Karlsruhe, May 31, 2022 – “School hacked,” “Student accounts hijacked,” “Student data public” – these are the headlines in the media when schools are affected by a cyber attack or data breach. Data security is one of the most important aspects when it comes to the topic of educational digitization, but it still confronts schools with a number of challenges. Many schools feel left alone with the issue: What are the risks for the data of students, teachers and parents? How can schools protect themselves? The school platform Sdui and DGC want to raise awareness with their new cooperation on the topic of cyber security. At Learntec in Karlsruhe, experts Philip Heimes (Sdui) and Philip Saladin (DGC) talked about data security in schools.
Security is a particularly sensitive issue in schools, because it involves information and the safety of children. In the analog world, we take security measures for granted: We do not let outsiders into the classrooms; the school building is locked at the end of the day and important documents are locked in the secretary’s office, for example. In the digital realm, however, this is not yet a matter of course. As an expert, how do you define cyber security in schools?
Philip Saladin: In general, cyber security is about protecting data. In the area of schools, this includes in particular: Personal data such as name, year of birth, place of residence of students, grades, class book entries, report cards or timetables. All this information is stored as data on hard drives, servers or in a cloud. All digital communication within the school community is also part of the sensitive data.
It is part of the everyday life of schools that data is collected, processed, transferred, stored, archived and deleted. Therefore, it is also the school’s responsibility to protect this data from misuse!
Philip Heimes: That’s right. Protecting data from third parties is a basic need today. Cyber security at schools needs to be just as important as other analog security measures that we take for granted. Printed out report cards, for example, would never lie around openly for anyone to see. We would consider careless handling of personal data to be a massive violation of a child’s personal rights.
With digital data, on the other hand, it is still common for precisely such careless breaches to happen. Most of the time, this happens without malicious intent. Often, the people involved don’t even know that they are taking risks with their actions and exposing themselves to danger. Ignorance and the feeling of being left alone with such issues in the vast field of school digitization pose a problem. We, Sdui and DGC, therefore want to educate on the topic of cyber security. We want to help schools and stakeholders make everyday school life safer. Cyber security measures must become a matter of course in everyday school life, like locking the front door!
The pandemic times of home schooling are largely over. How important is the topic of cyber security in schools today? Is the topic perhaps overrated in view of the multitude of other challenges facing schools?
Philip Heimes: I think it is no longer appropriate to reduce the topic of school digitization to video conferences in home schooling. In the approximately 5,000 schools that use Sdui, we see that the handling of digital data is a common thread running through everyday life. Today, no one asks WHETHER to digitize, but HOW.
Schools have become shapers of the digital transformation during the crisis. Now we need to make a virtue out of necessity. For me, this means creating competence in the area of cyber security in order to be able to assess risks. The issue of security in connection with digitization cannot be valued highly enough.
Philip Saladin, DGC advises companies and public authorities alike on cyber security issues. In your experience, what are the biggest security risks for organizations?
Philip Saladin: According to a survey conducted in 2021 by Bitkom e.V., the industry association for the German information and telecommunications sector, the greatest risk for German companies is infection with malware such as ransomware attacks in 31 percent of cases. So-called DDoS attacks, in which attackers deliberately overload certain resources and, for example, bring servers to their knees with mass requests, affected 27 percent. Spoofing, the pretense of a false identity, and phishing, the obtaining of personal data with the help of fake e-mails, caused damage in 20 and 18 percent of companies, respectively.
In your view, what are the biggest security risks for schools?
Philip Saladin: As in companies, the same applies in schools: Humans pose the greatest security risk. This starts with passwords that are written on pieces of paper or stuck to the screen as post-its. In schools, different private devices are also used if there is no central device management. But even third-party USB sticks that are used still pose a security risk. However, the biggest security gaps occur when software updates and security patches are not installed. As simple as it sounds, I encounter such vulnerabilities every day: More than 50 percent of the highly security-relevant vulnerabilities could be closed by updates.
