Karlsruhe, 31. May 2022.“School hacked”, “Pupils’ accounts hijacked”, “Pupils’ data leaked” – these are the headlines in the media when schools are affected by a cyber-attack or a data breach. Data security is one of the most important aspects of digitalization of education, but it still poses some challenges for schools. Many schools feel left alone with the issue: What risks are data of pupils, teachers and parents exposed to? How can schools protect themselves? The school platform Sdui and the German Society for Cyber Security (DGC) within their new cooperation want to elaborate on the topic of cyber security. At Learntec in Karlsruhe, experts Philip Heimes (Sdui) and Philip Saladin (DGC) spoke about data security in schools.
Security is a particularly sensitive topic in schools because it involves information and the safety of children. In the analogue world, we take security measures for granted: we don’t let strangers into the classrooms; for example, the school building is locked at the end of the day and important documents are safely stored in the secretary’s office. In the realm of education digitalization, however, this is not yet a matter of course. As an expert, what do you understand by cyber security in schools?
Philip Saladin: Generally speaking, cyber security is about protecting data. In the school sector, this means in particular: Personal data such as name, year of birth, place of residence of pupils, grades, entries of class register, report cards or timetables. All this information is stored as data on hard drives, servers or in a cloud. The digital communication that takes place within the school community is all sensitive data.
It is part of the everyday life of schools that data is collected, processed, transferred, stored, archived and deleted. Therefore, it is also the school’s responsibility to protect this data from misuse!
Philip Heimes: That’s right. Protecting data from third parties is a basic need today. Cyber security in schools must have just as high a priority as other analogue security measures that we take for granted. Printed report cards, for example, would never lie around openly where everyone potentially could get access to it. We would regard careless handling of personal data as a massive violation of a child’s personal rights.
The reality with digital data, on the other hand, is that such violations often happen. Most of the time, this happens without malicious intent. Often, those involved do not even know that they are taking risks with their actions and exposing themselves to danger. Ignorance and the feeling of being left alone with such issues in the huge field of school digitization is a problem. We, Sdui and the DGC, therefore want to elaborate on the topic of cyber security. We want to help schools and stakeholders make everyday school life safer. Cyber security measures must become a matter of course in everyday school life, like locking the front door!
The times of home schooling in the pandemic are largely over. How important and significant is the topic of cyber security currently in schools ? Isn’t the topic overrated in view of the many other challenges schools face?
Philip Heimes: I think it is no longer appropriate to reduce the topic of school digitization to video conferences during home schooling. We see in around 5,000 schools that use Sdui that the handling of digital data runs like a thread through everyday life. Today, no one asks WHETHER to digitize, but HOW.
In the crisis, schools have become shapers of the digital transformation. Now it is all about making a virtue out of necessity. For me, this means raising the competence in cyber security in order to be able to assess risks. The more importance the topic of security in connection with digitalization gets the better.
Philip Saladin, the German Society for Cyber Security advises companies and public authorities on cyber security issues. In your experience, what are the biggest security risks for organizations?
Philipp Saladin: According to a survey conducted in 2021 by Bitkom e.V., the industry association of the German information and telecommunications sector, 31% of German companies are infected with malware such as ransomware attacks. So-called DDoS attacks, in which attackers deliberately overload certain resources and, for example, tremendously affect the servers with mass requests, equaled 27%. Spoofing, falsifying data to identify as another, and phishing, obtaining personal data with the help of fake e-mails, caused damage in 20 and 18 percent of the companies, respectively.
What do you see as the biggest security risks for schools?
Philip Saladin: The same applies to schools as to companies: People pose the greatest security risk. It starts with passwords that are written on pieces of paper or stuck to the screen as Post-its. In schools, different private devices are also used if there is no central device management. But even USB sticks belonging to others that are used still pose a security risk.
However, the biggest security gaps occur when software updates and security patches are not carried out. As simple as it sounds, I encounter such vulnerabilities every day: more than 50 percent of the highly security-relevant vulnerabilities could be closed by updates.
Philip Heimes: Of course, targeted hacker attacks from outside and inside are also part of the security risks. Schools, for example, are also affected by attacks with ransomware, i.e. malware that restricts access to systems in order to demand a ransom. This can paralyze the entire school because the attackers encrypt the data.
But pupils themselves can also attack the school and misuse data. Today’s kids are “natives“ in digital. So-called script kiddies often know better how to gain access to scripts and programmes than what is on the curriculum in biology.
What can be the consequences of attacks and data leaks?
Philip Saladin: In education, for example, if such data is improperly processed, discrimination and restrictions in the choice of education and profession can be the result. Besides, a school might get encrypted as a result of a ransomware attack and can no longer guarantee the continued operation of the school. Suddenly it is confronted with ransom payments and a potential breach of the GDPR.
