Cybersecurity – why schools are not immune to cybercrime

13 Aug 2018

Schools are increasingly using online systems to communicate with students and parents, but how can they protect their online systems and privacy and avoid cybercrime incidents? Caitlin Meers, Associate with Snedden Hall & Gallop, explains that the answer lies in awareness and education.

Students and parents can connect with schools and their representatives after hours, online and by social media. This allows schools, parents and caregivers to ensure that they communicate critical information in real time and as soon as possible. With the volume of communications and the variety of communication methods, there is a significant risk that unauthorised personnel could steal, misplace or use information. We generally refer to this inappropriate use of personal information as cybercrime. The risk of cybercrime increases when staff use school infrastructure for personal tasks.

Types of cybercrime

Cybercrime is a significant issue for all Australians. The Australian Federal Police and Commonwealth Attorney-General estimate that identity crime costs Australians at least $1.6 billion per year. Approximately $900 million of this is stolen via credit card fraud, identity theft and other online scams.

Cybercrime comes in many forms. For example, a company doesn’t adequately secure its customers’ credit card details and those details are later released online. When this happens, criminals can access them and use them for profit and/or gain. Other examples include:

  • malware (malicious software)
  • ransomware (where hackers steal and hide electronic files then post a ransom for organisations to pay to release those files)
  • phishing (where cybercriminals trick you into doing something, such as clicking on a link that looks like it goes to your bank, but doesn’t).

Software-based cybercrime can be sent directly to school email addresses. This can be through bots (a ‘bot’ is an application that performs an automated task), students or parents. It can also be imported into school IT systems by staff and students opening personal material on computers connected to the staff network, or connecting corrupted USB or other external storage devices.

Incidents of cybercrime are generally reported to police and dealt with under the Cybercrime Act 2001 (Cth), Crimes Act 1914 (Cth) and Criminal Code Act 1995 (Cth). States and territories have often passed mirror legislation. Where charges are laid, the Department of Public Prosecutions in the Commonwealth, state and territory jurisdictions conducts the prosecution.

Why is it important?

Schools often secure their physical presence by using alarm systems and security patrols. They also record and barcode items of school equipment (for example, laptops and televisions) to limit physical theft. However, as information is increasingly, and exclusively, held electronically, schools must ensure they secure their electronic presence as well.

What is the risk to your school?

Schools are different from traditional businesses. Many businesses, especially those who trade online, will hold key information relating to their customers, which usually includes full names, addresses (either home or postal), credit or debit card information, email addresses and contact numbers. It is clear that any of that information in the wrong hands is a significant issue for the business operator and customer as personal information can be illegally accessed and distributed.

Schools are in a unique and dangerous position, in that they hold a large amount of personal and sensitive information about minors (dates of birth, home addresses, allergies or other medical concerns, and histories of immunisation). Schools are also often provided with information relating to sensitive and highly confidential child custody arrangements and domestic violence orders.

While the risk of release of personal information is a critical one for schools, parents and students, schools also need to ensure they are aware of the risk to their own operations if someone hacks or otherwise interferes with their systems.

The additional risks for schools include the inability to access required personal information; inability to distribute key information to parents and students; inability to access school financial accounts (including the ability to make repayments); and unauthorised disclosure of confidential and internal staffing material.

This is why schools must ensure that they do everything possible to secure their systems.

What can schools do?

There are a number of things schools can do to ensure their online safety:

  • Ensure they have adequate and qualified IT staff. These staff members should implement and manage virus-detecting software.
  • Have policies in place for students. These policies advise students about what information they can load onto the school’s networks (if any) and any associated risks.
  • Implement a detailed and current privacy policy. This policy should specify how the school will deal with all personal information it holds. It should be available on the school’s website and distributed to all those who provide personal information to the school.
  • Implement employment policies. These policies should advise staff about how they can use the school network and the safe use of technology.

How can Snedden Hall & Gallop help you?

If your school does not have IT and privacy policies in place, or you are not sure if they have been tailored to your needs, the experienced Business Law team at Snedden Hall & Gallop can advise you on the best solution for your needs. If you have a specific issue with a school employee’s use of your school network, please call us today for assistance, on (02) 6285 8000 or by email here.