The education sector is the least secure of 17 industries studied this year, according to a new report released Thursday.
In particular, education institutions struggled with application security, endpoint security and patching cadence, according to the “2018 Education Cybersecurity Report,” conducted by the information security company SecurityScorecard.
“The results show that although hackers have become increasingly deft at stealing school and student data, the education industry is no better prepared to deal with these malicious threats,” the report’s authors conclude. “There is a growing concern because schools collect an incredible — and vastly increasing — amount of personal data about students, to varying degrees.”
3 Points of Security Vulnerabilities in the Education Sector
As universities and schools increase their use of data analytics for initiatives related to student retention and academic performance, the amount of data they collect is growing, which worries security experts. In higher education, in addition, the presence of intellectual property related to corporate and government research also is attractive to hackers.
"The lack of resources and attention to cybersecurity in schools and universities should be a cause for serious concern among students, parents, school boards, and the education industry as a whole," said Sam Kassoumeh, COO and cofounder of SecurityScorecard. "Schools collect an incredible and vastly increasing amount of personal data about students. At the same time research universities house valuable IP. Securing these networks and protecting this information is essential to protect the future of innovation and privacy."
In order to protect student data, SecurityScorecard offers these three insights to get education institutions started on a more reliable security plan:
- Application Security: Schools are relying more than ever on online applications for testing, data collection and analytics. Hackers will take advantage of application vulnerabilities, which means school districts and universities need to be aware of any in their networks and close them up. One way to do so is to build application security into system development. Incorporating vulnerability scans or penetration tests is another way to root out potential security flaws. Additionally, companies like Barracuda offer application security software and firewall appliances.
- Endpoint Security: The number of personal devices used by students and faculty across both K–12 and higher education is increasing, expanding the number of vulnerable endpoints. These devices can be especially vulnerable because many people use the same devices to connect to home networks, which may offer less protection than campus networks. Endpoint security software offered by companies like Symantec and Malwarebytes allow universities to more easily detect vulnerabilities and unify network management. Cybersecurity education programs are also crucial to ensure users are responsible at all times. Additionally, integrating endpoint segmentation can help to limit any damage if a device is compromised.
- Patching Cadence: Updating software is essential. While patching can be a burden for education IT teams, especially those with fewer resources, there are programs that can help bear some of the weight. Security companies like McAfee offer virtual patching programs that identify vulnerabilities and offer a quick fix until an IT member can complete the patch.
“A cybersecurity plan should reflect a holistic approach to student data protection,” the SecurityScorecard authors write. “By incorporating technology and people, a robust program mitigates risks, while also ensuring ongoing education instills good security habits into employees, students, and their parents.”