Too far behind – What the NSW Education cyber incident tells us about Australia’s readiness

Share:

Share on facebook
Share on twitter
Share on linkedin
NSW Education has been hit with a significant cyber crisis. With the COVID-19 instigated lock downs in full swing, this incident only heightens questions about the coherence of Australia’s cyber security strategy in the education sector.

NSW teachers in ‘state of paralysis’ after cyber attack

Public school teachers and principals could be without access to their online learning materials and email accounts until next week, after a cyber attack hit the NSW Education Department just hours after the state government directed schools to return to remote learning.

Educators have been locked out of the department’s online portal and unable to access their calendars, remote learning resources and communications since Wednesday evening, when the department deactivated its systems as a precaution while investigating the attack.

The error message on the department’s portal.
The error message on the department’s portal.

On Thursday, department secretary Georgina Harrisson said she was confident online access would be restored by the “start of term three”, which begins on Tuesday, and assured families home learning would not be impacted.

Sydney schools were on Wednesday told they would be teaching remotely for the first four days of term three as the state government extended the city’s lockdown until Friday, July 16.

Cyber security expert Troy Hunt said organisations usually took their services offline when they were worried third parties had breached security controls and accessed confidential data. He said:

You take the system offline to prevent the attacker accessing any more. You want to be confident there’s no-one in your network, and whatever vulnerability they exploited is now patched, before you go back online,” he said. “[How long that takes] will really depend on the nature of the breach.

NSW Teachers Federation president Angelo Gavrielatos said there would be a “state of paralysis” among the workforce until their online access was restored because they were effectively shut off from digital resources they needed to prepare for next term. He further said:

All afternoon the frustration is growing, the stress levels are increasing. They cannot do the job that’s required of them, for as long as this is not rectified.

An Education Department source familiar with the attack said the outage was initially reported as scheduled maintenance, in line with security advice. Systems were still down at the time of this Gridware note.

Maintaining data security in the education sector in the COVID-19 era

State and territory education departments, schools and teachers have worked hard to lift the use of technology since the coronavirus pandemic began last year.

But without doubt one of the key areas in which the sector (far more than small business, health and other sectors) is still very far behind is cyber security.

The current technology approach in our schools has led to a patchwork of systems and processes that pose a significant risk in terms of cyber security as well as creating significant inequity when it comes to access.

This isn’t just the case locally in Australia. The same story repeats itself internationally. A 2020 UK National Cyber ​​Security Centre audit demonstrated — for instance — that schools will continue to be a target for cyber attacks with 83% of schools audited experiencing some form of attack in the last 3 years.

Schools harbour extremely sensitive data

Schools capture information about students and families which is private and sensitive. They maintain records relating to health and wellbeing, as well as financial information. At times, they also store information regarding sensitive information pertaining to families including court orders, separation and marital information, etc.

The impact on individual students and families if information is released into the public domain can be serious, whether this occurs accidentally or deliberately. 

The expansion of the user base for technology as COVID-19 forced schools to move to remote learning last year presented significant challenges in terms of how cyber security is managed. In our view, these still have not been mitigated and conquered.

This is not the same in other sectors. From small business to health care and obviously in the big end of down, the importance of cyber security is much better understood and is being taken seriously, with most organisations focused on maintaining the confidentiality of data far more than in previous years.

In education, the level of maturity is significantly lower, and the risks are particularly pronounced.

The expansion of the user base for technology as COVID-19 forced schools to move to remote learning last year presented significant challenges in terms of how cyber security is manage

One major reason is that individual teachers or Principals (rather than IT specialists) are often responsible for evaluating student learning products. While some states and territories are taking steps to increase the level of understanding and competence in this regard, the level of maturity is still low.

Just as schools are unlikely to have the in-house resources required to implement and maintain large-scale systems, they are also unlikely to have the cyber security expertise to vet and select trusted providers of services to support them.

To succeed in cyber-education, bigger questions must be answered first

The last year has shown us that advances can be made rapidly through the sheer force of necessity.

But incidents the world over have also taught us the double-edged sword that is cyber-acceleration in a COVID-driven world.

The danger is that changes are sporadic, ad-hoc and reactionary rather than strategy. For the most part, this hasn’t changed, and the recent incident is indicative of just that.

The impact is the creation of vastly different student experiences, sometimes along socio-economic lines. This was evident in some schools transitioning seamlessly to remote learning because they were already well advanced in the use of technology to support learning outcomes, while others really struggled.

Australia’s education departments have a real opportunity to shape a new era in the connection between technology and human endeavour, starting with the building blocks of tomorrow: students.

The need for coherence in the education’s cyber security strategy is paramount. The current crisis is indicative of just this

But to get the most out of technology from an education sector perspective, some important questions need to first be answered, including:

  • Where and when should technology be used in the education process?
  • Is technical proficiency now a mandatory skill that we expect kids to set them up for the world of the future?
  • Is technology use more relevant for some subjects than others? 
  • What skills and capabilities do educators and teachers need to have to use technology effectively?
  • Do specialists now need to be employed in every school setting to create the most appropriate and secure technology ecosystem, given the centrality of technology to the education process?
  • Are the tools and apps currently being deployed at state-wide levels by Education departments robust enough, and has the requisite cyber expertise been used to choose the most cyber-appropriate ones?

The need for coherence in the education’s cyber security strategy is paramount. The current crisis is indicative of just this. The alternative, as a recent PwC report aptly articulated, is to “continue down the current path, which has led to a patchwork of systems and processes that pose a significant risk in terms of cyber security as well as creating significant inequity when it comes to access”.

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.