Chief Product Officer, driving next-gen innovation across Sophos’ portfolio of network and end-user security, and Sophos Central groups.
A year of living through a pandemic and quarantining has put a harsh spotlight on many things in the United States, but perhaps one of the least acknowledged is household cybersecurity. This is especially problematic when you consider the millions of adults and children who spent more of 2020 on their home networks than usual. Between remote working, virtual learning and Zoom get-togethers, we spent much of the past year on our home Wi-Fi — and as a recent survey we conducted reveals, this trend came with some serious, underreported cybersecurity risks.
The survey, conducted in February 2021, polled 1,000 adults with school-aged children (under 18 years old) — 94% of whom had their kids attending school through virtual learning. What those parents revealed highlighted a pernicious gap between how households think about cybersecurity versus how they are (or aren’t) acting on it — and how fears around household security have exploded during Covid-19. More troubling, these findings reveal the extent to which otherwise addressable security gaps in school-issued devices may have gone unaddressed over the past year, raising risks for schools as students return to the classroom with school-issued devices that may be carrying a year’s worth of potential vulnerabilities.
Most parents worry about ‘imminent’ cyberattacks at home and feel more at risk now than ever.
Two-thirds of parents surveyed expressed fear that their family would become the victim of a cyberattack at some point over the next year. That fear was compounded by a majority (51%) feeling that they were more at risk now of being hit by a cyberattack than they were 12 months ago.
It doesn’t take much effort to connect the dots here, and it’s no surprise that as families have spent more time than usual on their home internet over the past year, they’re feeling more worried than before about their own lack of household security. More time online means greater potential risk exposure, especially if your home Wi-Fi network or devices aren’t as protected as work or school networks.
It’s not just broad anxiety about cybersecurity in general; parents surveyed listed a handful of specific cyberthreats they’re most worried about, including:
• Viruses and malware (named by 54% of parents).
• Identity theft (43%).
• Social media hacking (42%).
• Financial fraud (42%).
Household security shortcomings pose risks for school-owned devices — and school districts themselves.
While cybersecurity at home seems to be a top-of-mind issue for parents, there’s a worrying disconnect between that awareness and actual action — a disconnect that has potentially serious implications for schools and especially school district IT administrators.
The survey shows that, depending on who owns the device or what the device is used for, perceptions of who is responsible for that device’s security can vary wildly. Nearly 40% of parents whose kids are using school-owned devices at home say securing those devices is solely the responsibility of the school. That isn’t an unreasonable assumption to make, but given how quickly schools were forced to shift to remote learning and get laptops, tablets and other devices out to students’ homes, it brings to mind two key questions: How secure were those devices when the school sent them to students? And with so many parents believing it’s not their responsibility to update them, is the school continuing to adequately and consistently secure these devices for students?
While the majority of school-issued devices are Chromebooks and iPads that don’t require updates and don’t feature antivirus software, the survey shows that the situation isn’t as clear-cut as every student using a school-issued device. The data revealed that 48% of households have used personal devices for school and homework, compared to just 40% that have used school-issued devices for those purposes. Additionally, 14% of households reported using company-owned devices for school and homework. On top of that, despite the vast majority of respondents saying they had children under 18 years of age in the house, a full one-quarter of this total group reported still not having a single school-issued device available for student use.
This lack of clarity around device usage for school purposes presents serious consequences for both parents and schools. For one, if school districts aren’t taking adequate steps to secure children’s learning devices, that can introduce major cybersecurity risks in the students’ households. It also means that as kids have used either school-issued, company-owned or personal devices for virtual learning, they’ve not only been open to security vulnerabilities, but they could now be potentially carrying those vulnerabilities back onto their school networks as they shift to in-person learning again — all because the schools either did not secure these devices to begin with or weren’t proactively monitoring and securing these devices throughout the virtual learning year.
What comes next for schools?
Given all this, it’s no surprise that some school district IT administrators may feel a little anxious about reintegrating devices that had been issued to students for the past year with little to no security. It’s imperative that school district IT teams take steps to make sure students aren’t unwittingly carrying malware or vulnerabilities from their home Wi-Fi back into the school. These include:
• Downloading and installing pending operating system updates.
• Updating antivirus software that may be lingering with currently out-of-date definitions.
• Conducting an audit of software installed — or uninstalled — on students’ devices over the past year.
• Setting up a temporary LAN for quarantining students’ devices as they’re scanned and cleaned of potential (or actual) malware risks.
• Reenabling any browser filters and social media controls that may have been disabled (or enabling them if they weren’t activated in the first place).
As schools ramp up in-person reopenings for students, school district IT teams must ensure that all school-owned devices being returned aren’t just cleaned of potential malware incurred over the past year but are adequately protected with new (and in some cases, long overdue) cybersecurity to ensure that students, either at home or in the classroom, aren’t subjected to these vulnerabilities again.