Alexa, how can I educate my students about online safety this Christmas?

Matt Radolec

Cyber Discovery is a free, extra-curricular programme, delivered by SANS Institute for the UK Government, that is open to students aged 14-18 across England, Scotland and Northern Ireland.

It uses games, challenges and role playing to teach the basics of cybersecurity in a safe and fun setting. By encouraging students to think about cybersecurity early, the aim is to ensure the safety of our nation by bolstering our defences now.  

Students have until 7 January to register and complete the series of fun assessment challenges.

If they score highly enough, they will be invited to take part in the next phase, which offers hundreds of similar challenges designed to teach students the basics of cyber security in a fun and exciting way.

‘Tis the season to be jolly… if you’re a cybercriminal.

Christmas is a time for giving and receiving, and every year without fail kids draw up their gift wish lists, which may include the latest tech gadgets such as smartphones, gaming consoles, tablets, ‘intelligent toys’ and a plethora of apps to fill their new devices.

However, many of the tech gifts that we’re buying for our loved ones – particularly if they’re connected to the internet – aren’t as safe as we think.

And if students aren’t aware of the potential risks – and parents don’t have the right knowledge or awareness themselves – then Christmas could turn into a technology disaster for all involved.

Recent research commissioned by SANS Institute looked at the attitudes and behaviours of 1000 UK parents and 1000 UK students aged 14-18 towards cybersecurity, and found that some UK households may not be equipped with the right skills to fend off cyber criminals, either at Christmas or in the longer-term.

Beware those dodgy apps!

41% of students who believe their devices are insecure said this was a result of never reading privacy policies in full or never checking the security of the apps they download (52% of students). 

Could these students potentially be putting their devices at risk, and into the hands of cyber criminals by downloading dodgy apps?

Disconnect? Parents educating kids

46% of students who have heard of cybersecurity said they heard about it from their parent or guardian. However, only 28% of parents who have heard of cybersecurity said that they themselves are ‘very aware’ of it.

If parents are not confident about their knowledge or aware of the potential risks that come with connected devices, then chances are that teenagers may not be practising good security hygiene either.

What’s more, only 39% of parents who believe that the devices their children own or have access to are secure report that they regularly check their children’s devices.

But cybersecurity is for life, not just for Christmas; and parents and children need to be aware of online risks all year round. Cybersecurity awareness has a wider impact too.

As a nation, we are facing a critical shortage of cybersecurity skills, and with today’s young people poised to become our future workforce, the nation desperately needs to recruit more knowledgeable professionals into the cybersecurity industry to stop the bad guys from holding our technology – and our lives – to ransom.

The best way to do this is to catch students at a younger age, and educate them about cybersecurity and what a career in the industry could bring.

“People mistakenly believe they are not a target for cyber attackers. But the truth is, if you use technology in any way, you have value to hackers,” commented James Lyne, Head of Research and Development at SANS Institute.

“It’s fair to say that many young people are now more digitally literate than their parents, so we’re encouraging the younger generations to take a more active role in their own cyber education – and maybe even that of their parents!

“Security is not just about protecting personal devices, though. It could ultimately be as important as helping to protect the country at large. This is why it’s important to share knowledge and reinforce the right type of behaviours online so that we’re not leaving ourselves exposed to the idle hands of hackers – at Christmas, or otherwise.”

Following the news around hackers stealing more than $800,000 from Cape Cod Community College last week through an email phishing scam, cyber security expert Matt Radolec offers the following comment:

There has been another hack where the human element was exploited. When will people learn we must not provide access to computers to anyone, especially if it’s a large university or other public organization, where security-minded individuals are often the minority?

All jokes aside, humans are the weakest element of any security program and there is no shortage of people at a university. 

Students, faculty, and staff of these large institutions are working around the clock, making 24/7 convenient access to technology a huge priority.

This constant easy access opens many avenues of attack or threat vectors for these public institutions. Often security controls which would be found in similarly sized private organisations don’t exist in the public sector, whether due to complexity or lack of funding. 

This creates gaps in defensive posture which attackers know to exploit. 

Although the exact details of this attack aren’t clear, a few likely pitfalls in this space come to mind:

1. Lack of security/control on the compromised endpoint

If a student, faculty or staff member of the university was using their own machine, they may not have the same security controls, like anti-malware, which may be on a university-provided computer.

2. Lack of security awareness by the compromised user

There is so much education going on at institutions that there may not be enough of a focus on how to avoid social engineering scams, especially those well-crafted phishing emails.

3. Lack of security controls to protect the money

If institutions treated their information systems like they would a bank vault, surely $800,000 wouldn’t have walked out the door.  Most public organizations have a near wide-open access model to ensure all users can access and share information rapidly to drive innovation.

This comes at the price of overlooking the least privilege model completely and perhaps forgetting to secure internal systems while still allowing for easy collaboration between students and teachers. 

Organisations should treat their computer systems like they are physical assets which need protecting, make sure all the right security controls are in place all the time, educate all users on how attackers are after their information, and provide a defence-in-depth program built on the concept of least privilege and limiting who can access what when.

Matt Radolec, Security Architect Manager at Varonis

