Business and Operations//
April 16, 2023
With every technological advancement comes a set of risks. According to Allianz’s Risk Barometer 2023, cyber-incidents rank as the most serious risk globally for the second year in a row.
For K–12 schools, cyber-attacks are happening more frequently than ever, with rates continuing to increase. A cyber-incident threatens student, faculty, and staff privacy; targets sensitive data such as personal and financial information; and can result in school closures and teaching and learning disruptions.
A new risk, however, is on the minds of cyber-security companies and organizations: ChatGPT. Here is what you must know about this popular platform. We’ll also discuss the latest cyber-security recommendations for K–12 schools from The Cybersecurity and Infrastructure Security Agency (CISA).
ChatGPT: A New Cyber-Security Risk
ChatGPT has taken over recent news and discussions. It is estimated to have reached 100 million active users in January—just two months after its launch—making it the fastest-growing app of all time.
ChatGPT is a natural language processing tool driven by AI technology that allows users to engage in human-like conversations. The app can answer questions and assist with tasks like writing emails, essays, and code. Almost every organization is investigating its capabilities—even schools.
Whether your school has prohibited the use of ChatGPT or embraced it as a creative tool, there are growing concerns about its potential for security-threatening purposes.
BlackBerry, a cyber-security organization, conducted a survey in January 2023 of 1,500 IT decision-makers across North America, the UK, and Australia. While respondents in all countries perceived ChatGPT as generally used for ‘good’ purposes, 74% acknowledge its potential threat to cyber-security and they are concerned.
One ISM member asked ChatGPT its opinion about its own dangerous potential. Here is the output:
But is there evidence of anyone using the app for malicious purposes?
Researchers at a security company, Check Point Re4search, recently published a report analyzing multiple major underground hacking communities. Their findings revealed there are already instances of cybercriminals using OpenAI to develop harmful tools.
In January 2023, researchers at cyber-security specialists CyberArk published a threat research blog that detailed how coders could use ChatGPT to create polymorphic malware—a type of malware that constantly changes its identifiable features to evade detection. While ChatGPT has built-in content filters preventing it from answering questions about precarious or problematic topics, there are blind spots. CyberArk’s experiment found a way to bypass that filter through “insisting and demanding.”
Others argue that, although ChatGPT’s ability to write malicious code is a real concern, it is a result of how it is used, not an inherent risk of the technology itself. All new technologies and innovations possess welcomed advantages and inevitable disadvantages.
The difference with ChatGPT is that the more input it receives, the better the outputs become over time.
Tune in to live webinars every week during the school year to get specific, research-backed insight you can immediately apply at your school.
What Can, or Should, My School Do?
While there are no ChatGPT-specific recommendations for cyber-security yet, its potential is a reminder to continue bolstering and implementing cyber-security measures and procedures at your school.
The Cybersecurity and Infrastructure Security Agency (CISA) released a report in January 2023 titled: Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats. Below is a summary of their findings and recommendations.
Invest in the most impactful security measures.
Each school has its own strengths, weaknesses, and varying needs when implementing cybersecurity measures. There are relatively simple actions to minimize the risk of a harmful cyber-attack that every K–12 school can take.
Start with a few of the highest-priority steps. For example, implement multifactor authentication, which is a layered approach to securing online accounts and data. Fix known security flaws and vulnerabilities. Develop a cyber-incident response plan.
Develop a customized cyber-security plan. Your plan’s objective should be to define a target maturity state for your school with an outlined route to achieving this state. Incorporate checkpoints to evaluate your progress to inform further investment.
Identify and address resource constraints.
Many schools are making the most of limited cyber-security resources, and this lack is a significant obstacle to implementing effective programs. Here are two solutions.
Use free or low-cost services to make short-term improvements. Many trusted sources and institutions have published online guides, recommendations, and assessment tools. These offer valuable insights and starting points for schools with limited resources.
Ask more of technology providers and vendors. Almost all schools rely on technology companies for their IT and educational functions. Expect and ask that these organizations have strong security controls enabled by default for no extra fee.
Prioritize collaboration and information exchange.
Preventing and defending against emerging risks, vulnerabilities, and threats isn’t an undertaking you can pursue alone.
Join information-sharing forums, such as K12 Six, to receive alerts, research, and other cyber tools. Research state and regional associations and agencies that may provide additional help and information.
If your school experiences a cyber-attack, report the event to the U.S. government. Doing so is essential to help CISA better understand threats to develop more effective guidance, identify perpetrators, and help protect other potential victims.