Philip Heimes: There are consequences for the school’s operations and, of course, legal consequences. The worst, in my view, is when children’s personal fates are directly affected by a security breach – confidential information of a pupil that as a result ends up being public on the Internet, is further processed and perhaps even used for bullying. Such cases are unfortunately a reality and teachers can also be affected. Those who become victims of cybercrime often have to struggle with this for a long time.
Enough for the risks. Now, how can schools protect themselves? What can every school do for its security?
Philip Saladin: From our experience, I know that every employee who is trained in the area of security awareness is an added value. Very low-threshold tips that can make a big difference are:
Never open attachments in emails from unknown third parties. Never click on links that refer to dubious websites. Always lock your computer when leaving your workplace. Do not use USB sticks which you have supposedly received for advertising purposes.
Tips for IT in particular are: Use a vulnerability scanner that checks your network environment 24/7. Carry out software updates and security patches immediately after they have been released by the manufacturers.
Philip Heimes: I think a very important step is to create awareness about cyber security in the first place. Everyone in the school community can contribute to making the school data secure. However, all of this depend of course on the budget, because usually the necessary know-how and resources in the school are missing to make the systems secure and to check them continuously.
Fortunately, there are experts for this, such as the DGC. Cooperation with external experts like the DGC, who can help with the implementation of strategies, is also a good idea for educational institutions. And: schools should work with digital solutions that take school security seriously. Sdui does that – the issue of security is particularly important to us in building our platform.
Sdui is a platform for digital communication and organization at schools – what about security on the platform? How is it provided?
Philip Heimes: Sdui is GDPR-compliant and uses German servers. Schools that use Sdui don’t have to worry about where the data is stored and whether a company abroad is accessing student data. Sdui was already in touch with German schools when it was developed and is constantly improved to better meet their needs. A holistic approach to data security is important to us, which means that all actors involved in the school community must be able to move securely on the platform and communicate with each other – teachers, pupils and parents.
Sdui and the DGC want to cooperate with each other in the future to elaborate more on cyber security in schools. Why and what does that mean exactly?
Philip Saladin: Sdui and the DGC are two strong partners who want to raise awareness of cyber security together. We know the risks of digitalization and can help find solutions. In the future, for example, we want to assemble useful information and tips for schools.
Philip Heimes: Our aim is to empower schools and educational institutions for them to recognize risks and to be able to assess data security themselves. Creating awareness is the first step. And also knowing where to get help. We think it is important not to leave schools alone with the important topic of data security. Because: we can all contribute to making the internet a little safer for us and our children every day.
About the interviewees:
Philip Heimes, Chief Technology Officer, Sdui
Philip Heimes was born in Germany and went to the USA after his studies. In the USA he spent many years shaping the education landscape, most recently as Head of Data Interoperability at Power School, the largest American education technology provider. He has also led “K12 Data Interoperability Projects” for the Bill & Melinda Gates Foundation and the Michael & Susan Dell Foundation. He joined Sdui as CTO in February 2022.
Philip Saladin, Head of Sales Switzerland, DGC Switzerland AG
Philip Saladin is responsible for sales at DGC Switzerland AG. In addition to his sales activities, he is expanding strategic and international sales for DGC. Philip Saladin advises public authorities, non-profit organizations and private companies on cyber security issues and supports them in improving their cyber resilience.
Sdui simplifies communication and organisation in schools and daycare centres. The aim of the platform is to reduce the time spent on administrative tasks and to make learning more effective and accessible. For this purpose, Sdui develops GPDR-compliant solutions that connect teachers, parents and children. With features such as chat, video calls, cloud, timetable and translations, the platform creates the infrastructure for digital learning. Sdui was founded in Koblenz in 2018 and is now one of the fastest-growing start-ups in the German edtech industry.
As of May 2022, Sdui employs around 150 people and has reached more than 5,000 schools and daycare centres in Europe. For more information, visit sdui.de. sdui.de.
You can find more facts and figures about Sdui in the Media Kit here.
Head of PR & Communications
+49 261 13490865
About the German Society for Cyber Security (DGC)
As one of the leading providers of cyber security and data protection, the “Deutsche Gesellschaft für Cybersicherheit” (DGC) (German Society for Cyber Security in English) has been helping national and international companies since 2015 to exploit the opportunities of the digital transformation – and minimize associated risks. With its holistic approach and own products, the DGC provides comprehensive cyber security and IT-related risk management, including simulated hacker attacks, security awareness training and advice on security standards or emergency services in the event of IT security incidents. The company was named as one of the “1000 Europe`s Fastest Growing Companies” in 2022 by the Financial Times and statista. In addition to its headquarters in Flensburg, DGC is represented at five other locations in Germany and abroad. It is also a partner in the Alliance for Cyber Security and in the German Federal Association for IT Security (TeleTrust e.v).
More infos unter dgc.org
Press contact DGC: