Deutscher Bildungs Server

Did you know that education is one of the top targets for hackers around the world? In all statistics and reports on the subject, the education system is always at the top of the rankings on victims of cyber attacks. Why is that? In an article on the website of the company Infosec, the author summarises some key aspects as follows:

A lot of personal data comes together in the education system that would otherwise have to be stolen from separate institutions, such as birth certificates, social security numbers, bank details or, last but not least, valuable intellectual property. This mixture of sensitive data in an IT infrastructure makes the field of education particularly interesting for hackers.

At the same time, the so-called "human factor", which is usually one of the main causes of security gaps in other areas as well, is particularly sensitive in the education sector: To a large extent, the education sector is dealing with children and adolescents or young people who use a disproportionately large amount of digital media, but at the same time fall into digital traps more easily and are not yet able to assess the consequences of their actions very well.

Another disillusioning reason for the susceptibility of the education system to cyber attacks is, of all things, its relatively open IT infrastructure policy. At public universities, for example, this means that every person who enrolls or every scientific guest has access to the IT infrastructure.

If you add all this to an education system that is always struggling with scarce resources worldwide - both financially and in terms of staff - where in schools, but also at universities, poorly trained teachers often have to take charge of many IT issues - when you put all of this together, it's an ideal target for hackers around the world.

In our web dossier, we provide an insight into the topic of cyber attacks and cyber security in education using a variety of sources such as reports, analyses, statistics and overview articles in various media. Both the topic of "cybercrime within education" and the topic of "education on cyber security" are examined. Furthermore, we provide examples from different countries on how they deal with cybercrime in education and cybersecurity education & training.

We would like to point out that a large part of the information that can be found on the topic so far comes from companies that are themselves active in the field of cybersecurity.

• "Critical security concerns for the education industry. Balancing cybersecurity & compliance requirements in a resource-limited industry" by Susan Morrow (14.07.20)
  https://resources.infosecinstitute.com/topic/critical-security-concerns-for-the-education-industry/
  Published on the website of the  Infosec Institute (Cengage Group)


• "What Are Cybersecurity Education Papers About? A Systematic Literature Review of SIGCSE and ITiCSE Conferences" by Švábenský, Vykopal & ÄŒeleda (2019)
  https://arxiv.org/pdf/1911.11675.pdf
  Published on the Open Access Server "arXiv" at Cornell University. Auhtors' version of the work (~preprint). ITiCSE: Conference on Innovation and Technology in Computer Science Education. SIGCSE: Special Interest Group for Computing Education of the Association for Computing Machinery (ACM).


• "Cyber Security Education. Principles and Policies" ed. by Greg Austin (2020)
  https://doi.org/10.4324/9780367822576
  Book (liable to costs). The abstracts of the chapters are Open Access.

The Live Cyber Threat Map visualises cyber attacks that are just taking place internationally, based on various data. On the right hand side, you can find further information, among others about the 3 most targeted industries. Education ranks in the top 3 rather often. If you have a small screen, the most targeted industries are hidden behind a small white arrow at the bottom of the page. Click there and further on the second of the white little dots to see them.

• Check Point Research: Education sector experiencing more than double monthly attacks, compared to other industries
  https://tinyurl.com/CheckPointReport2022
  
  Summary of the "Cyber Attack Trends: 2022 Mid-Year Report" of the Israeli company Check Point. Check Point's reports and analyses are among the most well-known in the field of cybersecurity. The company itself offers security solutions for enterprises.



• "2018 Education Cybersecurity Report" by SecurityScorecard
  https://securityscorecard.com/resources/2018-education-report
  
  SecurityScorecard is a New York City-based IT company that provides IT security solutions. Among other things, the company published a report on cybersecurity in education in 2018.


• "2022 Data Breach Investigations Report: Data Breaches in Education" by Verizon
  https://www.verizon.com/business/resources/reports/dbir/2022/data-breaches-in-education/
  as of 2014: https://www.verizon.com/business/resources/reports/dbir/#archive
  
  Verizon is a large US telecommunications company. It became known to a broader public in 2008 when the news channel CNN reported that employees of Verizon  had secretly gained access to the cellphone data of President-elect Barack Obama. It became also known as of 2013 with Snowden's first revelations about the fact that the US government routinely demanded the release of all connection data from the provider Verizon. Until June 2014, Verizon also acted as the Internet provider for the German Bundestag (German federal parliament).
  Verizon has published the Data Breach Investigations Report since 2014. It also analyses data protection violations caused by cyber attacks worldwide by industry.
  We provide you with the link to the 2022 report for the education sector. The text of the report is relatively technical, but also offers a comparison to data breaches in other areas (see "Intro into industries").

• "Cyber security posture surveys" by JISC
  2017-19, 2022: https://www.jisc.ac.uk/reports/cyber-security-posture-surveys
  2021 (Highlights): https://tinyurl.com/JISCReportHighlight2021
  
  The Joint Information Systems Committee (JISC) is a UK not-for-profit organisation dedicated to promoting digital technology in research and education". In addition to the Cyber Security posture survey, JISC also published a Cyber Impact Report in 2020 and an updated version in 2022.



