Kids hacking for kicks are causing security headaches at schools
ICO analysis of education sector breaches found schools and colleges are being careless – and pupils are taking advantage
The biggest cybersecurity risk faced by schools comes from the pupils themselves, according to new research from the Information Commissioner’s Office (ICO).
In what it described as a 'worrying trend', more than half of cyber incidents at schools were caused by students. More than a third of incidents involved pupils guessing weak passwords or finding them jotted down on bits of paper.
These teen hackers are most commonly English-speaking males, although around 5% of all 14-year-old boys and girls admit to ‘hacking’ in some capacity. The reasons given include dares, notoriety, financial gain, revenge, and rivalries.
Heather Toomey, principal cyber specialist at the watchdog, warned the trend has the potential to snowball into more nefarious activities.
"What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organizations or critical infrastructure."
Nearly a quarter (23%) of incidents were caused by poor data protection practices, including staff accessing or using data without a legitimate need, devices being left unattended, or students being allowed to use staff devices.
One-in-five were caused by staff sending data to personal devices, and 17% by incorrect setup or access rights to systems such as SharePoint.
Students are playing with fire
One-in-twenty incidents, however, came from insiders using sophisticated techniques to bypass security and network controls.
In one example, a student accessed a college’s information management system via a staff login, then viewed, amended, or deleted personal information belonging to more than 9,000 staff, students, and applicants.
The system stored personal information such as name and home address, school records, health data, safeguarding and pastoral logs, as well as emergency contacts.
In another, three Year 11 students unlawfully accessed a secondary school’s information management system, which held personal information belonging to more than 1,400 students. When they were caught, they said they'd just been trying to test their cybersecurity skills and knowledge.
Pete Luban, field CISO at AttackIQ, said the ICO research shows the education sector needs to strengthen its cybersecurity practices.
"There are a couple of takeaways from this news. The most important is that educational institutions must do a better job of protecting sensitive information," he said.
"Proper cyber hygiene protocols, such as strengthening passwords and removing student access to them, would solve a large portion of the problems," he said.
"For the smaller portion of incidents that required more advanced technical skills, schools need to evaluate their cyber defense systems and implement proactive measures that are able to close the gaps that students were exploiting," Luban added.
Luban said it’s critical for schools to make it clear to pupils that hacking isn't just a prank, and that there can be significant consequences.
"Reinforcing data protection principles and individual data rights not only makes students aware of the potential punishments for conducting cyberattacks, but also decreases the chances that they themselves are breached as a result of cyber malpractice," he said.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

