The education industry has been ranked the worst in cybersecurity out of 17 major industries. Analysis published last week by SecurityScorecard, a New York City-based IT security company, reveals an incredible risk to students considering the sheer amount of personal data amassed on school networks.
In its 2018 Education Cybersecurity Report, the company found that the education industry is not taking many of the necessary steps to protect students from cyber-vulnerabilities. According to the study, the main areas of cybersecurity weaknesses in education are application security, endpoint security, patching cadence, and network security.
Schools collect sensitive information on every one of their students. Digitizing student data makes it easier for educators, as well as malicious actors, to view student information. From health data to academic and financial records, a breached student record can provide malicious actors with a stereoscopic view of a student’s life. According to the report, although hackers are becoming more adept at accessing student and school data, the education industry has failed to keep pace with data protection.
Sam Kassoumeh, chief operating officer and co-founder of SecurityScorecard, said university networks are especially vulnerable to cyberattacks. “There is a large surface area of exposure at a university. It’s thousands and thousands of devices distributed over a campus,” he said.
Students often use more than one device on campus and in-class — computers, phones, tablets or other “internet of things” devices — that while beneficial, Kassoumeh said, create “a heterogeneous environment, where all of the devices are not secured equally.”
The structure of IT staff in universities and districts is also creating a poor cybersecurity environment for education, Kassoumeh said. Unlike more lucrative industries, educational institutions oftentimes cannot afford to hire dedicated cybersecurity personnel, Kassoumeh said. Instead, schools often rely on one person or a small team for all campus IT needs. As a result, he said, “there’s just not enough time, focus and attention given to the security function.”
According to a 2017 Department of Education report, cyberattacks are becoming more ubiquitous, precise and dangerous. And, it says, many schools are underestimating the need to monitor and protect networks.
Social engineering attacks, the most ubiquitous being phishing scams, account for 41 percent of cybersecurity incidents and breaches in 2018, according to a Verizon investigations report. Ed Hudson, chief information security officer for the California State University system, told EdScoop, “phishing scams continue to be the most prevalent attacks against students, staff and faculty in our system. They are increasingly more sophisticated and targeted.”
Hudson, who disagreed that education is the worst in cybersecurity, said that in comparison to highly regulated industries like banking or health care, education is unable to be as prescriptive in its cybersecurity strategy.
“I think Higher Education cybersecurity is unlike any other industry in the cross-section of our challenges,” Hudson said, noting that education has fairly open networks to accommodate student and faculty needs. “Our cybersecurity challenge is a continual balancing act to provide the most secure environment possible while making it the most open to facilitate academic research.”
K-12 education, included in SecurityScorecard’s assessment of the education industry, also struggles with information security, Kassoumeh said.
“Over the past few years, we have experienced a marked increase in the number and sophistication of cyberattacks,” said Steven Langford, the chief information officer of Beaverton School District just west of Portland, Oregon. In response to increasing incidents, Langford said that educational technology leaders are focusing on protecting student, staff, and organizational data. “For many IT leaders, we see this as one of our top priorities,” he said.
Although leadership may have shifted its attention to the importance of cybersecurity, widespread support is still being built. Kassoumeh said that slowly, people are starting to pay more attention to cybersecurity in education. “It doesn’t make the same kind of ripple you see when a big company gets hacked,” he said, but “because security is being discussed in the public domain and making headlines, it’s putting it in the forefront of people’s minds and drawing their attention.”
As this awareness grows, some hope a culture of cybersecurity will emerge. Hudson said that to improve the cybersecurity of the education industry, “we have to continue to mature and advance our ability to identify and respond to threats while increasing our cyber resilience.” Tools and technology can only go so far, he said. Creating a culture of security will hopefully increase the protection of educational data. “We teach young kids to look both ways before crossing the street,” Hudson said. “We have to educate our users to have the same mindset. Stop, think, connect.”