EdTech veteran Doug Levin doesn’t mean to scare you.
The fact is, no issue is more urgent and more improperly addressed across education and learning organizations. While all segments are at risk, the belief that K-12 institutions are not as concerned about their data, true or not, could see them become a favorite target of attacks.
The 122 incidents recorded in 2018 by Levin’s own K-12 Cyber Incident Map document the epidemic, the characteristics of the attacks and the attributes of the top victims.
Medium-sized public or charter schools in suburban areas make for a prime target. The logic could be that they are big enough to offer a good data payday, but small enough that security measures are not yet in place. 40% of targets were suburban schools, while 33% were in the 2,500 to 10 thousand students group. Similar ‘Goldilocks’ traits include “Poverty status” (45% of schools have 10 to 20% of their students in poverty conditions). Institutions across the US geography are affected, with the West Coast slightly more represented.
If there is one criticism to be made about the study, it is that it does not offer comparisons to the actual demographics. According to IPEDS 2016, 38% of schools were suburban. It is hard to establish whether they actually are at a special risk. Beyond the education sector, the vast majority of attacks are indiscriminate and automated, and the website does not seem to indicate otherwise.
A similar cloud of unknown answers covers authorship. Automation makes possible thousands of concurrent attacks as well as many of the attacks themselves, which in the DDoS type involve a massive number of serial requests to a system to figure out passwords, or to make the site inaccessible. This same automation also makes it possible to grab a victim’s IP as a source of a new attack, making it even harder to trace its origin.
Attacks can compromise a system, and most commonly steal sensitive data. While financial information could be the most worrisome to let loose, the kinds of malicious uses stolen data can have are up to the imagination of the criminal. In a particularly dramatic episode, an English town was forced to pay $10 thousand USD (in Bitcoin) to get their information back. It is both one of the worst-case scenarios yet, and also a taste of worse things to come.
Protection is not difficult, but its incidence points to a striking organizational culture issue. Cybersecurity is still thought of as a static problem that a system patch or “antivirus” can address, rather than an active technical and social phenomenon that needs multiple flanks of defense and management.