The words “hacker” and “cybercriminal” are more likely to conjure mental images of a computer-savvy adult than an unassuming 4th grader practicing multiplication, but according to a recent survey, 15 percent of Americans wouldn’t put it past elementary-age kids to “easily” carry out a cyberattack on their schools.
The survey, conducted on behalf of cybersecurity company Radware, asked 1,000 Americans about their perceptions of how capable students of different ages are of committing cybercrimes.
Fifteen percent of respondents said students in grades 1 through 6 would have no trouble disrupting school operations with a cyberattack. As they get older, students are increasingly likely to have the skills to carry out an attack, respondents said. Fifty-seven percent answered that a high schooler could “easily” or “very easily” infiltrate a school or university, versus 63 percent of respondents answering the same about college undergraduates.
In the survey, Radware provided examples of possible disruptions, including altering or canceling class schedules, accessing test results and shutting down an entire network.
It’s unclear whether those surveyed believe students today are just that cunning or that schools are simply unprepared, but Ron Winward, security evangelist at Radware, said it’s probably a little bit of both.
“There’s technology, connectivity everywhere — kids are doing everything with their phones,” Winward told EdScoop, noting specifically schools that allow or encourage students to bring their own devices (BYOD). “Who knows what they’re doing when they’re out of school? There’s a lot of potential there. … and we aren’t thinking about the ramifications of these things. We don’t even know the ramifications.”
Speaking more generally, he said schools are particularly vulnerable because they often lack the budgets to adequately prepare for and respond to a cyberattack.
“Even if you don’t have a dollar to spend on a security budget, [though], you can still have a response plan,” Winward said. “How you immediately handle the attack is going to affect how you fare. And it’s important to understand what you’re going to do when that stuff happens.”
In a previous report, Radware found that 44 percent of schools don’t have an emergency response plan for cyberattacks, he said.
While he acknowledges students are becoming more technology savvy, Winward said he was surprised that so many respondents — members of the general public — thought elementary schoolers were capable of disrupting school operations.
“I don’t think a 6th grader, or most 6th graders anyway, could attack their school,” he said. “Not intentionally anyway. Maybe unknowingly they could bring in something that would put the school at risk, but not purposefully.”
When respondents were asked about schools’ ability to protect students’ personal information, privacy and safety, 45 percent answered “I don’t know” instead of assigning a letter grade (A-F).
That may be representative of the average American, but in the Data Quality Campaign’s recent survey of parents of school-age children, 88 percent of parents indicated they trust their child’s school to use the child’s sensitive data appropriately.
K-12 schools and higher ed institutions have been targeted in countless cyberattacks in recent years, including plenty of cases where a student actually was the culprit. In Radware’s recent survey, 24 percent of respondents said they were aware that schools and universities had been affected by cyberattacks.
For example, at least five universities were affected by WannaCry, the global ransomware virus, earlier this year. And Deborah Szajngarten, director of public relations at Radware, mentioned a University of California, Davis, student who posted her name and contact information to a forum called “Jobs for Hackers,” offering to pay someone to change the grade she earned in a course required for graduation.
“I don’t think it would be unheard of for someone to say, ‘I’ll pay you $20,000 to create a fake record that says I went to Penn State University or Northwestern University,’” Szajngarten said in an interview.
In recent years, hackers have repeatedly disrupted school operations at Rutgers University, leading some students there to demand tuition reimbursement, Szajngarten said.
“Rutgers has been plagued with this issue for years,” she said. “And they’re not the only ones. There are many other schools that experience these issues.”
The education industry is perhaps the least prepared for a cyberattack, Winward said. School budgets for a cyberattack are significantly smaller than those of financial, government, telecom and retail organizations. Still, one way schools and colleges can begin to address this shortcoming is by talking with students about simple, easy ways to minimize risk — like not giving out your passwords or other sensitive information, Szajngarten said.
“I think schools have some level of responsibility to make sure they’re educating students, but it’s hard because most of them don’t know themselves what those risks are,” she said. “It doesn’t [have to] cost money, it’s just awareness. I think that’s something fundamentally missing from modern education today.”