[BreachExchange] Education industry not making the grade for cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 22 20:20:47 EST 2019


https://www.itproportal.com/features/education-industry-not-making-the-grade-for-cybersecurity/

Despite schools collecting sensitive data such as students’ personal
details, test scores and behavioural assessments, their cybersecurity
posture is not up to scratch. Hackers are becoming increasingly skilled at
stealing school and student data, yet the education industry is no better
prepared to deal with these malicious threats.

Data collection is a vital resource for schools around the world, so the
only solution is to tighten up on security, as schools can’t stop using it.
Technology is being adapted both inside and outside the classroom. Inside,
most schools have now adopted new technology and learning systems into
their curriculum. Outside the classroom, a lot of schools are collecting
and storing information digitally on local networks or cloud systems.

This new shift into data collection, while integral to a student’s growth
and even a school’s standing, also invites a grave risk considering the
sheer amount of personal data that is being aggregated on networks. A
student’s school file can offer malicious hackers a vivid insight into a
child’s life, from the location of their home and personal health data to
increasingly personalised academic records such as attendance, learning
outcomes, teacher assessments and test scores.

Key insights

In order to compile our research, we analysed 2393 companies with a
footprint of 100 IP addresses or more in the education industry, from April
2018 to October 2018. Our key findings were as follows:

- The education industry was the lowest performer in terms of
  cybersecurity compared to all other major industries.
- The education industry performed poorly in patching cadence, application
  security, and network security.
- There are several regulatory requirements for cybersecurity performance
  to improve in the education industry.

What information is at risk?

Data breaches at schools are happening more and more; however, schools are
still underestimating the need to responsibly monitor and protect network
infrastructure. According to a 2017 report from the U.S. Department of
Education, internet-based data collection, learning, and management
platforms have not only become more ubiquitous but also the target of more
precise, dangerous hacks. There is also a vast amount of pressure to secure
this data because it is such sensitive personal information about
students. Only recently have teachers started using technological methods
to store their data. Despite the likelihood of these dangerous hacks
happening, our research demonstrated that many schools continue to
underestimate the need to responsibly monitor and protect network
infrastructure.

With schools now incorporating new testing and teaching methodologies based
on technology and its ability to compile massive amounts of data, the
information stored increases exponentially. Data such as assessment
information, learning tool data, educator observations, attendance data,
instructor feedback and summative evaluations are now aggregated
electronically. There are pros and cons to switching to this technological
process. Storing data electronically means that large amounts can be
stored and that the data is easier for educators, but consequently also
for malicious actors, to access. Computer Based Assessments for Learning
(CBAfL) offer additional resources for educators, but also pose extra
privacy and cybersecurity risks. While CBAfLs are largely beneficial for
teachers, as they provide real-time snapshots of students’ academic
strengths and weaknesses, they also collect personal identifying
information. As much as this helps teachers access metrics, they also need
to tighten up on their security awareness to protect the students’
information.

Where do schools store information?

Nowadays schools store most if not all of their information online. Schools
use Educational Software-as-a-Service, which gives teachers and schools
visual data representations that provide at-a-glance insights to track
individual and group metrics. This software is greatly beneficial due to
its value in helping at-risk students. However, because these metrics hold
so much data, the result is that more people have access to it.

Only some schools integrate data with state information systems. The
vulnerability of resources available within schools, districts and states
creates another problem for data storage. Individual schools store more
data related to daily work, whereas districts store aggregated information
in their databases and the state collects data from standardised testing.
The education sector has restricted funding, which could mean both student
personal data and opportunities data are at risk.

What does the future look like?

Overall, it has become apparent that, over the next few years, most if not
all information will be stored online in electronic databases. With almost
everything being stored online in this new modern shift, it is only right
for schools to carry on this trend and start storing all their information
online. Electronic databases are ideal in terms of storing large amounts of
data in one place and making it easy to access. Unfortunately, cyber
security has not kept up with the rise of electronic storage in the
education system. Hackers are becoming scarily good at stealing school and
student data, and they are only going to get better, more efficient and
sneakier.

As education continues to move towards the future, local institutions will
need to safely share information with state- and federal-level
stakeholders. With such sensitive information being stored, there needs to
be reassurance that this information is safe and being stored in a tightly
secured database. To reassure stakeholders that there has been a tightening
up of security in the education sector, there must be proof, such as how
new security rules are being applied and how they will be monitored in the
lead-up to a more secure education system. It is unrealistic to expect that
the education system will tighten its security and never be hacked again;
it is more a case of being one step ahead of the hacker, realising how they
will hack this information and then securing it so that they cannot. Using
‘white hackers’ in this situation is a smart idea, as they know all the
techniques that the hackers will use to creep their way into this
sensitive information. Security is always changing, so it is vital we keep
up with it. Judging by the statistics highlighted in our research, the
education sector has a long way to go.

