The education industry faces a security crisis, one that goes beyond protecting the classrooms and hallways. IT professionals in the education sector see cybersecurity as their top priority, consistently ranking it as their No. 1 concern.

However, more than three-quarters of employees in the education field lack the cybersecurity awareness required to handle common privacy and security threats. This creates another level of undetected, yet preventable, risks for students, faculty and staff.

Education Is a Prime Target for Cybercriminals

When your network is compromised, cybercriminals are most often searching for personally identifiable information (PII). This information, which includes everything from full names and Social Security numbers to birthdates and bank accounts, has great value on the Dark Web.

Individually, each piece of PII may not do much damage, but when pieced together, criminals can recreate your identity or play the role of a digital Frankenstein, creating a brand new “person” out of multiple pieces of data belonging to different people (e.g., your credit card number, your co-worker’s phone number, the address of a student rental house) to make illegal purchases.

Few industries handle as much PII as the education industry, especially data associated with minor citizens. This PII covers every aspect of an individual’s life. In the eyes of a threat actor, this represents a goldmine to either sell or repurpose for identity theft.

The PII of young people is attractive due to the lack of monitoring. Adults can consult credit reports or leverage identity theft monitoring if their information is compromised in a data breach, but those services may not apply to children. When their PII is stolen, it often goes undetected until they apply for some type of credit, such as a college loan.

There is also a physical security component at work when it comes to PII. Think of how much information could be revealed about your child in one data breach: his or her age, home address, school-related activities, bus route, grades and health records, just to name a few. A malicious actor who accesses PII through the school’s network could theoretically gain physical access to your child. This is an uncommon reason for a cybercriminal to launch a campaign against a school, but it’s something that school leaders and IT professionals must keep in mind when thinking about data protection.

Education is also an easy target because the population is always changing. On a college campus, for example, not only is there an influx of new students and faculty each year, but there is a steady flow of visitors who leave a digital footprint. Widespread use of public Wi-Fi, a forgotten laptop with sensitive research files and careless mistakes by sleep-deprived undergrads can all result in a massive data breach. Cybercriminals know that and will take full advantage.

Lack of Awareness Leads to Social Engineering Attacks

In addition to the abundance of PII, intellectual property and financial records, the poor security posture within the education sector makes academic institutions a particularly juicy target. According to one report, 76 percent of education sector employees surveyed earned security awareness scores low enough to land them in the “novice” or “risk” category, which means their behavior is likely to lead to a data breach.

These poor security skills set up the education sector for social engineering attacks. According to Verizon’s “2018 Data Breach Investigations Report,” most attacks in education are initiated by outside actors. The most popular type of social engineering attack is a W-2 scam whereby school offices are tricked into turning over W-2 paperwork to crooks masquerading as legitimate school or tax officials. This scam may work so well in education due to the fluid nature of the school environment.

Boosting Cybersecurity Awareness Among Educators

There’s a touch of irony in saying that educators need to become better educated, but that’s exactly what must happen to decrease the risk of threats against school networks.

Security awareness training should be geared toward the school environment and involve everyone with network access. Students are often ignored when it comes to security training, even though they access the network from computers at school and from remote locations in the evening. If a fifth-grader accidentally opens a phishing message he or she thinks is coming from a teacher, it could spread malware throughout the entire school.

Because of the nature of the industry, education has an opportunity to lead the way when it comes to good security stewardship. Given the amount of data available to be breached, it’s imperative for IT professionals in the education sector to improve internal security awareness and limit the high risk potential.
