Education industry not making the grade for cybersecurity

(Image credit: James F Clay / Flickr)

Although schools collect sensitive data such as students’ personal details, test scores and behavioural assessments, their cybersecurity posture is not up to scratch. Hackers are becoming increasingly skilled at stealing school and student data, yet the education industry is no better prepared to deal with these malicious threats.

Data collection is vital for schools around the world, and because schools can’t stop collecting data, the only solution is to tighten up on security. Technology is being adopted both inside and outside the classroom. Inside it, most schools have now incorporated new technology and learning systems into their curriculum. Outside it, a lot of schools are collecting and storing information digitally on local networks or cloud systems.

This shift to data collection, while integral to a student’s growth and even a school’s standing, also invites a grave risk given the sheer amount of personal data that is being aggregated on networks. A student’s school file can offer malicious hackers a vivid insight into a child’s life, from the location of their home and personal health data to increasingly personalised academic records such as attendance, learning outcomes, teacher assessments and test scores.

Key insights

In order to compile our research, we analysed 2393 companies with a footprint of 100 IP addresses or more in the education industry, from April 2018 to October 2018. Our key findings were as follows:

  • The education industry was the lowest performer in terms of cybersecurity compared to all other major industries.
  • The education industry performed poorly in patching cadence, application security, and network security.
  • There are several regulatory requirements for cybersecurity performance to improve in the education industry.

What information is at risk?

Data breaches at schools are happening more and more, yet schools are still underestimating the need to responsibly monitor and protect network infrastructure. According to a 2017 report from the U.S. Department of Education, internet-based data collection, learning, and management platforms have not only become more ubiquitous but also the target of more precise, dangerous hacks. There is also a vast amount of pressure to secure this data because it contains such sensitive personal information about students. Only recently have teachers started using technological methods to store their data. Despite the likelihood of these dangerous hacks, our research demonstrated that many schools continue to underestimate the need to responsibly monitor and protect network infrastructure.

With schools now incorporating new testing and teaching methodologies based on technology and its ability to compile massive amounts of data, the information stored increases exponentially. Data such as assessment information, learning tool data, educator observations, attendance data, instructor feedback and summative evaluations are now aggregated electronically. There are pros and cons to switching to this technological process. Storing data electronically means large amounts can be kept in one place, and it is easier for educators, but consequently also for malicious actors, to access. Computer Based Assessments for Learning (CBAfL) offer additional resources for educators, but also pose extra privacy and cybersecurity risks. While CBAfLs are largely beneficial for teachers, as they provide real-time snapshots of students’ academic strengths and weaknesses, they also collect personal identifying information. As much as this helps teachers access metrics, they also need to tighten up on their security awareness to protect students’ information.

Where do schools store information?

Nowadays schools store most, if not all, of their information online. Schools use Educational Software-as-a-Service, which gives teachers and schools visual data representations with at-a-glance insights for tracking individual and group metrics. This software is greatly beneficial because of its value in helping at-risk students. However, because these metrics hold so much data, more people end up having access to it.

Only some schools integrate data with state information systems. The vulnerability of resources available within schools, districts and states creates another problem for data storage. Individual schools store more data related to daily work, whereas districts store aggregated information in their databases, and the state collects data from standardised testing. The education sector has restricted funding, which could mean both student personal data and opportunities data are at risk.

What does the future look like?

Overall, it has become apparent that, over the next few years, most if not all information will be stored online in electronic databases. With almost everything moving online, it is only natural for schools to follow this trend and start storing all their information online. Electronic databases are ideal in terms of storing large amounts of data in one place and making it easy to access. Unfortunately, cybersecurity has not kept up with the rise of electronic storage in the education system. Hackers are becoming scarily good at stealing school and student data, and they are only going to get better, more efficient and sneakier.

As education continues to move towards the future, local institutions will need to safely share information with state and federal level stakeholders. With such sensitive information being stored, there needs to be reassurance that it is safe and held in a tightly secured database. To reassure stakeholders that security in the education sector has been tightened, there must be proof, such as how new security rules are being applied and how they will be monitored in the lead-up to a more secure education system. It is unrealistic to expect that the education system will tighten its security and never be hacked again; it is more a case of staying one step ahead of hackers, working out how they would get at this information and then securing it so that they cannot. Using ‘white hat’ hackers in this situation is a smart idea, as they know all the techniques that hackers will use to creep their way in to this sensitive information. Security is always changing, so it is vital we keep up with it. Judging by the statistics highlighted in our research, the education sector has a long way to go.

Matthew McKenna, Vice President EMEA, SecurityScorecard