Major cybersecurity flaws in Florida schools leave students vulnerable
Securing the school system’s proper funding has always been a struggle, but the implications of this issue have never been more evident than now. While other students enjoyed their summer carelessly, a 17-year old Jaggar Henry appeared in front of the school district’s board in the Polk County, Florida. He explained some of the significant security flaws that he managed to find in the school’s system.
However, as Henry cautions, these types of cybersecurity oversights are common to most school districts across America and need to be addressed as soon as possible. With the COVID-19 crisis still in full swing, students across the US will be logging on to their school networks from homes, leaving millions of computers and mobile devices vulnerable to a variety of security threats.
Schools have a history of lax online security measures
Due to a lack of funding, very few schools in the US are able to hire or even consult IT experts to modernize their equipment and implement the latest security measures. The few staff members with basic IT knowledge were usually tasked with overseeing system setup and maintenance procedures.
These insufficient resources lead to various errors, ranging from the comically outdated devices to failures to install the latest patches. While these issues continue to be neglected, security experts encourage schools to look for ways to upgrade their systems.
The Coronavirus and the Switch to Online Classes
To get some insight into the severity of the situation, we only need to look at the staggering number of students who have been affected by COVID-19. According to a recent UNESCO report, over 1 billion students have been affected by the crisis, equating to around 61% of the entire student body worldwide.
Most of these students have migrated to online classrooms, especially in the US, where most states have mandated school closures. The massive influx of new online users to already poorly secured school networks has created a fertile ground for cybercriminals.
According to Microsoft Intelligence, there have been 4.8 million malware attacks in the education sector in the last thirty days. This accounts for a whopping 60% of all such reported attacks in that period, with the next two hardest-hit industries being Business and Professional Services, accounting for nearly 10% of malware attacks, and Retail and Consumer Goods with 9.6%.
The Discovery of Major Security Flaws
To the Polk County School District’s credit, they were conscious of the issue and did take steps to improve their online security far before the COVID-19 crisis. Back in 2017, the Polk County School Board set aside an impressive $4.1 million for their Student Information System (SIS).
With $218,000 covering two years’ worth of professional database analysis, and another $120,000 for a dedicated programmer for the same two years, it seemed that they had all their bases covered. However, as Henry rightfully suspected, there were faults with the SIS and the school district’s enrollment system, Delta.
As early as 2018, Henry found a troubling issue – he was able to change an ID number within the app that served as a reference code for each student, allowing him to access the other students’ private data. Alarming as it was, this flaw required some skills to be exploited, unlike the next issue Henry came across.
Both students and teachers shared files on SharePoint, but the problem was that everyone on the platform had the same permissions and could access all the files. It wouldn’t have been a serious problem, but all students’ login data was dumped into a simple spreadsheet for anyone to see.
What Can Be Done Improve Cybersecurity in Schools?
For one thing, students like Henry should be encouraged to try and poke holes in the schools’ systems. Both the students and the staff should be encouraged to use necessary security measures, helping them discover reliable VPN or anti-malware tools. Limited funding is not always an issue as there are plenty of free options to consider.
Finally, the school staff must consult IT professionals and be educated on online safety etiquette to avoid embarrassing oversights that a child could expose. We are in for several more months of restrictions due to COVID-19, and as most schools will be closed, it’s important to allow students to attend classes online without fear of their personal information being stolen. There is much to be done on this front, but with more students like Jagger Henry stepping up, we may see some dramatic cybersecurity improvements in schools nationwide.
Story by Kate Williamson