Source: Post Primary Teachers Association (PPTA)
Keeping schools cyber-resilient and secure increasingly involves blurring the line between teachers’ work and home lives
I completely understand the reluctance to use your personal device for school purposes …. however, I heard all about cyber-attacks in schools and that feels like even more of a risk. – Melanie Webber, PPTA President
Cyber crime does not know boundaries and cyber criminals do not look for victims, they look for opportunities.[1] In a world that is experiencing an increase in cyber-attacks, we need to ensure our schools are cyber-resilient and secure. The changing digital landscape and adoption of cloud technologies provides an opportunity to achieve and promote cyber-resilience.[2] It also seems to blur the line between work and home.
Melanie’s comments above were in response to members’ concerns about the increasing encroachment of our work lives into our personal spaces, privacy concerns and the stress caused for schools and teachers who have been victims of a cyber-attack. This set the PPTA Te Wehengarua National Office professional team to research the concerns and advice.
Cyber-attacks more sophisticated
New Zealand is recognised as a country vulnerable to cyber-attacks[3] and they affect NZ schools frequently. Attacks are becoming more sophisticated all the time – and less discerning about their targets. Sjouwerman (2021) states that “the majority of successful cyber-attacks start with a person intentionally or unintentionally fooled into clicking somewhere they shouldn’t”[4] and he highlights that people have a bad habit of reusing the same passwords in multiple places.
Hutt Valley High School was the victim of an attack in early 2020 and has been proactive about communicating with other schools about minimising the chance of a hack, including backing up systems, outsourcing network support to a company that has experience running complicated networks, and having cyber insurance.[5]
2FA can prevent up to 99% of untargeted attacks
The Ministry of Education (MOE) advises that some of the simplest ways to ensure good protection for school accounts is to enforce strong, unique passwords and set up two-factor authentication (2FA) on key accounts.[6] The MOE Digital Security team believes that using any method of 2FA (sometimes called multi-factor authentication) increases your defence against the most common
online attacks, in fact Microsoft and Google state it can prevent up to 99% of untargeted attacks from happening.[7]
Obviously, we’re provided with laptops to be able to use in school. Is it an encroachment to expect staff to use their personal devices for school purposes? – Member question
It is difficult to carry out the job of teaching and learning without using a computer and improving cybersecurity in schools is a team effort. Requiring authentication can protect from having your identity “stolen” and then unlawful and/or damaging activity being carried out using this stolen identity. It does not seem unreasonable for schools to be asking members to use their cell phone for authentication to provide safety and security.
I’m concerned about having to install a work-related app on a private phone – Member comment
The apps you use on your personal device is a personal choice however, the Microsoft or Google Authenticator is highly recommended for teachers for their own personal emails or personal social media (like Facebook) as well as school. Authenticator uses no bandwidth and grants no access to the school, where school email may involve using data to download email or require school IT policies to be enforced on the device.
“There should be agreed policy for ‘how this data will be used’, what about privacy” – Member concern
Schools should communicate with staff about any software they suggest using. Schools are required to be open about what data is collected as part of any service and the purposes that data can be used for. This may be done per service or under a common ICT Policy/school wide Privacy Policy. [8]
If a school has set up the Authenticator App with the default settings, you should only need to authenticate once at school (and once if using the laptop at home). The password generation key is held on the device (secure enclave) and Google or Microsoft do not have access to that.
“I am much less happy about having an app that is collecting GPS information…” – Member concern
Authenticator apps do not require or generally use GPS tracking to work. You do not need to have any other apps (e.g., Outlook) on your phone to use an authenticator app. The school can set a policy that states you must be in New Zealand to access school data.
If you are using the App just as a passcode generator, you should not have to grant GPS access for the application. Both Google Workspace and Microsoft Office365 allow you to use either Google or Microsoft Authenticator to generate the one-time codes for basic authentication so a user should be able to choose which application to generate one-time passwords.
“I did ask the IT guy if there was an alternative to the app…” – Member comment
You can request that the authentication is via a text message however Google Authenticator is more secure therefore is preferred over text based one-time passwords. Text message based 2FA uses similar security protocol, but the text message (SMS) is generated by the server and sent to the phone. The text message that is sent can be intercepted or compromised (SIM-jacking), which is why most modern security standards do not suggest or offer it. Using SMS based one-time passwords is however better than having no 2FA at all.
“What if you don’t have a phone?” – Member question
Hardware tokens (such as YubiKey) or a school provided phone can provide a solution for those reluctant to have the authenticator app on their personal phones, but with added cost and complexity. One reason that TOTP (Time-Based One Time Password) Apps are more popular is that they are “free” on the phone, whilst hardware tokens incur the challenges of procurement and replacement if lost. TOTP or authenticator apps do not need data to work and don’t access any other parts of your phone.
If a member does not have access to a cell phone, then the school should provide one which has minimal credit – sufficient to receive a txt each time authentication is required. This can, however, be a considerable inconvenience – you need to keep the phone charged and with you for the infrequent times authentication is required.
“We certainly need to be looking carefully at any further encroachment of our work lives into our personal spaces.” – Member opinion
We have to reach a balance between our personal and professional lives. We also need to find a balance between the practicality of making sure the data we hold about our schools and students is safe and this balance will always be a challenge. Given authentication apps do not track location, use data, or give access to other apps or information on a phone, they are a convenient way to maintain security, using a tool that is already available to our members with no additional cost. Information on what 2FA is for staff.
If you have concerns about using an app on your mobile phone, talk to your principal about using text-based 2FA or getting some security keys (such as YubiKeys) to use instead.
The MOE Digital Security team is running a pilot using Yubikeys and how to use them for 2FA. They want to get feedback on how well their support/instructions work. If you are interested in participating in the trial or have any concerns or questions about securing systems or managing IT in general, email the team at cyber.security@education.govt.nz.
“My school was the victim of a cyber-attack in 2020 and we lost EVERYTHING, it was an actual nightmare.” – Member comment
Strong unique passwords and using 2FA to log in are the best things you can do to protect your systems. For other advice on responding to an online incident, the Ministry has advice online at www.education.govt.nz/ict-incidents
Teachers and students use the internet to connect with each other, share information, and learn and we want that to be as safe a space as possible. PPTA does not endorse any particular ‘authentication’ system and maintains the right of teachers to decline to use personal devices for such processes.
[1] https://securitybrief.co.nz/story/new-zealand-named-amongst-most-vulnerable-countries-at-risk-of-cyber-attack
[2] https://www.education.govt.nz/school/digital-technology/your-schools-ict-network/te-mana-tuhono/
[3] https://securitybrief.co.nz/story/new-zealand-one-cyber-five-apac-countries-most-risk-cyber-attacks
[4] https://www.forbes.com/sites/forbestechcouncil/2019/12/23/seven-reasons-for-cybercrimes-meteoric-growth/
[5] https://www.stuff.co.nz/national/education/125676970/cybersecurity-threats-against-schools-on-the-rise-report-finds
[6] https://www.education.govt.nz/school/digital-technology/
[7] https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
[8] https://privacy.org.nz/privacy-act-2020/privacy-principles/3/