Is Your Data Safe with Edtech?
Understanding why India's educational sector and edtech are the most cyber-attack-prone space globally, and how consumers and companies can be wary of internet malice
You're reading Entrepreneur India, an international franchise of Entrepreneur Media.
Upon resumption of offline schools, Kabir, a 13-year-old boy in the 8th standard of a well-reputed school in New Delhi, noticed a different line of conversation among his classmates, one that he had seldom heard before. He would hear discussions of which edtech platform is the best, how it helped his classmates and general critique of the same. While Kabir was aware of the developments in the sector, he had never given it much thought himself. But hearing his peers talk about how online learning gave them a push in their learning, he decided to give it a go himself. Upon registering with a top edtech company, he received a mail that asked him to download a certain software for the smooth operation of the app on his device. The naïve boy installed the app and learned the dangers of cyber attacks the hard way, with all his personal information accessed by a hacker.
With the increased dependency on devices for work and learning, it is not a shocking discovery to learn that the risk of cyberthreats has only increased during the pandemic. However, in the case of India, there has been a great increase in such threats in the booming edtech industry.
A recent report compiled by Singapore-based digital risk management enterprise CloudSEK found that India is the biggest target of cyber threats to educational institutions and online platforms. The report, titled "Cyber Threats Targeting the Global Education Sector", said that this was a consequence of the adoption of remote learning during the COVID-19 pandemic, digitisation of education, and prevalence of online learning platforms in the country.
To discuss the validity of the report and the extent of the increase in cyber attacks in the past couple of years, Entrepreneur India reached out to several top edtech platforms and discovered that this was indeed a fact. However, the reasoning that the report gave out, which basically related the increase to the increase in scale, is not the only issue here.
Cyber is an issue
Renowned cyber security consultant Sunny Vaghele, Founder & CEO, Techdefence, says that the reason is not really simple, but multifold. "Trend in cybersecurity is shifting from application and server based attacks to attacks targeting users. Today, user data is the most important asset that any business can leverage. So, if a big edtech company's IT infrastructure is breached, the hacker has instant access to the personal information of millions and millions of students. The hacker can dump this data online and make a quick buck. This data can be used for marketing by other companies, it is also a possibility that gaming providers can try to access this data due to the age group," he tells Entrepreneur India.
Now, there are two ways to target an edtech platform's business: directly targeting the user or targeting the application. The users, since they are in a young age bracket, are susceptible to these attacks as they are not mature enough to understand whether the content they wish to access has malicious intent or not.
"By engaging with these sites, you leak out information to a hacker that you are a user of an edtech product. They may send in disguised emails which can contain faulty links which then can give them access to your device's audio and video and other sensitive information," Pankit Desai, Co-Founder and CEO at SEQURETEK, told Entrepreneur India.
Such cases will absolutely go up, he further asserts. As the number of people onboarding onto edtech platforms increases, more people will get impacted.
"These platforms need to be more agile to spread the word about the threats that are associated with the use of their product. This inculcation of knowledge needs to be part of the onboarding process when acquiring a new customer," he adds.
Speaking about government regulations on the same issue, Desai said there are data privacy regulations that need to pass, but it might take as long as 4-5 years for them to see the light of day. He believes that since these companies are working with kids, they need to make it a point to ensure cybersecurity before putting their product in the market and also to alert the users about the same.
As Vaghele pointed out earlier, hacking the user is one thing. The bigger fish to catch is hacking into the system of these edtech platforms. He points out that most of these startups are not focused on cyber security in the initial period of development. Most of their investments are focused on marketing and increasing their valuation. A lack of security investment is what opens them up to attacks.
"I have been hearing from my students who work for or around these companies that when they report a problem with their cyberinfrastructure to big edtech companies, rather than appreciating the effort, what they do is they create a legal mess for them. After the letdown, the ethical hacker might also get frustrated and can sell off the vulnerabilities and the one who buys them can further exploit them. Most hackers are looking for bounty, which such companies report to pay. If your application has a problem and the data of the millions of people on board with your application, a hacker can make a decent pay check from selling that information," he adds.
Vaghele said that the edtech companies need to carry out responsible disclosure programs, and when an ethical hacker approaches them with issues, there needs to be internal discussion and an appropriate bounty should be awarded. Vaghele further elaborates that 90 percent of data leaks come from insiders while 10 percent of these attacks come from competition, who loop in ex-workers of a company to find flaws in the business logic and exploit the same. "I have been approached by a company which fired around 800 people recently. They said that they have witnessed certain algorithms and aspects of their business leaked out in the market, and also people are trying to play around with our data. How do they find out who among the 800 has dumped the data? I suggested forensic investigation to find out who's behind this. But there is another roadblock there as a lot of employees are using their own devices. You have jurisdiction on your company owned devices, not on the employee's," he highlights.
What are companies doing to address this?
Since no specific regulations are in place at the moment, the onus of maintaining a robust cyber security infrastructure lies solely on the companies operating in the space.
Akshay Chaturvedi, Founder and CEO, Leverage Edu, confirms that the increase in risk is owed to the company's own employees. "That's the case because most edtech companies have massive sales teams and there is less fight over data access internally. As you become a team lead in an edtech organisation, you get access to a lot of data. And if you don't want to play by the rule book then you have an opportunity of leaking this data rather conveniently," he elaborates.
In his company's case, Chaturvedi points out that the company has had to comply with international regulations since day 1, as a large chunk of its business comes from external markets. "We are bound by General Data Protection Regulation (GDPR), a requirement to work on data in the EU. So even when our incoming investors come in and ask for existing student data to verify our results, we can't really divulge that data," he said.
Chaturvedi said that the issue might grow with scale for a lot of companies, but for Leverage, whose business relies a lot on foreign-based universities, the issue may not arise. "To be honest, the universities don't care if we scale or not. What they care about is data privacy as these are students entering their borders and it's a more macro issue. They have to be very careful of the PI of these students. If I don't have the necessary infrastructure to take care of the data of the students, the universities get issues. Hence, I do not mind scaling two years later and playing by the rules, because my business is dependent on the cyber security infrastructure," he adds.
UpGrad, another top name in the edtech space in India, also complies with GDPR. The company's Co-Founder Phalgun Kompalli asserts that the issue might become a massive problem for everybody in the space if they are not careful with their systems and processes. He explains that a platform like theirs has a lot of engagement with a user on a daily basis, generating about 3,000 data points per customer. Further, there is the timing of one's use of the system, career support, payment information, and many other kinds of sensitive data. Ensuring the protection of this data is of paramount importance, as one major mishap could tarnish the brand image.
Kompalli also highlights an interesting undertaking of the company to address the issue. "So, we have a lot of students who are enrolled with us learning cybersecurity. We are planning to have a bounty competition where all of our existing cybersecurity students can engage in an ethical hacking competition, where they are supposed to hack the UpGrad system, for a bounty. In the process, we will be able to identify the bugs and patches in our system while simultaneously giving the students a learning opportunity."
Desai comments that vigilance needs to be taken up more seriously on the consumer front. There are many options to ensure the cybersecurity of your ward, but the parents need to educate themselves first about the threats associated with edtech and use detection systems that can help them monitor their kids' activity online and identify potential threats. "Netmanning is the term that is used here, and there is software which allows you to do that. Edtech companies should also evangelise the use of such oversight software with their products. They should convey to the users that there are cyber risks involved and maybe also look into partnering with these software companies and make parental oversight a norm of sorts," he advised.