Survey Reveals Top Cybersecurity Issues in Education

Institutions Are Optimistic About Their Security Preparedness

For an organization to be cyber resilient, preparedness for an attack is vital. Educational institutions increasingly are thinking about cyberthreats as inevitabilities rather than possibilities, which means considering the eventual effects of an attack on a school, district or campus.

“Cyber risk is a business risk,” says Buck Bell, head of CDW's Global Security Strategy Office. “When you think about resilience, that's a key input into the overall continuity of the business, not just the ability of the technical environment to withstand attacks.”

Across the education sector, 43 percent of respondents indicated that they have not experienced a data breach in the past five years. Of those who have, 22 percent said the attacks cost them between $1 million and $5 million. Sixty-one percent of respondents say they are either very or somewhat prepared to respond to a cybersecurity incident and minimize the resulting downtime, while 28 percent are very or somewhat unprepared.

“When you're talking about the implications of a cyberattack, some of the obvious implications of that are related to data exfiltration and financial risk, the reputational risk and compliance impacts that will follow that,” Bell says. “Operational downtime is a huge risk that in some ways outstrips even those other risks.”

DISCOVER: Segmentation helps higher ed institutions manage data exfiltration risks.

Cyber insurance plays a role in helping educational institutions prepare for and recover from cyber incidents. Forty-seven percent of education respondents said their cyber insurance policy significantly influences their cybersecurity strategy, while 21 percent of respondents do not have a policy. These plans offer many benefits to organizations of all kinds, but particularly in the education sector where cyberattacks are more prevalent.

“Many cyber insurers have begun to develop partnerships with security vendors that they can bring in as experts to help folks have a really well-prepared incident response plan,” Bell says.

Visibility is also a factor in cyber resilience. In the survey, 78 percent of education respondents said they are either somewhat or very confident that they have sufficient visibility into their cybersecurity landscape. Education respondents named cloud security posture management and identity and access management as the most effective tools for improving visibility into an environment, with 74 percent of respondents citing both approaches as somewhat or very effective.

“When you look at IAM, there are two levels to that,” Bell says. “First, you have the ability to control access, but more important, it's the governance side of the house where you're creating and assigning permission sets to end users.” With analytics from these tools, Bell says, administrators can monitor users’ access and behaviors to identify potential risks — insights they might not have without comprehensive IAM solutions in place.

Staffing Issues Permeate the Cybersecurity Field

Across industries, staffing and training were major concerns for IT and security professionals.

In education, 38 percent of respondents said sufficient understanding of staffing needs is missing from their organizations’ approach to cybersecurity — the most common response on the list. Only 10 percent of respondents considered themselves fully staffed, while 13 percent are severely understaffed, and 40 percent are understaffed but say it could be worse.

Because staffing is an ongoing concern, retention strategies are particularly important. In the education sector, providing opportunities for certification and education was seen as the most effective way to retain IT security staff, with 66 percent of respondents calling it either somewhat or very effective.

LEARN MORE: How a cyber resilience strategy can be key to business success.

“You retain your staff by ensuring that you're raising their value as a staff member by ensuring they have a broad set of skills and they're working on high-value tasks,” Hagopian says.

Outsourcing can be another effective way to address staffing concerns, but according to the survey, 38 percent of education respondents do not outsource anything related to IT security.

Education Sector Lags Behind Other Industries in Zero-Trust Adoption

Like cyber resilience, zero trust is a set of tools and strategies that can improve an organization’s security posture, but its implementation varies across industries.

“Organizations are all on a journey, from a zero-trust maturity perspective,” Hagopian says. “And no two organizations are going to be in the same place in terms of what they're doing or what they have to do to operate in a highly mature state.”

While 42 percent of respondents across industries reported that their organization is in the advanced maturity level when implementing zero-trust initiatives, only 23 percent of education respondents reported the same. Most education respondents (38 percent) said they were in the initial stages of zero-trust maturity, while 18 percent of respondents said they have not started any zero-trust initiatives — double the industrywide total of 9 percent.

READ MORE: Higher ed institutions could benefit from a zero-trust approach to cybersecurity.

Getting executive buy-in is one of the top challenges education institutions face when implementing zero-trust principles, with 44 percent of respondents noting difficulty in that area. Hagopian says this is a common concern outside of the technology implementation aspects of zero trust.

“There are a lot of business challenges and business process changes that have to occur when you're rolling out a zero-trust program,” she says. “We find that we have to provide a lot of assistance in an advisory and consulting capacity to help organizations more with that business process change, as well as with the change management and communication you have to create internally within the organization to get the proper buy-in from all of the stakeholders that have to get involved.”