Dutch educational institutions are increasingly becoming victims of cyber crime. A recent incident involved ROC Mondriaan, a secondary vocational education institute in The Hague region, which had to start the school year with a limp in September after being hit by a hack.
According to research by Kantar, commissioned by IT organisation Breens Network, Dutch education administrators keep underestimating the threat of cyber crime.
Digitisation in education is increasing rapidly, not least as a result of the coronavirus pandemic. The Netherlands has high-quality, digitised processes and an intricate communications infrastructure that many educational institutions were quick to exploit when the health crisis erupted.
Reports of distributed denial of service (DDoS) attacks, digital break-ins and ransomware have also increased in the education sector. In fact, many institutions have to deal with such attacks on a regular basis. This was reason enough for Breens Network, a Dutch IT service provider in the education sector, to investigate the state of security and risk awareness in the Dutch education sector.
“The results are downright alarming,” said Breens CEO Geert-Jan van der Snoek in the foreword to the report. “The question arises whether the education sector is sufficiently aware of the risks. Not only from the perspective of the educational institution, but also from that of the director, and whether one knows what can and must be done to limit the risks. If it turns out that about 60% of educational institutions spend 5% or less of the IT budget on privacy and security, then the answer to that question must be ‘no’.”
Role for government
Kantar’s research painfully exposes what is lacking in Dutch education when it comes to cyber security. The conclusion is that although the management is responsible for the digital security of the systems and data of the educational institution, they are often insufficiently aware of this or ill-equipped to deal with it.
Geert-Jan van der Snoek, Breens
The report also offers directions for solutions. For example, the IT organisation believes the government should play a role in helping educational boards create a sustainable, cyber-secure learning environment.
In the business world, companies are required to include a section in their annual report that shows what is being done to secure systems and create awareness. The government could also require something like this from administrators of educational institutions, requiring them to describe in their annual reports what measures they have taken to create a cyber-secure environment.
It is not only ransomware and hacks that pose a danger to educational institutions. Many schools and universities have to deal with digitally skilled students who can easily bring school systems to a standstill by means of DDoS attacks.
According to the website Veiliginternetten.nl, 3.4% of young people in the Netherlands have penetrated a digital education system at some time. Once in, they are able to change timetables, adjust grades or defraud the system of absenteeism.
In December 2020, Radboud University in Nijmegen had to cancel an exam due to repeated DDoS attacks. These kinds of attacks cause a lot of inconvenience, but it is even more damaging when malicious parties capture sensitive and personal data.
For example, earlier this year, hackers stole the personal data of 56,000 students and employees at Inholland University of Applied Sciences and then offered this data on internet forums. And Maastricht University was hit by ransomware at the end of 2019, resulting in it paying a €200,000 ransom and suffering financial and reputational damage.
Digitisation of education crucial for Dutch economy
The Netherlands views itself as a knowledge economy. To raise the growth potential of that economy to a higher level, education is crucial. The Netherlands is in the European top five when it comes to digital skills and up-to-date curricula in this field. Moreover, the pandemic has further accelerated the digitisation of education. Yet there are still plenty of opportunities in this area that are insufficiently exploited, such as augmented reality, learning analytics and serious gaming.
But an education landscape that is becoming increasingly dependent on digitisation and IT must be sufficiently aware of the dangers that this progress entails. Kantar’s survey shows that four out of 10 institutions have experienced problems in the area of IT security. Microsoft figures show that in absolute numbers, the Netherlands is attacked less than America or China, but proportionately, Dutch education is interesting to hackers in terms of available data. According to Microsoft, 60% of all attacks are aimed at education.
The most frequent attacks in the Dutch education sector concern ransomware, followed by DDoS attacks, malware and failing infrastructure. This results in unnecessary loss of time and energy, reduced accessibility, extra security costs, loss of continuity, recovery costs, damage to reputation, loss of data and ransomware.
Remarkably, 12% of education administrators surveyed by Kantar believe that an attack has had no impact. And while almost half of respondents said they would like to pay more attention to cyber security, 13% said they have no plans at all to improve security.
Of the total IT budget at Dutch educational institutions, an average of 11% is spent on IT. Of this, less than 5% is spent on security. This is a startling difference to the 25% that is spent on IT security in the Dutch business sector. Kantar concluded in its report that underestimation is the main reason that educational boards do not give security the attention it deserves.
Movement towards better security
But it’s not all doom and gloom in the Dutch educational landscape. Something is definitely being done in the sector when it comes to cyber security.
For example, earlier this year, VO-Raad, a Dutch association for school boards and schools in secondary education, sounded the alarm at Google and others regarding the privacy risks for primary and secondary educational institutions that use Google G Suite.
This led to the establishment of the Network IBP (information security and privacy), which is aimed at anyone at an educational institution concerned with security and privacy issues.
Research by VO-Raad, among others, shows that progress has been made in all areas compared to last year. However, more attention needs to be paid to raising awareness among everyone within Dutch educational institutions. Although there has been movement in the Dutch educational sector towards better IT security, more needs to be done to keep cyber criminals at bay.