Mobile Guardian Compromise Highlights Need for Cybersecurity Commitment From the Education Sector’s Key Stakeholders
Everything is a target. Everyone is a possible victim.
That is the sobering reality of what is now a threat-infested digital landscape that sees hundreds, if not thousands, of cyber attacks worldwide every single day.
The hardest hit has been the manufacturing sector (accounting for 25.7% of recorded cyber incidents in 2023), followed by finance and insurance (18.2%), professional services (15.4%), energy (11.1%), and retail (10.7%). Rounding out the 10 most attacked industries globally are healthcare (6.3%), government (4.3%), transportation (4.3%), education (2.8%), and media and telecommunications (1.2%).
Manufacturing, finance and insurance, energy, retail, and government making this unfortunate hit list hardly seem surprising. However, the fact that healthcare and education are also heavily targeted underscores the point: Everything is a target. Everyone is a potential victim.
And, only recently, the education sector fell victim once again to nefarious actors who gained unauthorised access to the Mobile Guardian app—a device management app similar to Android’s Parental Controls—and wiped the users’ gadgets clean. The breach was reportedly part of a “global cybersecurity incident” that affected Mobile Guardian users worldwide—including some 13,000 secondary school students in Singapore who use Chromebooks and iPads as personal learning devices.
The incident prompted the Lion City’s Ministry of Education (MoE) to order the removal of the app from the students’ devices. The MoE also promises to send IT roving teams to schools and provide additional learning resources, especially since some students were unable to recover their data—classroom notes, learning materials, and other vital resources—after the breach.
“As a precautionary measure, MoE will remove the Mobile Guardian Device Management Application from all iPads and Chromebooks,” said the Singaporean MoE. “Efforts are underway to safely restore these devices to normal usage. MoE is considering other mitigating measures to regulate device usage to support learning during this period.”
The Digital Terrain: Tricky, Torturous, Terrifying
Curiously, this latest incident comes just four months after a previous data breach involving the same app—this time via its user management portal—that resulted in cybercriminals gaining access to the personal information of parents and staff from five primary schools and 122 secondary schools. The use of the device wasn’t affected in this case, and it remains unclear what the threat actors did with said personal information. But it was apparently a harbinger of things to come, leading to this recent incident that only highlights the tricky terrain the education sector needs to navigate as it looks to benefit from digitalisation.
That’s why educational institutions navigating this tricky digital terrain will have to embrace cybersecurity and make it a pillar of any digital transformation initiative.
“The recent incident with Mobile Guardian underscores the urgent need for educational institutions to implement a comprehensive and multi-layered approach to cybersecurity. This approach must include stringent vendor management practices and robust technological defences,” Darren Guccione, CEO at and Co-Founder of Keeper Security, told Cybersecurity Asia (CSA). “The remote wiping of student devices serves as a stark reminder that cybercriminals will exploit any vulnerability in digital platforms, highlighting the importance of strong cybersecurity measures to protect these systems. This is especially crucial for platforms safeguarding the educational experience of young learners.”
Then again, this is not surprising. As Kelvin Lim, Senior Director, Security Engineering, APAC, at Synopsys Software Integrity Group pointed out to CSA: “In today’s world, where business logic and decisions are processed by applications, software risks are business risks.”
Indeed, going digital is a risk, and the Mobile Guardian incident, according to Singh, only “shows the need for strong cybersecurity to stop unauthorised access,” and that “addressing these issues can improve the security and reliability of digital tools in education.”
The question then is, how?
Embracing Cybersecurity
A good start, according to Guccione, is for educational institutions to “rigorously evaluate their third-party vendors” to ensure they adhere to the highest standards covering data privacy, security, and internal controls across native and cloud applications”—with an eye out for SOC 2 Type 1 and 2 and ISO 27001, 27017, and 27018 certifications. Educational institutions must also conduct regular audits and require vendors to provide proof that their security controls can actually help mitigate risks.
Guccione also identifies these steps as non-negotiable:
- Craft an incident response plan. Institutions should regularly test and update their response strategies to ensure they can quickly and efficiently address evolving cyber incidents.
- Implement a zero-trust network architecture. Going zero trust within educational environments can limit access only to the resources necessary for users, and this minimises the blast radius in the event of unauthorised access.
- Continuous education and training for all stakeholders. School staff, students, and parents must be continuously trained in cybersecurity best practices, including recognising phishing attempts, securing devices, and understanding the importance of strong, unique passwords.
- Develop and enforce comprehensive security policies. These policies must cover all aspects of digital usage, from device management to data protection.
Similarly, third-party vendors like Mobile Guardian need to step up their cybersecurity game several notches higher, and they might want to take notes of Singh’s practical recommendations:
- Ensure supply chain security. Check the security of all partners involved in the app’s development and maintenance. Ensure third-party libraries and services are from trusted sources and updated regularly. Conduct regular penetration tests and manage external attack surfaces.
- Conduct code audits. Regularly review the app’s code to find and fix vulnerabilities in third-party components.
- Implement Mobile Threat Defence (MTD) solutions. Use MTD solutions for threat prevention, real-time monitoring, and response capabilities. For instance, an MTD software development kit can be added to the app to protect against cyber threats and secure sensitive information.
Parents and Students, Listen Up!
While the Mobile Guardian incident is by and large a cybersecurity issue, there is an aspect to all this that needs to be talked about just as much—and it’s something Lim pointed out to CSA: The wise and responsible use of technology.
“Upon the removal of the Mobile Guardian application on the students’ devices, the students will have more autonomy and flexibility in using their devices for learning,” Lim observed. “Parents and teachers will need to encourage and instil responsible digital habits and continue to monitor and guide students in using technology wisely.”
To this end, it is worth noting what Maslina Mohamad Nasir, Sales Director, Head of Public Sector, at Lenovo Malaysia, said in her commentary, “Digital Transformation in the Education Sector is Crucial for Student and Teacher Success,” for Disruptive Tech News, CSA’s sibling under the Asia Online Publishing Group umbrella: “Digital transformation is about more than just the technology that powers it. Its success is also driven by a robust ecosystem of collaboration between educators, parents, school administrators, IT teams, and technology partners. Ultimately, what students need more than anything is a human touch in an increasingly digitised world.”
This human touch, more than ever, is critical to ensure these innovations are being used responsibly.
Then again, it is just as important that tech providers and educational institutions ensure these innovations are safe to use and secure against threat actors.
After all, everything is a target. Everyone is a possible victim.