Kids hacking for kicks are causing security headaches at schools

ICO analysis of education sector breaches found schools and colleges are being careless – and pupils are taking advantage

The biggest cybersecurity risk faced by schools comes from the pupils themselves, according to new research from the Information Commissioner’s Office (ICO).

In what it described as a 'worrying trend', more than half of cyber incidents at schools were caused by students. More than a third of incidents involved pupils guessing weak passwords or finding them jotted down on bits of paper.

These teen hackers are most commonly English-speaking males, although around 5% of all 14-year-old boys and girls admit to ‘hacking’ in some capacity. The reasons given include dares, notoriety, financial gain, revenge, and rivalries.

Heather Toomey, principal cyber specialist at the watchdog, warned the trend has the potential to snowball into more nefarious activities.

"What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organizations or critical infrastructure."

Nearly a quarter (23%) of incidents were caused by poor data protection practices, including staff accessing or using data without a legitimate need, devices being left unattended, or students being allowed to use staff devices.

One-in-five were caused by staff sending data to personal devices, and 17% by incorrect setup or access rights to systems such as SharePoint.

Students are playing with fire

One-in-twenty incidents, however, came from insiders using sophisticated techniques to bypass security and network controls.

In one example, a student accessed a college’s information management system via a staff login, then viewed, amended, or deleted personal information belonging to more than 9,000 staff, students, and applicants.

The system stored personal information such as name and home address, school records, health data, safeguarding and pastoral logs, as well as emergency contacts.

In another, three Year 11 students unlawfully accessed a secondary school’s information management system, which held personal information belonging to more than 1,400 students. When they were caught, they said they'd just been trying to test their cybersecurity skills and knowledge.

Pete Luban, field CISO at AttackIQ, said the ICO research shows the education sector needs to strengthen its cybersecurity practices.

"There are a couple of takeaways from this news. The most important is that educational institutions must do a better job of protecting sensitive information," he said.

"Proper cyber hygiene protocols, such as strengthening passwords and removing student access to them, would solve a large portion of the problems," he said.

"For the smaller portion of incidents that required more advanced technical skills, schools need to evaluate their cyber defense systems and implement proactive measures that are able to close the gaps that students were exploiting," Luban added.

Luban said it’s critical for schools to make it clear to pupils that hacking isn't just a prank, and that there can be significant consequences.

"Reinforcing data protection principles and individual data rights not only makes students aware of the potential punishments for conducting cyberattacks, but also decreases the chances that they themselves are breached as a result of cyber malpractice," he said.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.