The Changing Face of Education: Risk, Security and Process Around Distance Learning

The Changing Face of Education
Author: Glorin Sebastian, CISA, CISSP
Date Published: 14 July 2021

The digital revolution has changed many industries, including education. Although digitized learning platforms have made education and information more easily accessible, they have also brought on a rise in cybersecurity and other process risk that must be addressed. These issues are prevalent in distance education from a security, risk and process perspective; however, there are effective methods that can be used to mitigate the risk.

Benefits of Digitization in Education

There are many benefits of digitization in learning and education. Some of the benefits include greater reach, flexibility and lower cost.

Greater Reach
Online course delivery greatly increases the reach of learning and education. Education that once was for a privileged few with online distance learning is now accessible to everyone with access to basic technology irrespective of age, gender or geography. Anyone can enroll in online courses from top universities on learning platforms such as Coursera, Udacity and Udemy. Users can apply for online degrees and even complete graduate and doctorate degrees via online distance education.

Flexibility
Another significant advantage of online distance education is flexibility. Be it working parents, full-time employees or retirees living on a different continent, education and learning can be accessed conveniently anytime via online distance education. This provides greater opportunities without having to choose between education and other priorities such as time with family or working full time.

Cost
Where an average online student pursuing distance education spends approximately US$100 to US$400 per credit hour,1 the traditional on-campus student spends multiple times that cost. The fact that most study materials including books and other reading materials are online is also an important factor when considering learning costs.

Disadvantages of Digitization in Education

Even though the benefits greatly outweigh the drawbacks, disadvantages to online distance education do exist. The main disadvantages are the same issues that affect most digitized portals: endpoint security, privacy and process issues.

Malicious Software
Online education faces threats from malware or malicious software, such as viruses, worms, ransomware, Trojan horses, keyloggers, rootkits, spyware and adware.2

In fact, the most common malicious software that affect online education are riskware and adware.3 With many students using personal laptops for online education and work or personal purposes, there is a high possibility of laptops being affected by malicious software, causing various issues such as affecting the operability of computers and computer networks, hardware failure, and data loss or data theft,4 thereby potentially negatively affecting the quality of the online learning experience.

Hacking and Denial-of-Service Attacks
A denial-of-service (DoS) attack is meant to shut down a machine or network, making it inaccessible to its intended users.5 DoS attacks have proliferated on online learning platforms, especially when using video conferencing applications such as Zoom.6 Ransomware and DoS attacks are to be expected, as schools and universities can be considered easy targets7 because they tend to have fewer security controls8 compared to enterprises. Enterprises typically have internal audit and security teams that review their IT infrastructure and suggest continuous improvements. Most educational institutions have limited resources to devote to IT security. For example, recently a US State of Nevada school district’s wages data were leaked after the school failed to pay bad actors.9 Another example occurred in the State of North Carolina, where a DoS attack that targeted a school district’s servers and encrypted information took down the servers and school Internet, causing school to shut down for days.10 In Virginia, USA, a ransomware attack occurred that obtained a Windows credentials extract from the school district servers, which included sensitive information such as student data and administrative documents.11 Student data on education portals are subject to the US Family Educational Rights and Privacy Act (FERPA) and other US federal privacy regulations, which govern access to educational records by public entities.12 FERPA also clearly forbids the disclosure of confidential student information (e.g., name, student identification number or Social Security number) in a personally identifiable manner, without the student or authorized party’s written consent. Thus, the increased risk of ransomware attacks and DoS attacks is a major threat that online distance education providers need to address.

Spoofing, Fraud and Data Theft
Spoofing, fraud and data theft also pose major issues for online education users. Spoofing, which includes fake portals disguised as a source known to the receiver, is often used by fraudsters to obtain authorization and details of students such as passwords and other sensitive information.13 This could lead to data theft, specifically personal and student data, which could be under the purview of privacy regulations such as FERPA and the US Children’s Online Privacy Protection Act (COPPA).

CONFIDENTIALITY AND INTEGRITY OF SUBMITTED WORK IS ALSO AT STAKE WHEN IT IS SUBMITTED ONLINE.

