Education ranked worst at cybersecurity out of 17 major industries

Cyber-risk management company SecurityScorecard found the industry is skipping many of the necessary steps to protect student data.

The education industry has been ranked the worst in cybersecurity out of 17 major industries. Analysis published last week by SecurityScorecard, a New York City-based IT security company, reveals an incredible risk to students considering the sheer amount of personal data amassed on school networks.

In its 2018 Education Cybersecurity Report, the company found that the education industry is not taking many of the necessary steps to protect students from cyber-vulnerabilities. According to the study, the main areas of cybersecurity weaknesses in education are application security, endpoint security, patching cadence, and network security.

Schools collect sensitive information on every one of their students. Digitizing student data makes it easier for educators, and for malicious actors, to view student information. From health data to academic and financial records, a breached student record can provide malicious actors with a stereoscopic view of a student’s life. According to the report, although hackers are becoming more adept at accessing student and school data, the education industry has failed to keep pace with data protection.

Sam Kassoumeh, chief operating officer and co-founder of SecurityScorecard, said university networks are especially vulnerable to cyberattacks. “There is a large surface area of exposure at a university. It’s thousands and thousands of devices distributed over a campus,” he said.


Students often use more than one device on campus and in-class — computers, phones, tablets or other “internet of things” devices — that while beneficial, Kassoumeh said, create “a heterogeneous environment, where all of the devices are not secured equally.”

The structure of IT staff in universities and districts is also creating a poor cybersecurity environment for education, Kassoumeh said. Unlike more lucrative industries, educational institutions oftentimes cannot afford to hire dedicated cybersecurity personnel, Kassoumeh said. Instead, schools often rely on one person or a small team for all campus IT needs. As a result, he said, “there’s just not enough time, focus and attention given to the security function.”

According to a 2017 Department of Education report, cyberattacks are becoming more ubiquitous, precise and dangerous. And, it says, many schools are underestimating the need to monitor and protect networks.

Social engineering attacks, the most ubiquitous being phishing scams, account for 41 percent of cybersecurity incidents and breaches in 2018, according to a Verizon investigations report. Ed Hudson, chief information security officer for the California State University system, told EdScoop, “phishing scams continue to be the most prevalent attacks against students, staff and faculty in our system. They are increasingly more sophisticated and targeted.”

Hudson, who disagreed that education is the worst in cybersecurity, said that in comparison to highly regulated industries like banking or health care, education is unable to be as prescriptive in its cybersecurity strategy.


“I think Higher Education cybersecurity is unlike any other industry in the cross-section of our challenges,” Hudson said, noting that education has fairly open networks to accommodate student and faculty needs. “Our cybersecurity challenge is a continual balancing act to provide the most secure environment possible while making it the most open to facilitate academic research.”

K-12 education, included in SecurityScorecard’s assessment of the education industry, also struggles with information security, Kassoumeh said.

“Over the past few years, we have experienced a marked increase in the number and sophistication of cyberattacks,” said Steven Langford, the chief information officer of Beaverton School District just west of Portland, Oregon. In response to increasing incidents, Langford said that educational technology leaders are focusing on protecting student, staff, and organizational data. “For many IT leaders, we see this as one of our top priorities,” he said.

Although leadership may have shifted its attention to the importance of cybersecurity, widespread support is still being built. Kassoumeh said that slowly, people are starting to pay more attention to cybersecurity in education. “It doesn’t make the same kind of ripple you see when a big company gets hacked,” he said, but “because security is being discussed in the public domain and making headlines, it’s putting it in the forefront of people’s minds and drawing their attention.”

As this awareness grows, some hope a culture of cybersecurity will emerge. Hudson said that to improve the cybersecurity of the education industry, “we have to continue to mature and advance our ability to identify and respond to threats while increasing our cyber resilience.” Tools and technology can only go so far, he said. Creating a culture of security will hopefully increase the protection of educational data. “We teach young kids to look both ways before crossing the street,” Hudson said. “We have to educate our users to have the same mindset. Stop, think, connect.”

Written by Betsy Foresman

Betsy Foresman was an education reporter for EdScoop from 2018 through early 2021, where she wrote about the virtues and challenges of innovative technology solutions used in higher education and K-12 spaces. Foresman also covered local government IT for StateScoop, on occasion. Foresman graduated from Texas Christian University in 2018 — go Frogs! — with a BA in journalism and psychology. During her senior year, she worked as an intern at the Center for Strategic and International Studies in Washington, D.C., and moved back to the capital after completing her degree because, like Shrek, she feels most at home in the swamp. Foresman previously worked at Scoop News Group as an editorial fellow.
