The responsibility of teaching children to walk on the pavements or look before crossing lies initially with the parent... The school assists in this task, and formalises this learning. In the same way that we explain to our children that they shouldn’t talk to strangers in the street, we should teach them not to talk to strangers on the internet. What we learn in the real world also applies to the cyber world.”

“People don’t realise how vulnerable we’ve become, and the extent to which everything we do online leaves a trail we have no control over, because our data are stored in other countries. And that can have an impact. What we need to teach in schools, and elsewhere, is that the virtual world comes with real-life consequences. Explaining that to children is important... and also to parents, who are often light-years away from facing these issues.” Without succumbing to paranoia, we need to be sufficiently aware of these issues to be enlightened (and not captive) users of the cyber world.

Is cybersecurity the new sexy?

Cybersecurity is not only a security issue, it also presents us all with an opportunity. France does not have a sufficiently large pool of cybersecurity skills. “One of the ways to fix this is to start discussing digital and cybersecurity issues at primary school level. In Israel, cyber profiles are identified from age 14 onwards”, stated ANSSI’s Guillaume Poupard in an interview with the Usine Nouvelle publication in January.

“There are plenty of vacancies in cybersecurity”, confirms Sylvie Blondel, a well-placed observer of the shortage of talent in this domain. “However, educational advisors and careers guidance staff are not necessarily familiar with such jobs, which are often recent developments and seen as highly technical. Considering that we are still at the very beginning of the digital revolution, it is critically important to inform younger children about such jobs. In addition, working in the field of cybersecurity is fairly “sexy”, since it is a job whose purpose is to protect people. This may appeal to younger generations, who are looking for more meaning in their work.”

