This report examines the shift to modern data collection and storage in the education system and the new risk factors this move invites as massive amounts of personal data are being aggregated on networks and stored on premises and in the cloud, much of it accessible to multiple third parties.
Collected data is a vital resource for educational institutions across the world. It includes student records, which contain highly sensitive material such as a student’s name, address and social security number, and often test scores, behavioural assessments, personal health data and more.
In addition, research project data at leading universities is a ripe target for cyber criminals and nation states. The 2018 Education Cybersecurity Report shows that out of 17 industries in the U.S., education ranks last in terms of overall cybersecurity posture.
In 2018, SecurityScorecard analysed 2393 companies with a footprint of 100 IP addresses or more in the education industry.
“The lack of resources and attention to cybersecurity in schools and universities should be a cause for serious concern among students, parents, school boards, and the education industry as a whole,” said Sam Kassoumeh, COO and cofounder of SecurityScorecard.
“Schools collect an incredible and vastly increasing amount of personal data about students. At the same time research universities house valuable IP. Securing these networks and protecting this information is essential to protect the future of innovation and privacy.”
SecurityScorecard found the Education category performed poorly in three key areas: application security, patching cadence and network security.
- Application Security: As more schools rely on educational technology and software solutions for testing and metrics, substantial risks come into view. Application software vulnerabilities represent a top target for hackers, and educators' reliance on these technologies is one of the most significant data breach risks.
- Patching Cadence: Despite school IT departments recognising the importance of a rapid patching cadence, updates are often scheduled when systems are inactive. A slow patching cadence or late patch installation opens systems up to unauthorised users.
- Network Security: Networks are indispensable to access classroom materials and resources as they incorporate more laptops and tablets than curricular tools. As more students use cloud services to connect to work between the home and the classroom, the education sector needs to focus on business continuity of network security. Network security issues plague the education industry as it stands on the brink of becoming the next major attack target.
“A cybersecurity plan for schools should reflect a holistic approach to student data protection and visibility across the education systems’ vendor ecosystem to assess risk,” continued Kassoumeh.