Confidentiality and Integrity Issues

Confidentiality and integrity of submitted work is also at stake when it is submitted online. It is possible that students could access other students’ data and information including submitted work, which could greatly affect the reputation of the course and the institution providing the learning opportunity. If there are not enough measures to ensure that the student course and personal data are secured, the confidentiality of the student data could be in jeopardy. Universities and other educational institutions should also consider using emerging technologies such as data analytics and blockchain,14 and enable trusted data sharing using a decentralized network of peers accompanied by public ledger. For example, blockchain is of genuine value in the identity and access management (IAM) space; however, there is a consensus that private information should not be stored on public blockchain networks. Rather, only individuals’ unique cryptographic identifiers should be stored and referenced.15 Online education must also be compliant with FERPA and other pertinent state, federal and international privacy regulations.

Conducting Online Examinations
Another important issue with online distance education is effectively conducting online examinations and assessments. Conducting examinations properly is crucial for ensuring the validity of the learning certificate. One solution for conducting online examinations is using an online proctor to ensure that students are not cheating; however, this is challenging, given that the latest technologies such as smart watches and smart goggles make it easier for students to cheat on tests.16 To maintain the integrity of the exam questions, it is necessary to ensure that students do not share details of the exam with classmates. It is not always possible for a live person to proctor an exam, and often universities make use of online proctoring software. However, rigorous studies need to be conducted to ensure that these software are effective in preventing cheating.

Human Error
Forty-seven percent of business leaders say human error, such as accidental loss of a device or document, have led to data breaches within their organizations.17 This is a risk for online distance learning as well. Users need to be aware of the cyberthreats on an online learning platform and ensure that they follow recommended best practices such as using the university’s virtual private network (VPN) when connecting to the university network and using multifactor authentication (MFA) whenever possible.

MANY PRIVACY AND SECURITY ISSUES CAN BE ADDRESSED USING PROPER FORMS OF AUTHENTICATION INCLUDING 2FA.

Solving Security, Privacy and Process Issues

Many steps can be taken by educational institutions to solve security, privacy and process issues, including:

  • Installing appropriate antivirus software—The issues relating to viruses, Trojan horses and worms can be addressed by ensuring that the school or the user has proper, updated antivirus software. Antivirus software is effective,18 but it should not be the only protection for a user’s computer and should be combined with other solutions that effectively protect against cyberattacks.
  • Proper forms of authentication including two-factor authentication (2FA)—Many privacy and security issues can be addressed using proper forms of authentication including 2FA. Even comparatively weak 2FA through Short Message Service (SMS) messages to a phone is effective in preventing 100 percent of automated attacks, 96 percent of bulk phishing attacks and 76 percent of targeted attacks.19 The use of effective authentication and authorization processes can address issues relating to spoofing and ensure the confidentiality of student work and personal data.
  • Remote scanning and prevention of unauthorized software installation—One way of managing cyberrisk is the remote scanning of systems and prevention of unauthorized software installation. Depending on the institution policy of students using their personal devices for learning, it may not always be possible to implement this, but enabling remote scanning, which can be done even for antivirus scans, is an effective method that educational institutions should consider while suggesting effective measures against cybersecurity threats.
  • End user training—End user training is one of the most important ways to thwart a cyberattack. Making sure learners are aware of the cyber best practices relating to access and authorization and proper training for cyberawareness are tremendously helpful. This training could be videos explaining cyber best practices followed by a short quiz to ensure that students understand the topic. This type of training and education helps address the cybersecurity risk associated with online distance learning.

Conclusion

Distance education has been revolutionized by the Internet. It has removed many of the barriers of age, gender, geography and social class that previously existed in education. There are many benefits to distance learning; however, there are also drawbacks, including security, privacy and process-related issues. Having the proper controls with regard to authentication and authorization of the user, using antivirus, using remote scanning of systems, and implementing end user training can help reduce the cyberrisk related to online distance learning and ensure the integrity and confidentiality of the coursework, student achievement and personal information.

