The Education Industry: An Executive Perspective on Cyber Risk
This week’s blog post will focus on the education industry, serving as the fourth installment of our series of cybersecurity executive views across industries.
Security is a never-ending challenge for all industries. The education sector, however, remains high on the list of vulnerable sectors since it leverages a variety of information that hackers find valuable. Information such as Social Security Numbers, financial data, emails, birth dates, mailing addresses, medical records, and employment history are all stored in a large database of current and past students, faculty, and staff from all levels of education.
Given the circumstances, the amount of stored information increases with every enrollment or registration, and consequently, these databases become more of a target for threat actors year after year. In fact, “the number of lost, stolen or compromised data records went up 164% in the first six months of 2017 compared to the last half of 2016” within the education sector. Chief Information Security Officers at universities have to worry about a wide variety of issues in order to keep their students and campus safe from cyber threats.
KEY STATISTICS ABOUT EDUCATION BREACHES
- $245 is the cost per record lost by U.S. educational institutions
- $200 is the cost per record lost globally for educational institutions
- It takes 221 days for an education institution to detect an incident; an additional 83 days on average to contain it
- 455 incidents, 73 with confirmed data disclosure as of 2016
WHY ATTACK AN EDUCATION ORGANIZATION?
As mentioned above, one of the primary reasons cyber threat actors target education institutions is due to the large amounts student and staff data stored. Universities house large numbers of Personally Identifiable Information (PII) and financial data, and that data can be monetized by cybercriminals. Most higher education institutions also have student health centers or affiliated hospitals that house Protected Health Information (PHI), which is highly desirable to attackers with financial motives. Hackers can sell this information on the dark web for an even wider variety of fraudulent activities, including pharmaceutical fraud.
Furthermore, many universities conduct research—sometimes groundbreaking, or sensitive research on behalf of government organizations – that may prove highly valuable to foreign nation states. Research in the areas of energy, defense, space, technology, medicine, and agriculture can be particularly useful for other nations, including China, that could use the information as a means to circumvent expensive or time-consuming research activities of their own. These fields contain highly desirable research data and other Intellectual Property (IP) that are targeted by attackers. Over the past year’s reported data there has been a substantial increase in the number of espionage-related breaches affecting the education industry, soaring from 5% of represented breaches in 2015 to 26% of breaches in 2016, according to the 2017 Verizon Data Breach Report.
Universities also conduct a multitude of politically sensitive research such as climate research, animal testing, and defense research; and the findings and discoveries are documented and stored in great detail. Hacktivists can enter an university’s systems and damage, destroy, alter, or leak data to media outlets or activity groups, thus exposing university ideologies.
WHAT ARE THE KEY CHALLENGES?
Just like other large entities, schools, colleges, and universities run into budgeting issues when it comes to security and are not necessarily fully equipped to face security threats. Cybersecurity programs are expensive and institutions may not have enough available funding to support such improvements. Educational organizations face the challenge of balancing priorities with limited resources (i.e. funding staff, facilities, and programs to attract and accommodate students and faculty to their institution, etc.). Without the proper resources, it is increasingly more difficult to monitor and protect their organization.
And just like large corporations struggling with BYOD (bring your own device) policies and protections, educational institutions run into challenges that deal with unsecured personal devices. Reportedly, in the fall of 2017 over 20.4 million students enrolled in American colleges and universities. Imagine the challenge facing university security teams to ensure that the devices connecting to their networks are legitimate staff/student devices that are also free from malicious threats. Institutions must protect their attack surfaces while also trying to keeping their institutions accessible.
NOTABLE INCIDENTS & BREACHES
The education sector faced a handful of cyber attacks this past June of 2017. The University of Oklahoma was breached and more than 29,000 students’ private information was publicized to users within Oklahoma University’s email system. Sensitive information included students’ Social Security Numbers, grades, and financial aid information was disclosed.
In addition, The Washington State University experienced a breach that very same month. A hard drive containing personal information of roughly one million people was stolen from a storage unit on campus. Information on the drive was part of a research study conducted for school districts, government offices, and other outside agencies containing Social Security Numbers and the health histories of students and staff.
TAKING ACTION: TOP 3 MUST-DOS
Important here is what is actionable for a Dean, C-Suite, or Institution Board member. First and foremost, you should implement and provide faculty, students, and employees with cybersecurity awareness training. Mandatory cybersecurity awareness training should be provided for students and faculty at the beginning of each academic year prior to gaining or keeping access to course registration or grading systems. Increased cyber knowledge would help to encourage students and staff to report any suspicious activity so security professionals discern whether threats pose an issue to the university network and IT systems.
Additionally, leadership boards should consider investing in a robust network security system that scans connected devices to ensure threats are not present. These programs also enable secure and verifiable system access and make sure that only the right people can gain access to the the applicable networks. If a student or staff member attempts to visit a known malicious website, then access to the site can be blocked to avoid device and network infection.
Furthermore, institutions should develop a response plan. This way they can practice their plan frequently and lessen the possibility of an abundance of information from being stolen should a future breach prove successful for a particular threat actor.
Education organizations will continue to grow – in terms of students, faculty, and ideas – and it’s crucial that senior leaders understand the cyber risks that make institutions so vulnerable. Is your campus prepared and secure? CyberVista can help your team through Cyber Resolve seminars, tabletop exercises, breach simulations and other executive cybersecurity training programs.