Assessing the status of Cybersecurity in New Zealand Schools

MIT School of Digital Technologies lecturer Dr Sreenivas Tirumala.

The ransomware attack on Waikato District Health Board again put the issue of public sector cybersecurity in the headlines.

According to a Manukau Institute of Technology (MIT) lecturer, Dr Sreenivas Tirumala, the country’s school system is another area of potential vulnerability with the move to distance learning forced by COVID-19 lockdowns, as well as the growth of BYOD contributing to a forty percent increase in security breaches in the last twelve months.

As a ‘white hat' hacker, Dr Tirumala from School of Digital Technologies’ was asked to take a look at a school website. He says it was ‘quite vulnerable’ with the exercise getting him thinking about the protections and policies that are currently in place.

“What’s happening now is when you look at New Zealand schools, there is no standardized framework for cybersecurity and this could be true for schools elsewhere as well,” says Dr Tirumala.

The nation’s more than two thousand five hundred schools hold large amounts of data including student information, staff employment records, financial statements and assessment materials. While most have an IT support person who takes care of hardware, network and software, it’s highly likely that they do not have adequate skills in cybersecurity to protect this highly sensitive data.

“Cybersecurity is about three things: privacy, security and trust. Trust is built on how we have a framework making sure your personal information and identity can’t go out. Most assessments are stored online and it’s important for us to have a standardized security network to safeguard this,” says Dr Tirumala.

This has inspired a project to develop a set of benchmarks and reference points to provide to the Ministry of Education. The preliminary investigation for this is supported by a grant from InternetNZ, a community funding agency for high impact cybersecurity and internet research. The two other co-investigators on the project are Dr Sayan Kumar Ray, School’s Academic Leader of Research and Curriculum Development and Head of School Dr Nathan Rountree.

“The initial investigation in this project work will concentrate on the submission portals, websites and Wifi network of the schools to identify the possibility of compromising login to access information like assessments, pics, documents. This work will also investigate technical aspects like the strength of the passwords, open networks and open ports,” says Dr Tirumala.

The work focusing on schools is only one of several cybersecurity projects that Dr. Tirumala is undertaking. He has also received MIT Strategic Research funding to develop a low-cost malware analysis system for small-to-medium enterprises using simple devices like Raspberry Pi. Dr Ray is the co-investigator in the project.

“Attacks are common on organisations big and small. SMEs can’t afford protection. (In the system under development) all the analysis is done online with artificial intelligence, instead of having your own team to do malware analysis,” Dr. Tirumala says.

Another project Dr Tirumala has on the horizon is the creation of a ‘honeypot’ that network hackers are invited to attack so the insights collected can be used for cybersecurity malware detection and filtering.

Dr. Sreenivas Tirumala has published papers on artificial intelligence, cybersecurity research as well as a survey on cybersecurity awareness in various groups of New Zealand.

“Creating cybersecurity awareness in children and youth has become a necessity in this society”, he says.