• "Cyber Impact Report" by JISC
  2020, 2022: https://www.jisc.ac.uk/reports/cyber-impact
  
  If the report is too long for you, you can also read a short summary of it in JISC's blog: "Latest cyber impact report underlines ransomware as a huge threat, but financial cost of attacks is still unclear"
  https://www.jisc.ac.uk/blog/latest-cyber-impact-report-underlines-ransomware-as-a-huge-threat-20-apr-2022

• Back to School Security: Cyber Attacks on Education
  https://www.wallix.com/blog/cyber-attacks-on-the-education-sector
  Wallix, French company for Cybersecurity
  
• Check Point gives safety tips for school and semester start (07.09.22) [courtesy translation]
  Only in German: Check Point gibt Sicherheitstipps für den Schul- und Semesterstart (07.09.22)
  https://www.infopoint-security.de/check-point-gibt-sicherheitstipps-fuer-den-schul-und-semesterstart/a32079/
  Infopoint Security, German Information platformfor Cybersecurity
• Technology Education Day: Teaching IT security to the younger generation (22.09.22) [courtesy translation]
  Only in German: Technology Education Day: Junge Generation in IT-Sicherheit unterrichten (22.09.22)
  https://www.infopoint-security.de/technology-education-day-junge-generation-in-it-sicherheit-unterrichten/a32258/
  Infopoint Security, German Information platformfor Cybersecurity
• Education sector most at risk of cyber attack (11.08.22)
  https://edtechnology.co.uk/cybersecurity/education-sector-most-at-risk-of-cyber-attack/
  Education Technology, online magazine from England
• New research suggests universities do not have ‘adequate cybersecurity controls’ (04.08.22)
  https://edtechnology.co.uk/cybersecurity/heis-lack-cybersecurity-controls/
  Education Technology, Online magazine from England
• Why Cybersecurity needs to be a Priority for the Education Sector
  https://swivelsecure.com/solutions/education/why-cybersecurity-needs-to-be-a-priority-for-the-education-sector/
  Swivelsecure, a company for authentication solutions from England

Worldwide

• Country Wiki - Countries' policies on cybercrime
  https://www.coe.int/en/web/octopus/country-wiki
  provided by the Octopus Cybercrime Community, Council of Europe

• US Department of Education – Office of Educational Technology - Cybersecurity
  https://tech.ed.gov/cyberhelp/
• Cyber Threats to K-12 Remote Learning Education
  https://www.cisa.gov/stopransomware/cyber-threats-k-12-remote-learning-education
  From the website "Stop Ransomware" by the US government

• Cyber Security Breaches Survey 2022 - Educational institutions findings annex (UK government)
  https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1064445/Education_annex_-_cyber_security_breaches_survey_March_2022__WEB_.pdf
• Cyber security: programmes and resources for schools and further education (UK government)
  https://www.gov.uk/government/publications/cyber-security-programmes-and-resources-for-schools-and-further-education
• Guidance: Indicators for potential fraud: education providers (UK government)
  https://www.gov.uk/government/publications/indicators-of-potential-fraud-learning-institutions
• Cyber Security for Schools (UK government)
  https://www.ncsc.gov.uk/section/education-skills/cyber-security-schools

• Cybersécurité en France : la délicate question de l’éducation et de la formation (2022)
  https://www.nextinpact.com/article/69563/cybersecurite-en-france-delicate-question-leducation-et-formation
• Cybersécurité : Pix, l’ANSSI et Cybermalveillance.gouv.fr s’associent pour développer les compétences du grand public (2022)
  https://pix.fr/actualites/partenariat-pix-anssi-cybermalveillance/
• Au collège et au lycée, former à la cybersécurité par le jeu !
  https://www.ssi.gouv.fr/actualite/au-college-et-au-lycee-former-a-la-cybersecurite-par-le-jeu/
  ANSSI Agence nationale de la sécurité des systèmes d'information
• MOOC pour s'initier à la cybersécurité
  https://secnumacademie.gouv.fr

• Five years of cyber security education reform in China (2020)
  https://www.taylorfrancis.com/chapters/edit/10.4324/9780367822576-11/five-years-cyber-security-education-reform-china-greg-austin-wenze-lu
  Book chapter, unfortunately  subject to a fee. Eventually, you can ask for a free copy directly with the authors:  https://www.researchgate.net/publication/342863030_Five_years_of_cyber_security_education_reform_in_China
• China’s CyberAI Talent Pipeline (2021)
  https://cset.georgetown.edu/publication/chinas-cyberai-talent-pipeline/

• Cyber Education in Israel  (Information Security Thought Paper)
  https://www2.gov.bc.ca/assets/gov/british-columbians-our-governments/services-policies-for-government/information-management-technology/information-security/cyber_education_in_isreal.pdf
  Government of British Columbia (Canada). Comparison to Kanada.

• Magshimim - National Cyber Education Program Israel
  https://rashi.org.il/en/programs/magshimim/
  https://cyber.org.il/about-us-eng/

• Canadian Centre for Cyber Security > Education and community > Academic Outreach and Cyber Skills Development
  https://cyber.gc.ca/en/education-community/academic-outreach-cyber-skills-development
• Cybersecurity Education Portal
  https://ep.technationcanada.ca
  https://technationcanada.ca/en/future-workforce-development/career-finder/education-portal/