Philip Heimes: Of course, targeted hacker attacks from outside and inside are also part of the security risks. Schools, for example, are also affected by attacks with ransomware, malware that restricts access to systems in order to extort a ransom. This can paralyze the entire school because the attackers encrypt the data. But students themselves can also attack the school and misuse data. Today’s kids are digital natives. So-called script kiddies often know better how to access scripts and programs than what’s on the curriculum in biology.
What can be the consequences of attacks and data leaks?
Philip Saladin: In education, for example, improper processing of such data could conceivably lead to discrimination and restrictions on the choice of education and profession. Or a school is encrypted by means of a ransomware attack and can no longer guarantee the continued operation of the school. Suddenly, it is confronted with ransom payments and a potential breach of the GDPR.
Philip Heimes: There are consequences for school operations and, of course, legal consequences. The worst, in my view, is when children’s personal fates go hand in hand with a security breach – confidential information about a student that then ends up on the Internet, is further disseminated and perhaps even used for bullying. Such cases are unfortunately a reality, and teachers can be affected as well. Anyone who becomes a victim of cybercrime often has to struggle with this for a long time.
That’s about it for the risks. But how can schools protect themselves? What can every school do for its safety?
Philip Saladin: From our experience, I know that every employee who is trained in the area of security awareness adds value. Very low-threshold tips that can make a big difference are: Never open attachments in emails from unknown third parties. Never click on links that point to dubious websites. When leaving your workplace, always lock your computer. Do not use USB sticks which you have supposedly received for advertising purposes. Tips for IT in particular are: Use a vulnerability scanner, which checks your network environment 24/7. Run software updates and security patches immediately after they are released by the manufacturers.
Philip Heimes: I think a very important step is to create awareness about cyber security in the first place. Everyone in the school community can play a part in making the school data secure. But of course, it’s also a question of budget, because schools don’t usually have the necessary expertise and resources to make the systems secure and continuously monitor them.
However, there are experts for this, such as DGC. Cooperation with external experts like DGC, who can help implement strategies, also lends itself to educational institutions. What’s more, schools should work with digital solutions that take school security seriously. Sdui does that – for us, the issue of security is particularly important when building our platform.
Sdui is a platform for digital communication and organization at schools – what about security on the platform? How is this provided?
Philip Heimes: Sdui is GDPR-compliant and uses German servers. Schools that use Sdui do not have to worry about where the data is stored and whether a company abroad is accessing student data. Sdui was developed together with schools in Germany and is constantly being refined to meet their needs and in exchange with them. A holistic approach to data security is important to us, which means that everyone involved in the school community – teachers, students and parents – must be able to move securely on the platform and communicate with each other.
Sdui and DGC want to cooperate with each other in the future to raise awareness for cyber security in schools. Why and what does that mean in concrete terms?
Philip Saladin: Sdui and DGC are two strong partners who want to work together to increase awareness for the topic of cyber security. We know the risks of digitalization and can point out solutions. In the future, for example, we want to compile information and tips for schools.
Philip Heimes: Our aim is to enable schools and educational institutions to identify risks themselves and to be able to assess data security themselves. Creating awareness of this is the first step. And also knowing where to get help. We believe it is important not to leave schools to deal with the important issue of data security on their own. After all, we can all contribute to making the Internet a little safer for us and our children every day.
About the interviewees:
Philip Heimes, Chief Technology Officer, Sdui
Philip Heimes was born in Germany and moved to the USA after completing his studies. There he spent many years shaping the education landscape, most recently as Head of Data Interoperability at PowerSchool, the largest American education technology provider. He has also led “K12 Data Interoperability Projects” for the Bill & Melinda Gates Foundation and the Michael & Susan Dell Foundation. He joined Sdui as CTO in February 2022.
Philip Saladin, Head of Sales Switzerland, DGC Switzerland AG
Philip Saladin is responsible for sales at DGC Switzerland AG. In addition to his sales activities, he continues to expand strategic and international sales for DGC. Philip Saladin advises public authorities, non-profit organizations as well as private sector companies on cyber security issues and supports them in improving their cyber resilience.