Education receives ‘D’ on 2017 Cybersecurity Assurance Report Card

Tenable Network Security, which issues the annual report card, said the education sector again scored lowest in combating cyber-threats.
EdScoop Feature Image

The education industry scored a dismal grade of D in overall security posture, according to a new cybersecurity report released on Monday.

The sector, especially higher education, reported the lowest 2017 Security Assurance score of any industry at 63 percent, according to the 2017 Global Cybersecurity Assurance Report Card, which is put out by Tenable Network Security, a private firm.

The report attributes the poor score to the multitudes of personally identifiable information stored at colleges and universities that provide fodder for hackers.

Despite the low rating, Cris Thomas, strategist for Tenable, tried to look on the bright side.


“One of the silver linings here is that many of the other
verticals, their scores dropped this year versus last year,” he said in an interview. “So the fact that
education stayed flat can be looked at maybe as a positive, even though it would
be better for it to increase.”

According to a news report last year, one in 10 education institutions have been hit by malware this year, which makes the sector high on the target list. The move by many colleges and universities to the cloud signifies that bigger threats loom on the horizon for data to be leaked or stolen.

The report card was created to measure the opinions and perceptions of security professionals, and find out whether the available cyber-defenses on the market are helping. The grades were based on a survey of 700 senior IT security executives who work for organizations employing more than 1,000 employees globally, in 19 industries and nine leading countries North America, Europe and Asia.

The analysis shows the education sector as having strengths in assessing the network perimeter, assessing physical servers in the datacenter and measuring security effectiveness. Among weaknesses were assessing cloud environments and conveying risks to executives and board members. Executives and board members also scored low in their commitment to making improvements.

“I find that interesting, because that’s really where you’re looking at mobile and BYOD, and those are big things in education,” Thomas said. “It’s really hard to look at a perimeter defense of a network that way when you have such amorphous devices coming and going. There’s a little bit of a disconnect there in the data where you’re scoring yourself on laptops and notebooks as an ‘F’ but network perimeter as a ‘B.'”


Of the seven industries analyzed in last year’s study, including retail, telecommunications, hospitality and health care, education and government received the lowest overall marks. Compared to this year, there was little change in the — education was static at 63 percent, and government went down three points to 63 percent.

Thomas said that although the scores for many industries were flagging, the participants in the survey had little reason to despair.

“Despite these really abysmal scores across the board … 90 percent of people feel OK or really OK about security and their ability to detect [problems],” he said. “So it’s interesting to see that people are scoring themselves poorly in all these different areas, and yet overall, their optimism level is really high. I think that bodes well in the future.”

For Thomas, that was the big takeaway: “If we are down in the dumps about our job, we can’t improve.”

Reach the reporter at and follow her on Twitter @clestch and @edscoop_news.

Latest Podcasts