
Your back-to-school tech brush-up

As covid-19 continues to affect how we carry out our day-to-day activities, many are now considering how best to manage having children return to school, either virtually or in-person or a combination of both. This past spring saw most students sent out of their physical classrooms to learn from home and left parents and teachers needing to figure out new technologies and procedures to enact the drastic change. Now, with classes resumed, some will continue with virtual learning while other students work in their classrooms. Either way, students, teachers, and academic institutions will be facing a new set of cyber challenges. 

A critical element in how we have remained connected throughout this crisis is video communication technologies, such as Zoom. Zoom will most likely be a standard tool that schools rely on in the coming months. Like any convenience afforded us by technology, however, Zoom is not perfect. Once school started, Zoom suffered outages in multiple parts of the world, leaving many scrambling to connect.1 The company was able to fix the problem quickly, but to many it felt like a sign of things to come. Preparing for the worst, and hoping for the best, is a good strategy when dealing with video communication tools. 

With that in mind, it is also important to take security precautions when handling this type of software. Since Zoom is fairly ubiquitous now, cybercriminals are taking advantage of the fact that so many people are familiar with it and using it on a regular basis. From Zoom-related malware to people attending meetings unannounced, there have been issues that compromise confidential information. As it continues to be tested, Zoom is in the process of improving its security and privacy policies. In a Security Plan Progress Report, the company explained that it now implements passcodes, waiting rooms, and “screen share for host only” set as the default; the company has also improved data control for some users.2 

While Zoom-related attacks may be a threat, everyone involved—educators, institutions, parents, and students—should also be made aware of the increased risk of phishing and ransomware attacks. It should be clearly communicated how information from schools will be sent, what type of information can be expected, and how personal information will be requested. Establishing expectations in advance may prove instrumental in preventing clicks on malware links or the sharing of credentials with threat actors. Ransomware attacks are also expected to be a primary threat, as a recent cybersecurity newsletter pointed out: “Cybersecurity professionals expect a spike in ransomware attacks against school districts and universities this fall as new hybrid learning environments go online and unpatched equipment… is reconnected to school networks.”3

Managing access controls and school-owned devices will also be critical as students work remotely. Simple security best practices such as using VPNs, multi-factor authentication, strong passwords, and encryption, avoiding public WiFi, securing endpoints, and updating software when necessary can also mitigate the cyber risks likely to be prevalent in the coming months. Relaying security information and guidelines clearly to students and families—including the advice to slow down before acting on any emails that request personal information—helps to protect students, staff, and school assets.

This fall will be unlike any in memory for many of us as we navigate unprecedented issues to ensure safe and effective learning environments, both in-person and remote. Building a security culture within organizations is always important, but emphasizing security in our own homes and schools may be overlooked. Preparation, information sharing, and balancing security with convenience are essential in making the most out of what technology can offer us.


MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.  


Notes

1 https://www.cnn.com/2020/08/24/us/zoom-outage-worldwide-trnd/index.html

2 https://zoom.us/docs/doc/Ask-Eric-Anything-7-01.pdf 

3 https://www.bankinfosecurity.com/as-classes-start-schools-face-ransomware-risk-a-14895