Aiming for an A+: Cybersecurity for the Education Sector

Thu, 23 May 2019

Hackers are becoming better at stealing school data and student information. However, the education sector is no better prepared to defend against these malicious threats. With universities and schools increasingly using more data analytics for student retention and academic performance initiatives, the amount of data that they are storing is growing. 

Educational institutions collect sensitive data and student information such as grades, behavioural analysis, incident reports, financial information, and social insurance numbers that can benefit cyber criminals. In addition, at universities that conduct research, the presence of intellectual property stemming from corporate and government research is desirable to hackers. As entire course curriculums are moved online, and more data is collected and stored via the internet, educational institutions need to increase their cybersecurity measures to protect themselves and their students.

According to the 2019 Verizon Data Breach Investigations Report, the education sector continues to be inundated by errors, social engineering schemes and inadequately secured email credentials. Denial of Service (DoS) attacks make up over half of all cyber incidents in education.[i] According to a report from the U.S. Department of Education, online data collection and learning management platforms have not only become more abundant but are also the target of more precise cyber attacks.[ii]

The Verizon report also detailed that over the past year, human error was the cause of 35 percent of data breaches in the education sector. Approximately 25 percent of breaches in education resulted from web application attacks, often via phishing emails that sent links to phony login web pages. Stolen credentials accounted for 53 percent of the data compromised.[iii] 

Gabe Bassett, Information Security Data Scientist, Verizon, highlighted that education has a wide array of threats that it contends with, yet it’s the unique openness of education’s cyber environments that presents its most substantial challenge. Where businesses can put in more stringent guidelines for cybersecurity, he said, “education has to balance their [security] need with flexibility.” Bassett went on to say that “It’s a double whammy to have such a broad range of threats as well as less flexibility on how to combat those threats.” [iv]

Education Gets a Failing Grade in Cybersecurity

According to research conducted in 2018 on 2393 companies (with a footprint of 100 IP addresses or more in the education sector), education was the least cyber secure of the seventeen primary industries. The study looked at both individual schools (K-12 and higher education) and entire school boards, as well as private companies in the education sector. There was no difference between education-related private companies and school boards in terms of cyberattack vulnerability. The study concluded:

  • “The education industry was the lowest performer in terms of cybersecurity compared to all other major industries.”
  • “The education industry performed poorly in patching cadence, application security, and network security.”
  • “There are several regulatory requirements for cybersecurity performance to improve in the education industry.”[v]

Since 2016, there have been 477 cybersecurity-related incidents involving public schools in the United States. Thirty-seven school districts have experienced more than one cyber incident over the same period.[vi] In the face of rising cyber incidents, a mere fifteen percent of the United States’ K-12 information-technology leaders have a cybersecurity plan implemented in their school district and approximately three in four school district IT leaders admit that they aren’t “adding security safeguards to vendor negotiations.”[vii]

Global Attack

In March of 2018, nine Iranian hackers, employed by the Iranian government, were charged with theft of intellectual property after breaching 176 universities worldwide, in addition to government and banking organizations. The men are accused of stealing 31 terabytes of academic data and intellectual property, amongst other data and information.[viii] They were able to obtain this data through phishing campaigns that launched malware. Inadequate cybersecurity education for staff and students combined with insufficient cybersecurity measures made the universities vulnerable.

Cutthroat Cafeteria

Recently, Keith Wesley Cosbey, CFO of Choicelunch, a company that provides lunches to Californian students, hacked into his competitor’s database to try and increase his own business. He hacked into LunchMaster’s customer database that contains everything from students’ grades to meal preferences and food allergies. He sent the attained information to the Department of Education to highlight the incompetence of LunchMaster in protecting their clients’ privacy. His plan backfired when Cosbey’s data theft was discovered, and he was charged with identity theft and unauthorized computer access. As a result, Cosbey may face a three-year prison sentence.[ix]

The situation sounds a little silly, but there is a significant concern that needs to be addressed beyond lax security measures: access to data. Why does a lunch caterer for a K-12 school district require access to student grades? Controlling vendor access to systems and information is vital in any supply chain system.

Higher Ed Gets Hacked

Earlier this year, three private colleges in the United States were hacked. The hackers managed to access sensitive student data and sent a ransom demand for student admission files. Applicants to Grinnell, Hamilton, and Oberlin Colleges received emails that offered them the chance to buy their admission files which included reports on interviews, ratings, and tentative admissions decisions. The hackers requested 1 BTC (approximately $3890) to obtain the file. 

The colleges use the company Slate for handling applications and admission communications. The vendor denied being hacked. Alexander Clark, CEO of TechnoSolutions, stated that “Slate was not hacked. Rather, an unauthorized party used weaknesses in the password reset systems operated by three colleges to gain access to the campus resources – not just Slate – to which the user had access. We are not aware of any other colleges that have been similarly impacted.”[x]

How to Make the Cybersecurity Grade

The authors of The SecurityScorecard Education Report write that “A cybersecurity plan should reflect a holistic approach to student data protection.” They go on to say that “By incorporating technology and people, a robust program mitigates risks, while also ensuring ongoing education instills good security habits into employees, students, and their parents.”[xi]

Application Security: Educational institutions at all levels are growing increasingly reliant on online applications for testing, data collection and storage, and analytics. Hackers are looking for any application vulnerabilities. Vulnerability assessment or penetration testing is essential for school board and university networks so that those weaknesses can be found and fortified. Having appropriate application security software and firewall protection in place is also vital.  

Endpoint Security: Use of personal devices by students and faculty across all levels of education is increasing, multiplying vulnerable endpoints. Individual devices can be especially susceptible because people often use the same devices to connect to lesser protected home networks or free Wi-Fi hubs. Endpoint security software allows universities to detect weaknesses and unify network management more efficiently.

Educate: All organizations need to prioritize cybersecurity education in their cybersecurity strategy, including cybersecurity awareness programs, cyberliteracy programs and cyber hygiene training. Inside of educational settings, cyber education requires teaching staff as well as students and parents. As the Canadian Institute for Cybersecurity, University of New Brunswick stated, "Cybersecurity and privacy, once issues only for technology experts have become widespread concerns in business and society. Cybersecurity is no longer just an IT problem. It is a business problem; it is everyone's problem. The weakest link in cybersecurity is now people, not devices. As such, the human factor is considered the biggest threat to cyber safety."[xii]

Protecting the education sector, and the students who are part of it, is important. Educational organizations and the vendors that support them need to respond to increased attacks with network fortification measures and organization-specific cybersecurity incident response plans. Talk to the cybersecurity solutions specialists at ISA, who have over 27 years of demonstrated industry excellence, about how to protect your organization from a cyber attack.

