What the education industry must do to protect itself from cyber attacks

Data breaches show no signs of slowing down and companies across many industry verticals fall victim to what now seems to be a regular occurrence.

Most attention around data breaches is on the commercial side, with Capital One being the recent high-profile breach, compromising the personal information of more than 100 million people. However, the education sector is proving to also be an attractive target.

This summer made it evident that K-12 school districts, higher education, and even commercial companies working with educational institutions are at risk. Notably, the state of Louisiana declared a state of emergency following an attack that disabled computers at three school districts. And it’s not just a problem in Louisiana — schools nationwide are being targeted by hackers.

On August 2, the K-12 Cybersecurity Resource Center’s K-12 Cyber Incident Map reported its 533rd publicly disclosed cyber incident, which means the number of data breaches against K-12 school districts in 2019 has already surpassed 2018’s total. With four months still to go until the end of the year and the 2019-2020 school year beginning, school districts must take appropriate measures to protect themselves from the next attack.

Each year, more schools make the transition to the cloud and security falls further behind. The adoption of cloud technology in schools means that not only must security teams have the resources to monitor for suspicious and malicious activity from external threats, they must also simultaneously be well-equipped to monitor for potential threats from within.

The start of the school year means millions of students and staff members will return to a school’s cloud environment. It also means massive amounts of data will flow into, within and out of that environment. Computers, laptops, and cloud applications like Google G Suite and Microsoft 365 are now as essential to a school supply list as notebooks, binders and pencils. Teachers and staff members use these cloud-based productivity applications as much as they do email, spreadsheets and word processing.

The fact is, schools today cannot function without these education-oriented cloud technologies and applications. At the same time, funding shortages mean that securing them is often not prioritized. But hackers are aware of this and schools should protect themselves moving forward.

Here are three ways to get the ball rolling:

1. Shift the focus to prevention, not mitigation

Most school districts have fewer than 2,500 students and don’t have a staff member dedicated to handling cyber security incidents. Because of this, schools have become a target.

But their mindset should shift from “if an attack happens” to “when an attack happens.”

Many schools across the U.S. have made the transition — or eventually will — to running classroom and administrative operations in the cloud. The problem, however, is that securing the cloud applications in the new cloud environment has been an afterthought. This means schools are leaving student data vulnerable to identity theft, fraud, and other emerging threats.

By shifting the focus to secure applications and data before an attack happens, rather than after, schools and other organizations in the education market will be better prepared to protect students, staff, and operations against an external attack or internal incident.

2. Minimize internal threats

The increase in adoption of cloud applications means schools must also improve their security posture to prevent an internal incident. K-12 schools that have recently transitioned to the cloud, or are still making the transition, may not realize cyber security means more than securing a network with firewalls and gateways. It also means securing the data within the cloud environment — even when an individual and their device physically leave the premises.

Verizon’s 2019 Data Breach Investigations Report found that nearly 32 percent of breaches involved phishing, that 34 percent involved internal actors, and that errors were causal events in 21 percent of breaches. Focusing on cloud application security as much as network or endpoint security will help minimize the internal threats that could occur throughout the school year and will help prevent sensitive data from leaving a school’s environment.

For example, a member of a school’s faculty could be at home and click on a phishing link in an email. That phishing link has now granted hackers access to the school’s cloud environment. Attackers are then able to pass through any firewall and gateway schools have in place and can download and share any files they want. Most worrying of all, schools may never know the breach took place unless the hacker discloses it (as typically seen in a ransomware attack).

3. Make data loss prevention a priority this year

Educational institutions must fulfill data security and privacy requirements mandated by specialized laws and regulations such as the Family Educational Rights and Privacy Act (FERPA), the Children’s Internet Protection Act (CIPA), the Children’s Online Privacy Protection Act (COPPA), and the Health Insurance Portability and Accountability Act (HIPAA).

They must also protect their own organizational data, including the personal and financial data of their employees, and usually do it all without having huge security budgets.

When thinking about data loss prevention, most think of tools and solutions. But while data loss prevention tools can monitor user activity to detect improper or unusual behavior, preventing data loss goes much deeper. Institutions must educate staff and students on the most common types of human error and the various threats they may come across. They must also plan and document processes to be better prepared and protected.

Attackers are becoming more sophisticated in their attacks and it’s high time for schools to become more sophisticated in their defenses. Remember, security doesn’t have to be expensive or complicated, but configuring protections correctly and monitoring for vulnerabilities and potential breaches is essential.