Endnotes

1 Best Value School, “Is Attending College Online Cheaper Than Traditional College?” 2 September 2020, http://www.bestvalueschools.com/faq/is-attending-college-online-cheaper-than-attending-a-traditional-college/
2 Geeks on Site, “What Does a Virus Scan Actually Do? We Break Down How Virus Scans Work,” 14 April 2017, http://www.geeksonsite.com/computer-security/what-does-virus-scan-do-how-antivirus-software-works/
3 Secure List, “Digital Education: The Cyberrisks of the Online Classroom,” 4 September 2020, http://securelist.com/digital-education-the-cyberrisks-of-the-online-classroom/98380/
4 Encyclopedia by Kaspersky, “Damage Caused by Malware,” http://encyclopedia.kaspersky.com/knowledge/damage-caused-by-malware/
5 Palo Alto Networks, “What Is a Denial of Service Attack (DoS)?” http://www.paloaltonetworks.com/cyberpedia/what-is-a-denial-of-service-attack-dos
6 Raza, A.; “FBI Says Zoom Video Conference Vulnerable to Attacks,” Koddos Protection, 1 April 2020, http://blog.koddos.net/fbi-says-zoom-video-conference-vulnerable-to-attacks/
7 Guhlin, M.; “Are Schools Easy Targets for Cyber Threats? The Latest Report Says ‘Yes,’” Technotes, 9 October 2019, http://blog.tcea.org/schools-easy-targets/
8 Sebastian, G.; “Evolution of the Role of Risk and Controls Team in an ERP Implementation,” International Journal of Mechanical and Production Engineering Research and Development, vol. 10, iss. 3, June 2020, www.tjprc.org/publishpapers/2-67-1601875985-1477IJMPERDJUN20201477.pdf
9 Melendez, S.; “Report: Hackers Leak Student Data After Nevada School Officials Refuse to Pay Ransom,” Fast Company, 28 September 2020, http://www.fastcompany.com/90557175/report-hackers-leak-student-data-after-nevada-school-officials-refuse-to-pay-ransom
10 Kepley-Steward, K.; “National Guard Now Involved in School Ransomware Attack Investigation,” ABC 13 News, 25 August 2020, http://wlos.com/news/local/national-guard-now-involved-in-school-ransomware-attack-investigation
11 Gatlan, S.; “Fairfax County Schools Hit by Maze Ransomware, Student Data Leaked,” Bleeping Computer, 12 September 2020, http://www.bleepingcomputer.com/news/security/fairfax-county-schools-hit-by-maze-ransomware-student-data-leaked/
12 Morrow, S.; “Critical Security Concerns for the Education Industry,” Infosec, 14 July 2020, http://resources.infosecinstitute.com/topic/critical-security-concerns-for-the-education-industry/
13 Techopedia, “Spoofing,” 5 February 2018, http://www.techopedia.com/definition/5398/spoofing
14 Zyskind, G.; O. Nathan; A. Pentland; “Decentralizing Privacy: Using Blockchain to Protect Personal Data,” 2015 IEEE Security and Privacy Workshops, San Jose, California, USA, 2015, p. 180–184
15 Vanmaele, M.; “Who Goes There? How Blockchain Could Transform Identity and Access Management,” ISBuzz News, 18 January 2019, http://www.informationsecuritybuzz.com/articles/who-goes-there-how-blockchain-could-transform-identity-and-access-management/
16 Brown, D.; “Students Are Still Using Tech to Cheat on Exams, But Things Are Getting More Advanced,” Phys.org, 19 August 2019, http://phys.org/news/2019-08-students-tech-exams-advanced.html
17 Alton, L.; “Employees: Your Strongest or Weakest Link in Cybersecurity,” D!gitalist, 1 April 2019, http://www.digitalistmag.com/future-of-work/2019/04/01/employees-your-strongest-or-weakest-link-in-cybersecurity-06197394/
18 McMillan, R.; “Is Antivirus Software a Waste of Money?” Wired, 2 March 2012, http://www.wired.com/2012/03/antivirus/
19 Doctorow, C.; “Research Shows That 2FA and Other Basic Measures Are Incredibly Effective at Preventing Account Hijacking,” Boingboing.net, 20 May 2019, http://boingboing.net/2019/05/20/screw-security-nihilism.html

Glorin Sebastian, CISA, CISSP

Is an IT risk and security senior consultant at one of the Big Four accounting firms and has more than six years of relevant experience. He specializes in System Analysis Program Development (SAP) IT, and business and security controls.