In a recent survey carried out by Apricorn, more than two-thirds (67%) of respondents in the education sector stated that staff within their organization didn’t see themselves as targets for data theft. They are probably wrong. While healthcare organizations are notoriously attractive to cyber-attackers, education institutions are a close second in terms of data security incidents, according to the ICO.
The second-highest number of personal data breaches reported to the ICO during Q2 2021 came from the education sector – with 313 reports received, behind 435 from healthcare, 13% of the total across 21 sectors. When it comes to data being emailed to the wrong recipient, education was the most prolific offender, with 78 incidents, ahead of legal with 72. It is also the sector with the second-highest number of reported incidents of unauthorized access to data.
It’s clear that education institutions are vulnerable to data loss and theft and a tempting target for hackers. Not only do they hold vast repositories of sensitive student data, along with an ever-expanding wealth of knowledge and expertise, but the shift to remote teaching during the pandemic also created myriad new avenues of attack.
Over the last year, the NCSC has repeatedly highlighted an increase in ransomware attacks against schools, colleges and universities in the UK and called for education organizations to do more to protect their networks and data.
Education Lags on Security Practice and Awareness
To breach education institutions, cyber-criminals often take advantage of insiders, including students and teachers. However, according to Apricorn’s research, employees at education institutions don’t consider themselves targets. This suggests a lack of awareness of the risks.
What’s more, only 26% of respondents in the education sector confirmed their organization had policies for responding in the event of a device being lost or stolen. Overall, the survey data points to a lack of cyber-resilience – the ability to prepare for, respond to and recover from a breach.
Education organizations must strengthen their defense and security posture, focusing on protecting information. In particular, they need to work on their resilience so that data can be restored quickly following an incident, the cause can be rapidly identified and remediated and the necessary due diligence can be demonstrated to regulators and stakeholders.
Developing and fostering effective defenses require a multi-layered approach that aims to block all potential attack vectors. Everyone needs to understand the importance of information security and be aware of the threats the organization faces. They must also be fully invested in playing their own part in preventing breaches.
Build a Cross-Campus Culture of Security
The crucial first step for the organization is to bring together all its employees – including teaching and academic staff – and establish an effective communication channel. Alongside the dissemination of cybersecurity policy, information and best practice, this should enable everyone to share their security needs and concerns and educate each other on the ever-evolving gaps in requirement and practice as they emerge.
This will create the foundations for becoming a security-focused team, with all individuals working together toward the same goal instead of pulling in different directions.
Establishing Practice in Policy
The next stage is to put the right policies and tools in place to protect data and information assets, including those stored or moved beyond the firewall.
Every organization’s set of policies should mandate the encryption of all data, whether it’s at rest or in transit, including hardware encryption at the endpoint. This has become a critical strategy for protecting data in organizations where people interact both inside and outside a central network. In higher education, in particular, students and teachers are in constant contact with each other and continually accessing university resources, both on campus and in their homes – not to mention coffee shops and anywhere else that offers free wifi.
Many institutions will have hundreds of people on the network at any one time using their own smartphones, tablets or laptops; it simply isn’t possible to deploy centrally-approved devices across a student body like a business can with its workforce. Therefore, the IT team must mitigate the risk of hackers targeting unsecured endpoints by implementing clear device usage policies that cover removable storage devices.
There should also be a requirement for all essential and valuable information to be regularly backed up offline. This is especially effective for minimizing the damage caused by a ransomware attack, ensuring there is always a clean, safe copy of the information available. A straightforward way of facilitating this practice is to issue all staff with a portable hardware encrypted USB or hard drive that enables them to back up the data they handle, store it securely offline, and move it safely around and between locations as needed.
During the pandemic, cyber-breaches reported by education institutions have run the gamut from unintentional data leaks caused by students and staff to increasingly sophisticated phishing and denial-of-service (DoS) attacks. Trying to counter individual threats would be an impossible task. Luckily, the best approach is to establish a holistic and proactive cybersecurity strategy that focuses on the endpoints and the individuals accessing the network and activity on the network itself.
