Cybersecurity in Education
As parents, our children are under our care and protection until they are old enough to look after themselves. It’s our duty of care to teach them everything we know about staying safe in a world full of potential threats. But what if we don’t actually understand enough about many of the real dangers facing them to be effective guides and protectors?
We also place our trust in schools to provide a holistic and rich education beyond the level that we, as parents, are capable of. But are the schools adequately prepared either?
When I was at school in the 1980s the world was perhaps a simpler place to navigate; the dangers faced by my generation were better understood by both young and old. We were taught about “stranger danger” and not accepting sweets from people we didn’t know. I remember TV advertising campaigns warning us not to get into the cars of strangers, especially a creepy guy offering to show you his puppy.
Whether these campaigns actually helped or not is hard to say, but what is certainly true is that pre-internet and smartphone, the threats were more obvious and out in the open in the physical world. It was the creepy guy hanging out at the school gate, the dangerous gang of older kids pushing you to try smoking or drugs or to steal things. Being bullied often meant physical altercations, real bruises and name calling. All these dangers, of course, are still prevalent today and are just as damaging and worrisome for parents and teachers alike.
However, there are new and more insidious threats facing children today, threats which evolve so quickly they can be difficult to keep track of. These are invisible threats hiding in our kids’ complex online worlds, far away from the prying eyes of parents or teachers. By the time our children hit early teens or even pre-teen age, many (if not most) parents have already lost visibility and control over who their kids interact with and what they see and are exposed to online. The children’s knowledge at this point begins to outpace that of the majority of parents or even teachers. This means that we effectively lose any ability to protect or educate our children about the online dangers that even we as adults don’t fully comprehend.
The problem we face is so complex and changing so rapidly that we cannot simply pick a list of static topics to teach and boil it down to a simple message like “stranger danger” and hope that is enough. We need to augment the existing curriculum with something more dynamic to teach children to identify and evaluate threats more effectively. They are the pioneers into this vast online world; they will visit places and interact with each other in ways that we adults will never understand or experience.
Many schools do have programmes in place to help children learn about responsible use of social media, spotting fake news, cyberbullying and much more, all of which are hugely important. However, as valuable as this is for general awareness in education, many curriculums fail to identify and address the current risk exposure and knowledge of the individual beyond the obvious standardised teaching. The companies that we work with will typically require a tailored and constant level of vigilance and testing against their staff through such means as annual assessments, phishing tests, regular social engineering training and risk scoring.
What if a school could offer such a responsive and dynamic level of cybersecurity education and protection to children as they progress through school; wouldn’t that be a game changer and competitive advantage for any school to offer?
In order to better prepare children, we can learn from some of the most innovative cybersecurity practices employed by corporates and specialists, looking at how these experts protect leading corporations. Take the training concepts designed for industry leaders and executives, which teach them how to identify and react to threats against their companies, and adapt them into a set of tools to arm children with the knowledge they need and that is relevant to them.
One of the areas which is often overlooked is individual exposure. Our children have grown up with the Internet; to them this is normal life and they think nothing of sharing anything and everything with the world. Their digital footprint is huge and growing at an exponential rate, often with little regard to the future consequences or how seemingly innocuous information could be used against them directly or indirectly.
Take a Baseline
When asked to perform an assessment of the risks which face an individual in the corporate world, we begin with a risk evaluation report. This can include anything from technical checks on computers and devices, networks, firewalls and websites to social media exposure, cybersecurity knowledge, social engineering risk, passwords, multi-factor authentication use and more. The resulting analysis provides a score to help identify and enumerate the various types and levels of risk to which the individual is most exposed.
This provides the baseline. The individual can then understand in clear terms where their personal exposure and vulnerability lie technically, socially and in their knowledge gaps. From this we can begin to build a programme of improvements and education tailored to the individual.
Adapting this for children, we need to make it fun, engaging and relevant to them: to “gamify” it. We don’t necessarily need to look at every game they play, every site they visit or social app they engage with. The concepts of good security hygiene are applicable across all platforms, be that Minecraft, Roblox or the deeper, darker corners of the internet. The evaluation of the individual risk factors and deficiencies is the starting point to show them that they don’t know what they don’t know, and to facilitate a wider discussion about security, the kinds of risks they will face and, just as importantly, what to do about them.
Bleeping Computer recently published an article entitled “Minecraft is hackers’ favourite game for hiding malware”; similar reports are frequently published about Roblox scams as well as other games, especially those with in-game currency. Roblox is a particularly interesting example because, in order to understand how to spot socially engineered scams, the children need an understanding of the in-game economics and how they shape the motivations and methods of the attackers. This quickly gets complicated, but the underlying concepts of how these and other social engineering attacks are executed are not so difficult to grasp. Children as young as 5 or 6 are already roaming freely around online worlds like Roblox, so starting their education when young is absolutely critical and will help to embed good security habits from the outset.
We should also factor in the risk evaluation of the teachers themselves: how aware are they of their own deficiencies and exposure? Rarely in the corporate world do we fail when conducting phishing or social engineering attacks if they are effectively planned and executed, even when staff receive regular training and are protected by the latest technical countermeasures. A poor score should never be a stick to beat people with, but rather a tool to stay ahead of the criminal curve. The bad actors are always learning and evolving and so should we, especially where our children are concerned.