Students and teachers alike need to be confident in the reliance and integrity of their education. So how can teachers navigate the rising security threats with the introduction and proliferation of eAssessments and remote learning?
The snap decision made by education bodies worldwide to shift to online learning has exaggerated preexisting security concerns and brought new student privacy issues to the surface, which have only further developed during the ‘digital learning’ age. Having to pivot in such a short time significantly impacted schools’ time for proper planning and research, and many educators had to “make-do” with eLearning solutions that they could get up and running quickly.
This rapid adoption of software, while necessary, has caused a spike in cyber security attacks on education as published by the K-12 Security Information Exchange, a non for profit that tracks incidents within education, putting both students and staff at risk of exploitation.
What are the Rising Security Risks for Students Taking eAssessments?
There is no denying the crucial role technology has played in recent years to support and transform the learning landscape as we know it. But it goes without saying that any adoption of new educational software inherently introduces new security risks. Some of the most common risks to student data security and privacy involved in eLearning include:
Ransomware
Ransomware is a type of malware that prevents the user, in this case, students, from accessing protected assessment or resource base systems and the data held on them. Typically, the data is encrypted, but it may also be deleted or stolen, or the computer itself may be made inaccessible. This can lead to the loss of student work, exploitation of student identity and financial records, and any medical records that may be held on the school network.
Lateral Movement and privilege-seeking
During this attack, the offender will typically navigate within and around the network. By doing this, they will learn how to increase their privileges and identify high-value systems while simultaneously concealing their presence. The aim of this attack is typically one of three, to sabotage and harvest backup data, encrypt entire virtual servers, and deploy further ransomware. If an attacker gains access to backup data, they will have free rein over both student and staff information. By encrypting virtual servers, attackers may disrupt learning processes or remove access to specific resources, which can be highly detrimental to not only a student’s data security, but also their confidence in the systems they are using, and therefore their education.
Class/Meeting Invasion
This is a particularly unpleasant breach for students and teachers alike that is becoming more and more prevalent. In this instance, an attacker will have gained access to a virtual meeting room, an assessment proctoring session, or even a private tutoring session. They will then reveal themselves to cause distress and disrupt a class, often with hate speech, shocking images, sounds, videos, or violent threats. During these attacks, offenders may also use this time to harvest further student information, such as names or IP addresses.
Denial-of-service attacks
Distributed Network Attacks or Distributed Denial of Service (DDoS) attacks take advantage of the specific capacity limits that apply to any network resources – such as a website form, meeting room parameters, or examination session limits. The DDoS attack will then send multiple requests to the attacked web resource – aiming to exceed the expected capacity to handle numerous requests, preventing the systems from functioning correctly. Kaspersky found that the number of attacks that impacted educational resources jumped 550% in January 2020 compared to January 2019.
How can you Mitigate these Risks in the Classroom?
The first step to reducing potential risk is ensuring your students are briefed thoroughly on the possibilities. By improving the knowledge around eLearning cybersecurity and potential threats, you foster a culture of insightful learning that can help students spot risks and self-correct when they may not be following regulations.
Raising awareness and implementing basic cybersecurity hygiene practices for students and staff is another step to successfully mitigating cyber security risks is. This could include training sessions for both students and staff on securely interacting with their ecosystem of personal, private, and school-owned devices and software, touching on VPN use and best practices for passwords.
The third step you can take is guaranteeing that the systems you have in place are fit for purpose and that there are no gaps in your cybersecurity armor. You can do this by taking an inventory of the current software and systems you have in place. For example, it would be beneficial for your students to have access to the following:
- An intensive antivirus on all personal and school-owned devices
- Password management systems to promote safe, secure passwords
- Multi-factor Authentication when accessing sensitive information
- A reporting base, where they can notify staff of potential threats, such as unusual emails or forced login attempts
What have we learned from the past year?
Educating staff and students is crucial for protecting student data security in eLearning. As we advance, education must be paired with the adoption of suitable and specially developed ‘E-learning’ systems optimized with security in mind to prevent future attacks. By building systems that support students, utilizing relevant software, and informing students of their responsibility within cybersecurity, you can build confidence amongst peers and create a safer learning environment.
