This blog post describes my experiences. It may differ for you.
When someone hears the phrase “Cyber-Security”, they automatically think of either a hacker or some nerd in an underground lab. The problem is not the Cyber-Security community itself, it’s education. In many schools across the UK, Information Security is taught in an insufficient manner in primary schools, secondary schools and sometimes even universities. By this, I mean that tutors do not go into enough detail about cyber-security and they don’t put enough emphasis on how important it is.
When I was 10 years old, the only thing I was told was:
- Don’t tell anyone your passwords
- Make your password something that no one will guess
The problem with this is that we don’t get told why we should do it. It is natural human behaviour to dismiss something if there is no satisfying reason for doing it. Tutors in primary schools and secondary schools don’t emphasise information security enough to students.
This may not seem like a problem in the short term, but once someone has used a bad practice, they will know nothing better than using the same terrible practices over and over again, until they allow their accounts to get compromised in a security breach without realising that it’s their own fault.
Online Safety is also insufficiently taught
Online safety is taught in secondary schools in a student’s first year. However, once again I have seen the same fundamental problem: it’s not being emphasised enough to students how important online safety and information security are. I still see students using passwords such as “toffee123” or “chelsea13”.
Then there is the problem of online bullying and harassment between students. So far, in 2016, I have seen 3 social media attacks on students in my year from groups of “friends”. These bullying groups usually contain 5-15 people and usually attack a minority group or a single person.
It’s not just students with poor security
This section is just an anecdote. Feel free to skip it.
In late 2015, a group of students in my year teamed up and started trying to gain credentials of various staff members. I first encountered this group a few weeks before they were discovered, when I saw two of their members trying to eavesdrop on a staff member trying to type their username and password into a printer. At the time, I didn’t think anything of it, as I only saw 2 people, and this kind of thing had happened many times before. A week later, there were many rumours of this group gaining access to some staff members’ accounts on various websites. I didn’t know if it was true or not, as no one I asked could confirm it, but one thing did become clear – I was reasonably certain of who was involved in it.
Once again, I couldn’t verify anything, but this time, I knew much more about what they were doing and who they were targeting. A few days later, the group was uncovered by the technicians in my school. 1 student (the leader) was expelled, 7 students were given detentions every day for a week and the rest were spoken to by the behaviour manager. In total, 3 staff members were affected, with their usernames and passwords for various websites including banking services, email and other personal information being leaked. The personal information of many innocent students was leaked; as a result, a staff meeting was held in order to ensure that it won’t happen again.
So far I have seen no more incidents involving this group and the group seems to have been dissolved. The targeted attack described above was actually the second incident that I had seen from that group.
People don’t see their stupid security practices until they have actually been affected by a security incident / breach. We should do more in schools to teach people about the importance of cyber-security and also help people gain awareness of online safety, instead of just leaving this as a last option.