(Israel21c) – Our kids being the tech mavens that they are, you’d think that they’d know all about cyberattacks and how not to fall prey to one. They don’t. And for a very simple reason: No one talks to them about it.

“Parents aren’t aware of the risks and therefore can’t explain them to their children, so the kids don’t act responsibly on their phones in terms of cyber,” explains Oleg Brodt, the chief innovation officer for cyber at Ben-Gurion University of the Negev.

“For example, they download apps from unsafe sources, they press links that come from people they don’t know, and they take photos that can often embarrass someone or even their future selves, and all this is happening on their mobile phone, which is very hackable.”

Neither teachers nor parents are familiar with the issue, let alone the solutions, he notes.

As the new school year starts, we caught up with Brodt, who heads research and development at Cyber@BGU, the umbrella organization for cybersecurity research and collaboration at BGU, to learn more on the issue of cyberattacks in the field of education.

No black hoodies

Brodt says we need to differentiate between schools and universities, as well as between two types of attackers.

“In the movies, we see the hacker as a character in a black hoodie, but that’s not actually how it is. These are full-fledged organizations. They’re crime organizations with a CEO, a CFO, a human resources manager and employees who happen to specialize in cyberattacks.”

These organizations specialize in ransomware attacks, in which hackers encrypt their victims’ data or threaten to leak it unless they get paid a stated amount. And since they’re out for money, they tend to choose victims who can pay them: private companies, large organizations and, at least in the United States, colleges, private schools and public-school districts.

According to a recent report, this year the data of children from around 1,200 schools across the US was published by ransomware groups.

“In the States, we’re seeing significant growth of attacks on schools. Schools there are undergoing digitalization processes and they have the ability to pay money,” Brodt says.

In Israel, schools aren’t as vulnerable to cyberattacks because they’re less digitized in general, but they do suffer from data leakage. This can happen when education personnel use apps that aren’t well-protected. Only recently, data from an app used in schools for Covid tests was found to be easily accessibly online, including the children’s names, ID numbers and medical status.

Israeli universities take greater cyber-protection measures but often these aren’t enough. Bar-Ilan University, for example, is dealing with a ransomware attack that encrypted the research of some faculty members and led to leakage of personal data of students and employees.

Unlike schools, universities are susceptible to attacks from both ransomware groups and state actors.

“If the attacker is a ransomware group, then it can attack the university and encrypt whatever it can to obstruct the university’s regular activity. If it’s a state actor, then clearly what interests it is valuable research, for example research that can be used for security purposes,” Brodt says.

“It remains mostly undisclosed to what extent these attacks happen in Israel, and what data was stolen, like in the case of the Chinese espionage campaign that hit Israeli institutions in 2019-2020,” he notes.

“In the US, we keep seeing attacks on academic institutions, both ransomware attacks and others. About a decade ago, Americans started seeing attacks on their high-tech companies. It was called Operation Aurora and has been attributed to the Chinese, who tried to obtain commercial secrets from private companies such as Google as well as from universities.”

Important tips

Here are Brodt’s top tips on how to be cyber savvy.

1. Don’t click links from people you don’t know.
2. Don’t download apps from anywhere that isn’t an official app store.
3. Always activate two-factor identification in your apps. A password isn’t enough; you also need another means of identification. That way, even if the password leaked – and there’s no shortage of passwords leaking from all kinds of apps – it still won’t be possible to access the app.
4. Operate on the assumption that everything on your phone can be leaked or has been leaked. That means all your passwords, messages, emails and photos could easily be out in the open. So don’t store embarrassing photos or write embarrassing emails on your phone.