Education Cyber Security Vulnerabilities and What Schools Can Do About Them
K-12 schools, colleges, and universities are attractive targets for hackers. Their networks contain an enormous amount of identifying information on staff members, students, and students’ families, including names, birth dates, addresses, Social Security numbers, and even health records.
Additionally, educational institutions are frequently connected to each other and to government agencies for information-sharing purposes, which means that hackers may use a school’s network as a “back door” into their real target. Unfortunately, education cyber security is no stronger than in other industries, as these recent incidents show:
- In November 2016, Columbia County School District in Georgia disclosed a breach of personal data belonging to its employees and their families.
- Los Angeles Valley College was hit by a ransomware attack on New Year’s Eve that disabled the school’s critical systems. In a repeat of last year’s Hollywood Presbyterian Medical Center ransomware incident, the college gave in and paid a ransom of $28,000 in Bitcoin to regain access to its systems.
- Shortly after the New Year, Northside Independent School District, the largest school system in San Antonio, disclosed that it had fallen victim to a data breach the previous August affecting 23,000 current and former students and employees.
- Also in the Lone Star State, the Argyle Independent School District fell victim to a spear phishing scheme that resulted in all of its employees’ W2 data being released to cyber criminals.
- Illustrating how education cyber security threats can originate within a school itself, South Washington County Schools in Minnesota was hacked by one of its own students, exposing the personal data of over 3,200 employees.
Education cyber security poses a unique set of challenges. K-12 schools and, to some extent, colleges and universities have a user base that includes minor children. Minors are particularly vulnerable to social engineering schemes, and, as in the South Washington County Schools case, they can even pose threats themselves. Students may breach a school’s network to alter grades, cause general disruption, or even just for kicks.
The good news is, there are proactive steps schools can take to prevent attacks.
Address Bring Your Own Device (BYOD) Vulnerabilities
Modern classrooms and school hallways are filled with teachers, other staff members, and students carrying their own mobile devices and laptops, which they use for both work and play. Unfortunately, all of these devices create a data security nightmare. Developing an authentication system for accessing the network is critical, but because some of the users are children, the challenge is to make it easy enough for them to use yet robust enough to protect the network. Schools should enlist the help of cyber security professionals like the experts at Continuum GRC to implement a workable but secure solution.
Implement Appropriate User Access
Similar to a workplace, users should be given different levels of network access depending on their role: student, teacher, other faculty member, or guest. Teachers and faculty, just like employees at any other organization, should be given only as much access to the network as they need to do their job. Likewise, students should be given only the access they need to complete their coursework, and no more.
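The least-privilege rule above, as an added illustration that is not part of the original article: a default-deny, role-based policy for grade records in a school information system. The roles, permissions, class identifiers and user names are constructed for the example; the point is that a student account can read only its own grades and can never alter one, while a teacher can alter grades only for classes they actually teach, and every denied attempt is recorded for later review.

```python
"""Default-deny, least-privilege policy for grade records (constructed example)."""
from dataclasses import dataclass, field

# Constructed role-to-permission table. A role gets only the permissions its
# job requires; any permission not listed here is denied by default.
ROLE_PERMISSIONS = {
    "guest":   {"portal:read"},
    "student": {"portal:read", "coursework:read", "coursework:submit", "grades:read_own"},
    "teacher": {"portal:read", "coursework:read", "grades:read_own",
                "grades:read_class", "grades:write_class"},
    "staff":   {"portal:read", "records:read", "records:write"},
}

@dataclass
class User:
    name: str
    role: str
    classes: set = field(default_factory=set)  # class ids the user teaches or attends

@dataclass
class GradeRecord:
    student: str   # name of the student the grade belongs to
    class_id: str  # class the grade was earned in

# Denied attempts are kept so the security team can spot grade-tampering tries.
DENIED_LOG: list = []

def _has(user: User, perm: str) -> bool:
    # Unknown roles map to an empty set, so they are denied everything.
    return perm in ROLE_PERMISSIONS.get(user.role, set())

def can_read_grade(user: User, rec: GradeRecord) -> bool:
    if _has(user, "grades:read_own") and rec.student == user.name:
        return True
    if _has(user, "grades:read_class") and rec.class_id in user.classes:
        return True
    DENIED_LOG.append((user.name, "read", rec.student, rec.class_id))
    return False

def can_write_grade(user: User, rec: GradeRecord) -> bool:
    # Only a teacher of that class may alter a grade; students never can,
    # even for their own record, because the student role lacks write rights.
    if _has(user, "grades:write_class") and rec.class_id in user.classes:
        return True
    DENIED_LOG.append((user.name, "write", rec.student, rec.class_id))
    return False

if __name__ == "__main__":
    alice, bob = User("alice", "student", {"math101"}), User("bob", "teacher", {"math101"})
    rec = GradeRecord("alice", "math101")
    print(can_read_grade(alice, rec), can_write_grade(alice, rec), can_write_grade(bob, rec))
    print("denied attempts:", DENIED_LOG)
```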
Ensure that Third-Party Education Apps Are Secure
Cash-strapped schools, under pressure from students and parents to offer more e-learning options, often turn to free or very low-cost applications released by third-party vendors. The companies that make these apps must earn money somehow, and they could do it by collecting personal data from teachers and students and selling it to other companies. There are also serious questions as to the data security of third-party education apps. An independent audit of 1,200 education applications by the nonprofit group Common Sense Education found that nearly half did not automatically encrypt students’ data. In many schools, individual teachers are given autonomy regarding which apps to use. Schools must centralize approval of applications and bar teachers from installing any apps until they have been vetted for data security.
Train Teachers and Students on Cyber Security Best Practices
Just as in any other field, education cyber security must be proactive, not reactive. Teachers, other school staff, and students must be educated on data security, including how to spot phishing emails and other social engineering techniques. Since even young children access the internet, they can and should be taught how to protect themselves online, just as they are taught how to stay safe in the real world.
Maintain Compliance with Applicable Data Security Standards
Because of the wealth of data they process and store, educational institutions are subject to a number of data security standards, from FISMA to HIPAA. While compliance with these standards is not data security in and of itself, it is the law, and it lays the foundation for a solid cyber security plan. Educational institutions should consult with compliance professionals such as the experts at Continuum GRC, who can advise which standards apply and help schools achieve and maintain compliance.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.