The multitude of devices that have entered our lives over the past decade have also entered the classroom, and the security issues we face every day are just as real in the school as they are in our homes or businesses. Tablets, computers, even smartwatches can be useful educational tools, but the personal data that they store, belonging to students and teachers alike, can be a major liability. As we prepare to go back to school, how can educational institutions protect their data and guarantee the security of their students and faculty?
The Risks of Flunking Cybersecurity
According to Verizon’s 2017 Data Breach Investigations Report, there were 455 security incidents in the US education sector last year. This sector has greater exposure and a crucial responsibility as schools handle a large amount of personally identifiable information, including financial and credit card data. According to the report, more than half of these incidents resulted in the disclosure of personal data — belonging to both students and employees — while just over a quarter resulted in the publication of materials subject to intellectual property.
In January of this year, a phishing attack on the Manatee County School District led to the disclosure of names, addresses, salaries, and social security numbers from more than 7,700 employees. More recently, the WannaCry ransomware affected schools and universities in China, negatively impacting hundreds of institutions, including Beijing University and Tsinghua University. According to Chinese media, students had important data encrypted or wiped, including thesis files and other important work that could impair their ability to graduate.
However, the risk goes beyond endangering academic or financial information. There are plenty of other areas associated with these institutions that can be targeted by cybercriminals. Some colleges and universities have their own affiliated medical centers and hospitals, which means that medical records and confidential patient information have also been endangered. Even university admissions processes are vulnerable to external manipulation by cyberattacks.
In terms of security, educational institutions face some very basic problems, such as a lack of funding. With the need for continuous maintenance, implementing advanced cybersecurity programs can be very costly. However, it is vitally important to change our mentality regarding the money we invest in cybersecurity. Given the invaluable data at stake, security should be a priority, no matter the initial costs.
Back to School: How to Pass the Cybersecurity Test
At present, the risks of data being exposed to threat actors are still very real, and it is paramount that any type of institution has a detailed plan to address the hazards it may face. To develop this plan, colleges and universities should consult companies providing cybersecurity and monitoring services to ensure their students, teachers and employees are protected. Cybersecurity professionals will help to devise preventive policies and response methods to alleviate the effects of a possible cyberattack on the institution.
Panda Security recommends implementing this series of measures:
- Educate employees and students to raise awareness about security and encourage them to report suspicious activity such as phishing. Training and reporting are a very relevant first step, and one that is often ignored.
- Establish protocols to protect especially sensitive data. Limit access to and sharing of certain folders.
- Require constant updates for user passwords, and combine this measure with multifactor authentication for the school’s most important data.
- Most of the computer attacks in China occurred because the victims were using pirated versions of Microsoft Windows. These versions do not receive the Microsoft update patches, and are therefore vulnerable to attacks that use exploits. It is always recommended to use secure and official versions of software.
- Implement advanced cybersecurity solutions, tailored to the specific needs of the education sector, with detection and rapid remediation capabilities.
- Develop a response plan and test it regularly to ensure that the institution is prepared for any kind of attack, just as physical training is often carried out in such educational institutions to prepare for the possibility of earthquakes, tornadoes, fires, etc.