By Wayne Dorris, CISSP, business development manager, cybersecurity, Axis Communications, Inc.
What does “security” mean in the context of a school? Until recently, the first things that came to mind were probably physical security technologies like surveillance cameras, metal detectors, access control stations, and even just good old-fashioned locks.
But the recent COVID-19 crisis has changed that: because of the nationwide shift toward remote learning that the pandemic has prompted, schools have been forced to reevaluate their cybersecurity policies and requirements as they work to keep their data safe amid increased reliance on videoconferencing, learning management portals, and other online educational tools.
Distance Learning Tools in the Spotlight
One of the first security concerns to gain public attention was the vulnerability of the web’s most popular videoconferencing tools. Zoom, in particular, gained notoriety for the problem of “Zoom Bombing,” where random individuals would be able to drop into meetings run by others without being invited.
With much of the population working from home and relying on remote web conferencing tools, Zoom saw a massive spike in daily users, from 10 million in December 2019 to 200 million in March 2020, a dramatic increase that put the previously small problem of Zoom Bombing into the public eye.
Zoom has, fortunately, implemented additional security controls specifically designed to combat Zoom Bombing, but these controls are optional and must be selected by the user. This underscores the need for effective training.
It isn’t fair to pick on Zoom, of course. In fact, Zoom’s problems highlight one of the biggest struggles facing both schools and businesses specializing in remote learning tools. Such a massive spike in remote users over a short period of time meant that IT departments lacked the time to evaluate the security controls for remote learning products, and the makers of those products may not have had time to refine those controls for such heavy use.
Learning management systems (LMS) are a great example of this. Used to store grades and enable students to remotely turn in homework, LMS have long been a convenient tool for schools; however, they have generally had the benefit of operating within the safety of the school’s network. And although a bored student might occasionally attempt to hack their grades, LMS platforms have generally not been in the crosshairs for cyberattackers.
Today, students and teachers must log into LMS platforms remotely, and although some teachers may have school-issued laptops with VPNs, schools were caught off guard by the crisis, and often did not have enough VPN licenses to cover all staff and students. Many also realized that they did not have enough laptops to accommodate their students, forcing many to use their own devices—whose security the school has little control over—and creating a potential opening for cyberattackers.
Unfortunately, a savvy hacker needs just one inroad to a network, and the last thing a school needs is its surveillance cameras or financial records compromised by one poorly secured student device. Laptops are hardly the only inroad, either: although physical security tools like cameras and access control stations play a smaller role at a time when remote learning is the norm, these devices are also vulnerable. Any device connected to the internet has the potential to be used as an initial launch point for an attacker.
Fortunately, there are policies that schools can implement to greatly reduce the threat of cyberattack. Taking steps like restricting web browser access to connected devices, establishing strong password policies, and mandating multi-factor authentication can make VPNs, surveillance cameras, and other tools even more secure.
Effective mail filtering technology can also go hand-in-hand with training designed to help teachers and administrators recognize phishing and other social engineering attacks, which are a popular way for attackers to gain a foothold within networks. These recommendations are advisable at any time, but they are essential at a time when remote working is the norm.
Physical Security and Cybersecurity Go Hand-in-Hand
The need for more comprehensive cybersecurity policies is clear, and schools are beginning to recognize the need to address the vulnerabilities revealed by today’s remote learning reality. As developers work to patch known issues, schools themselves are using tools like VPNs to help secure their own digital ecosystems while updating their own cybersecurity policies to reduce the likelihood of attack. The current crisis has served as a good reminder that physical security and cybersecurity go hand-in-hand, and schools that strengthen their cybersecurity policies while students learn remotely will enjoy additional benefits when classrooms are once again full.