Class Is in Session: Improving Cybersecurity Awareness in the Education Sector
The education industry faces a security crisis, one that goes beyond protecting the classrooms and hallways. IT professionals in the education sector see cybersecurity as their top priority, consistently ranking it as their No. 1 concern.
However, more than three-quarters of employees in the education field lack the cybersecurity awareness required to handle common privacy and security threats. This creates another level of undetected, yet preventable, risks for students, faculty and staff.
Education Is a Prime Target for Cybercriminals
When your network is compromised, cybercriminals are most often searching for personally identifiable information (PII). This information, which includes everything from full names and Social Security numbers to birthdates and bank accounts, has great value on the Dark Web.
Individually, each piece of PII may not do much damage, but when pieced together, criminals can recreate your identity or play the role of a digital Frankenstein, creating a brand new “person” out of multiple pieces of data belonging to different people (e.g., your credit card number, your co-worker’s phone number, the address of a student rental house) to make illegal purchases.
Few industries handle as much PII as the education industry, especially data associated with minor citizens. This PII covers every aspect of an individual’s life. In the eyes of a threat actor, this represents a goldmine to either sell or repurpose for identity theft.
The PII of young people is attractive due to the lack of monitoring. Adults can consult credit reports or leverage identity theft monitoring if their information is compromised in a data breach, but those services may not apply to children. When their PII is stolen, it often goes undetected until they apply for some type of credit, such as a college loan.
There is also a physical security component at work when it comes to PII. Think of how much information could be revealed about your child in one data breach: his or her age, home address, school-related activities, bus route, grades and health records, just to name a few. A malicious actor who accesses PII through the school’s network could theoretically gain physical access to your child. This is an uncommon reason for a cybercriminal to launch a campaign against a school, but it’s something that school leaders and IT professionals must keep in mind when thinking about data protection.
Education is also an easy target because the population is always changing. On a college campus, for example, not only is there an influx of new students and faculty each year, but there is a steady flow of visitors who leave a digital footprint. Widespread use of public Wi-Fi, a forgotten laptop with sensitive research files and careless mistakes by sleep-deprived undergrads can all result in a massive data breach. Cybercriminals know that and will take full advantage.
Lack of Awareness Leads to Social Engineering Attacks
In addition to the abundance of PII, intellectual property and financial records, the poor security posture within the education sector make academic institutions a particularly juicy target. According to one report, 76 percent of education sector employees surveyed earned security awareness scores low enough to land them in the “novice” or “risk” category, which means their behavior is likely to lead to a data breach.
These poor security skills set up the education sector for social engineering attacks. According to Verizon’s “2018 Data Breach Investigations Report,” most attacks in education are initiated by outsider actors. The most popular type of social engineering attack is a W-2 scam whereby school offices are tricked into turning over W-2 paperwork to crooks masquerading as legitimate school or tax officials. This scam may work so well in education due to the fluid nature of the school environment.
Boosting Cybersecurity Awareness Among Educators
There’s a touch of irony in saying that educators need to become better educated, but that’s exactly what must happen to decrease the risk of threats against school networks.
Security awareness training should be geared toward the school environment and involve everyone with network access. Students are often ignored when it comes to security training, even though they access the network from computers at school and from remote locations in the evening. If a fifth-grader accidentally opens a phishing message he or she thinks is coming from a teacher, it could spread malware throughout the entire school.
Because of the nature of the industry, education has an opportunity to lead the way when it comes to good security stewardship. Given the amount of data available to be breached, it’s imperative for IT professionals in the education sector to improve internal security awareness and limit the high risk potential.