by Byron Connolly

Schools clueless about IT security, reveals study

Sep 10, 2012 | 3 mins

Almost one in two Australian secondary and tertiary schools do not have an IT security awareness program in place and alarmingly, 53 per cent didn’t know what information was taken during a data breach, according to a study commissioned by

The study asked around 500 teachers and administration staff at 168 private and public secondary and tertiary schools across Australia about their IT security landscape and what precautions they had in place to protect students.

It claimed that the education sector was now under “unprecedented pressure” to secure laptops used by students to mitigate the risks of malware and other security threats.

Dr Julian Dooley, associate director of the Sellenger Centre for Research on Law, Justice and Social Change at Edith Cowan University, told CIO Australia it is a concern that there aren’t more schools with formalised IT security programs.

“In my experience it has been many times higher than [the one in two schools quoted in the survey],” said Dooley. “I do a lot of cyberbullying and technology research and when schools agree to participate they are motivated – these schools have invested a lot of time and effort [in programs].”

According to Dooley, it was worrying that more than half (53 per cent) of the schools surveyed didn’t know what information was taken during a security infringement.

“Equally concerning is what the kids are freely giving up on social networks,” he said. “It [the research] – assuming that is accurate – is an indication of how overwhelmed schools are and how under-resourced they are. The data reflects that they feel that they are out of their depth in this area.”

Edith Cowan University recently collected data from 900 students at schools in Western Australia and found that 90 per cent had multiple accounts on social networks, and that almost half were sharing passwords, email and home addresses through these accounts.

“We don’t have good evidence that any cyber safety resource works,” said Dooley. “You can implement all these things and get kids being conscious about what they are doing, sharing and how they are using it, [but] there’s no evidence that any of those are effective strategies.

“There’s not enough work done with kids, people coming and going and saying ‘this is what I think let’s run with that’,” he added. “There’s a well-intentioned push to address [security] problems but without fully understanding the nature of the problem, there is no real follow up.”

According to Dr Dooley, there’s a “funny juxtaposition” between technology and human behaviour in relation to security.

“You can control some of the tech, but you can’t control human behaviour in the same way,” he said. “Students are doing things that might compromise your [security] system. These are the sort of things that are very hard to predict.”

Security issues rarely reported

The Symantec research found that when security issues arose, they were rarely reported to students and their parents. Only 20 per cent of staff received regular reports from IT staff on security, while an alarming 63 per cent of parents and 73 per cent of students never received any reports or information about a data breach.

On a positive note, 87 per cent of respondents had deployed anti-virus software on all desktops. Still, 10 per cent had no protection at all.

Dr Dooley agreed that education was the key to helping students and teachers understand how to spot suspicious email attachments and web links that could potentially infect school networks.
