Michelle is a Consulting Actuary at SIGMA Actuarial Consulting Group, Inc. in Tennessee, USA. As part of the Certified Cyber Insurance Specialist (CCIS) course, she completed a complex assignment on cyber risk in the education sector.
There are approximately 130,000 public and private K-12 schools in the US with the public schools normally being operated by geographical state and local districts. Most of these systems are college preparatory but many have technical schools included. Many schools have both before and aftercare programs as well as sports and extracurricular activities. Additionally, many have school nurses and counseling centers. Therefore, the general risk profile covers a wide range of traditional property casualty risks (property, workers compensation, general liability, professional liability, automobile liability etc) as well as emerging cyber and technology risks.
School systems are becoming increasingly reliant on digital technology. Changes are rapid both from a teacher/staff perspective and student perspective. For example, staff today are often assigned individual laptops, grading and attendance systems are often online and accessed remotely by teachers and parents, employees receive a large volume of emails both internally and externally and electronic teaching materials are also stored on systems. From a student perspective, there may be school issued computers as well as digital textbooks.
The increasing reliance on technology in the educational sector has led to a growing cyber attack surface for school systems. With more devices and applications being used in schools, there are more access points for cybercriminals to exploit.
One of the primary concerns for school systems is the security of student data, which includes sensitive information such as names, addresses, social security numbers, and academic records. This information is a valuable target for cybercriminals, who can use it for identity theft, financial fraud, or other malicious purposes.
What are the key concerns relating to Cyber Risk in the Education Sector?
Remote Online Learning
The pandemic forced students worldwide to adapt and move to remote learning. School systems are now using online platforms for remote learning and virtual classrooms, which can further increase the attack surface. These platforms are often outside of the school’s direct control, which can make it difficult to monitor and secure them adequately.
Lack of Budget and Resources
Schools also face unique challenges when it comes to cybersecurity. They often have limited budgets and resources, making it difficult to invest in advanced security measures. As a result, schools may not have the same level of protection as larger organizations, making them an even more attractive target for cybercriminals.
New Emerging Technologies
It is important to note that the pandemic significantly shifted learning to include virtual platforms, and in many situations those shifts are here to stay. Looking to the future the emerging technologies of Virtual Reality, AI, robotics, and augmented reality tools are frequently mentioned in educational articles. According to an article on EdTech, the panelists at a recent session on emerging technology indicated that:
“drones, robots, VR and browser-based tools can empower students to become creators by building their analytical and computational skills. These technologies also expose them to industry-standard tools.”
Because of the large numbers of students and staff in any school system the attack surface is quite large. Phishing emails could be both targeted at groups and individuals. Laptops of both staff and students could be lost or stolen. Students could possibly have access to staff computers if login and logout procedures are not carefully followed with unattended staff computers.
Third Party Risks
School systems also have many third-party risks. For example, the district IT services at some individual schools are provided by outside vendors. Grading and attendance platforms are often from third party software providers as are digital textbooks. Physical school security is often outsourced.
Case Study: Cyber Risk in the Education Sector
In early 2022, Albuquerque Public Schools (APS) had to close for two days due to a targeted cyber attack. The attack compromised the Student Information Center, which is used for attendance, emergency contact with families, and ensuring students are picked up by authorized adults. APS noted that cyber attacks on school districts across the country have increased fivefold since 2019. The increased use of virtual learning has made school systems more vulnerable to attacks, which is a growing concern for school districts. Hackers may target schools because they often have limited budgets and cannot afford the same level of security protocols as the private sector. APS quickly responded to the incident by implementing new procedures to prevent future attacks.
In addition to the Albuquerque event discussed above, the Los Angeles School System (the nation’s 2nd largest school system) was attacked recently. Also, in 2022 approximately 5,000 schools suffered cyber-attack implications when a third-party Finalsite (a private web hosting service) was attacked.
The attack surface for school systems is large and the databases they maintain have significant personal information. Several recent events have illustrated that schools are increasingly being targeted. It is unlikely that these trends will change because while schools have limited budgets, they are growing an increasingly larger digital presence. Schools have to balance cybersecurity with accessibility, ensuring that technology is readily available to students and teachers. This can make it more challenging to implement security measures that do not hinder the functionality of educational systems. Cyber insurance professionals working with clients in the education sector must make sure that they are up to date on recent incidents, digital trends and their implications for cyber risk if they are to maintain a competitive advantage.
Want to read more about our CII-accredited Certified Cyber Insurance Specialist (CCIS) Course? Click here.