Kids hacking for kicks are causing security headaches at schools
ICO analysis of education sector breaches found schools and colleges are being careless – and pupils are taking advantage
The biggest cybersecurity risk faced by schools comes from the pupils themselves, according to new research from the Information Commissioner’s Office (ICO).
In what it described as a 'worrying trend', more than half of cyber incidents at schools were caused by students. More than a third of incidents involved pupils guessing weak passwords or finding them jotted down on bits of paper.
These teen hackers are most commonly English-speaking males, although around 5% of all 14-year-old boys and girls admit to ‘hacking’ in some capacity. The reasons given include dares, notoriety, financial gain, revenge, and rivalries.
Heather Toomey, principal cyber specialist at the watchdog, warned the trend has the potential to snowball into more nefarious activities.
“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organizations or critical infrastructure.”
Nearly a quarter (23%) of incidents were caused by poor data protection practices, including staff accessing or using data without a legitimate need, devices being left unattended, or students being allowed to use staff devices.
One-in-five were caused by staff sending data to personal devices, and 17% by incorrect setup of, or access rights to, systems such as SharePoint.
Students are playing with fire
One-in-twenty incidents, however, came from insiders using sophisticated techniques to bypass security and network controls.
In one example, a student accessed a college’s information management system via a staff login, then viewed, amended, or deleted personal information belonging to more than 9,000 staff, students, and applicants.
The system stored personal information such as name and home address, school records, health data, safeguarding and pastoral logs, as well as emergency contacts.
In another, three Year 11 students unlawfully accessed a secondary school’s information management system, which held personal information belonging to more than 1,400 students. When they were caught, they said they'd just been trying to test their cybersecurity skills and knowledge.
Pete Luban, field CISO at AttackIQ, said the ICO research shows the education sector needs to strengthen its cybersecurity practices.
"There are a couple of takeaways from this news. The most important is that educational institutions must do a better job of protecting sensitive information," he said.
"Proper cyber hygiene protocols, such as strengthening passwords and removing student access to them, would solve a large portion of the problems,” he said.
"For the smaller portion of incidents that required more advanced technical skills, schools need to evaluate their cyber defense systems and implement proactive measures that are able to close the gaps that students were exploiting," Luban added.
Luban said it’s critical for schools to make it clear to pupils that hacking isn't just a prank, and that there can be significant consequences.
"Reinforcing data protection principles and individual data rights not only makes students aware of the potential punishments for conducting cyberattacks, but also decreases the chances that they themselves are breached as a result of cyber malpractice,” he said.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

