The COVID-19 pandemic has forced many industries to operate virtually to some degree. Almost two years later, as COVID variations pop up and spread, the workplace continues to be in flux. But most businesses have adjusted, operating with a new definition of “business as usual.” Some organizations now use a hybrid model, others have all staff back on-site, and still, others function in a combination of ways that suit their needs. 

Education, however, is a very large and complicated sector. It involves children as young as four and graduate students in their 30s, as well as teachers, administrators and a wide range of support staff. It encompasses small elementary schools and huge university campuses and schools in rural, urban, suburban, reservation, and military-base settings. So when in-classroom teaching abruptly ceased in March 2020, it was especially chaotic and disruptive. Educational institutions at all levels scrambled to figure out how to hold classes online. K through 12 schools faced serving populations with limited access to the internet and students who lacked any type of mobile device as well as affluent students with the latest devices and high-speed connections. Colleges and universities closed their campuses, sending students home. Teachers, unaccustomed to delivering lessons virtually, cobbled together materials not designed for remote-learning platforms on school networks not set up for that type of traffic. 

As with the business sector, the education sector has overcome some of these challenges and functions in the e-environment. But as new COVID variants make returning to in-classroom learning unrealistic for thousands of students at all levels, the bottom line is that students — as well as educators — continue to depend on mobile devices and laptops to access online classrooms, submit/grade assignments, research/check homework topics, and more. 

Unfortunately, both students and staff likely lack basic security awareness, and their IT departments may not have the resources to properly secure their fleet of devices. K through 12 school computer systems as well as those run by colleges and universities, may also be using out-of-date software and equipment that do not receive vendor-provided security patches or bug fixes and are no longer eligible for technical support, making the institutions vulnerable to cyberattacks.

Hackers and other bad actors thrive in this type of confusion and are quick to take advantage of a large pool of vulnerabilities. Below are three cybersecurity threats the education sector will face this year as well as suggestions for how to thwart them.

1. Student/educator-driven vulnerabilities

Most students were probably already comfortable using some sort of device for fun or educational purposes before the pandemic sent them home — surfing the internet, downloading games and videos, visiting websites, and so on. But once they began attending online classes while their parents were now working remotely, the home network they shared became a potential welcome mat to malicious actors. Though some schools provide devices to students, many use devices they share with family members. If a student clicks on a malicious link in a phishing email, for example, it could release malware that could potentially affect their now shared home network. Or it could install malware that infects their home system, locking it up, potentially accessing financial information, and worse. Some live-conferencing classroom settings are easily infiltrated, allowing malicious actors to harass attendees, sneak in pornographic images, and harvest personal information that students are sharing that they then publish online.

What schools can do: Though educational institutions cannot protect students’ home networks, they can make video conferencing safer by making sure students are using the most up-to-date remote meeting applications, requiring students to sign in using their real names, and setting up policies that prevent students from entering a classroom before the teacher and making sure the teacher is logged in until all the students log out.

2. Ransomware attacks

As #1 above describes, the education sector is ripe for cyberattacks, and malicious actors have been busy targeting it. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and other agencies receive reports of ransomware as well as malware and distributed denial of service attacks against K through 12 institutions, and they release alerts warning of these dangers. Malicious actors attack school systems to slow or halt access to remote classrooms and steal and/or threaten to leak confidential student data unless the attacked school system pays a ransom. These bad actors use social engineering methods such as phishing emails or fake websites to gain passwords and credentials and exploit open or exposed remote desktop protocol services to gain access to school networks. Both methods allow them to plant ransomware or malware.

What schools can do: CISA created a tip sheet that lists best practices for K through 12 school systems to follow to prepare for or prevent likely attacks. These include staying on top of software and operating system updates, changing system passwords, monitoring privacy settings on social networking sites, and configuring firewalls to try to prevent these phishing emails from coming into the system in the first place.

3. Student debt scams

Pandemic-related cyber scams reported to the FBI quadrupled in the first few months of the pandemic. So it’s a good bet that once student borrowers are required to start paying on their student loans again (the Biden Administration paused payments in March 2020 and announced it was extending the pause through May 1, 2022), they will face an increased amount of fraud and scam attempts from fraudulent student loan forgiveness programs. Bad actors might try to exploit borrowers by posing as loan servicing companies to obtain personally identifiable information, financial details, legal power of attorney, passwords, and other credentials. They could also attempt to exhort fees for services to reduce or end student loans. 

What students can do: The U.S. Department of Education (ED) lists these three ways that students can spot these loan forgiveness scammers. These include being wary of unsolicited offers from private companies that offer to help for a fee — the ED offers real student loan forgiveness programs or ways to lower payments at no charge through the student’s original loan provider. Students should not share their Federal Student Aid (FSA) password with anyone — the ED will not ask for it — and be immediately suspicious if they are asked for it. If they do give it out, they should log in to their FSA account and change it immediately. If students think they’ve been scammed, they should immediately contact their bank to stop payments to the fraudulent company and contact their original loan servicer to alert the servicer about their situation.