Light Dark
May 4, 2018 By Sue Poremba 3 min read
Risk Management
Data Protection
Network

The education industry faces a security crisis, one that goes beyond protecting the classrooms and hallways. IT professionals in the education sector see cybersecurity as their top priority, consistently ranking it as their No. 1 concern.

However, more than three-quarters of employees in the education field lack the cybersecurity awareness required to handle common privacy and security threats. This creates another level of undetected, yet preventable, risks for students, faculty and staff.

Education Is a Prime Target for Cybercriminals

When your network is compromised, cybercriminals are most often searching for personally identifiable information (PII). This information, which includes everything from full names and Social Security numbers to birthdates and bank accounts, has great value on the Dark Web.

Individually, each piece of PII may not do much damage, but when pieced together, criminals can recreate your identity or play the role of a digital Frankenstein, creating a brand new “person” out of multiple pieces of data belonging to different people (e.g., your credit card number, your co-worker’s phone number, the address of a student rental house) to make illegal purchases.

Few industries handle as much PII as the education industry, especially data associated with minor citizens. This PII covers every aspect of an individual’s life. In the eyes of a threat actor, this represents a goldmine to either sell or repurpose for identity theft.

The PII of young people is attractive due to the lack of monitoring. Adults can consult credit reports or leverage identity theft monitoring if their information is compromised in a data breach, but those services may not apply to children. When their PII is stolen, it often goes undetected until they apply for some type of credit, such as a college loan.

There is also a physical security component at work when it comes to PII. Think of how much information could be revealed about your child in one data breach: his or her age, home address, school-related activities, bus route, grades and health records, just to name a few. A malicious actor who accesses PII through the school’s network could theoretically gain physical access to your child. This is an uncommon reason for a cybercriminal to launch a campaign against a school, but it’s something that school leaders and IT professionals must keep in mind when thinking about data protection.

Education is also an easy target because the population is always changing. On a college campus, for example, not only is there an influx of new students and faculty each year, but there is a steady flow of visitors who leave a digital footprint. Widespread use of public Wi-Fi, a forgotten laptop with sensitive research files and careless mistakes by sleep-deprived undergrads can all result in a massive data breach. Cybercriminals know that and will take full advantage.

Lack of Awareness Leads to Social Engineering Attacks

In addition to the abundance of PII, intellectual property and financial records, the poor security posture within the education sector make academic institutions a particularly juicy target. According to one report, 76 percent of education sector employees surveyed earned security awareness scores low enough to land them in the “novice” or “risk” category, which means their behavior is likely to lead to a data breach.

These poor security skills set up the education sector for social engineering attacks. According to Verizon’s “2018 Data Breach Investigations Report,” most attacks in education are initiated by outsider actors. The most popular type of social engineering attack is a W-2 scam whereby school offices are tricked into turning over W-2 paperwork to crooks masquerading as legitimate school or tax officials. This scam may work so well in education due to the fluid nature of the school environment.

Boosting Cybersecurity Awareness Among Educators

There’s a touch of irony in saying that educators need to become better educated, but that’s exactly what must happen to decrease the risk of threats against school networks.

Security awareness training should be geared toward the school environment and involve everyone with network access. Students are often ignored when it comes to security training, even though they access the network from computers at school and from remote locations in the evening. If a fifth-grader accidentally opens a phishing message he or she thinks is coming from a teacher, it could spread malware throughout the entire school.

Because of the nature of the industry, education has an opportunity to lead the way when it comes to good security stewardship. Given the amount of data available to be breached, it’s imperative for IT professionals in the education sector to improve internal security awareness and limit the high risk potential.

 |  |  |  |  |  |  |  | 
Sue Poremba

More from Risk Management
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

October 27, 2023

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature