Attackers see the industry as an easy target with many … FERPA – The Family Educational Rights and Privacy Act requires that stu… This absence of experts leaves the responsibility for patching a security program to technology and security novices without the knowledge or experience to effectively manage a cybersecurity program. The Readiness and Emergency Management for Schools Technical Assistance Center (REMS TA) published a report on cybersecurity concerns facing Institutions of Higher Education (IHEs). Every department wants more resources, which can lead to the depletion of the IT department. Although new threats are emerging all the time, the following five threats are a continuous problem for universities. Cyber security for the Education sector The education sector is a prime target for malicious hackers who seek to disrupt operations or to gain financially by compromising systems at schools, universities and … Another cybersecurity challenge schools face when protecting their networks … In other words, any financial information related to a student’s financial aid must be protected by adequate security measures. To avoid employee FERPA violations, universities especially should invest in training programs for employees. The website provides information on relevant rules, tools, and documents. An attack may cause computer outages or cripple other tools used while teaching. Cyber threats to universities began around 2000, at least those that have been documented, and since then, the intensity and complexity of attacks have increased. A whopping 3,153,818 data records were compromised in the education industry in 2016.
However, if the cloud infrastructure is not hosted by the university, PII, financial data, or operational data may be stored on third-party servers. Moreover, it’s not just students who bring their devices; professors, visitors, and foreign exchange students also bring their devices. The most novice attempts to phish can easily be snuffed out, but more advanced strategies position emails and messages in ways that are hard to differentiate from legitimate messages. To improve cybersecurity preparedness today, use the checklist below. The education industry performed poorly in patching cadence, application security … The answer varies depending on the type of attack. Awareness serves as one of the best ways to protect against phishing along with utilizing AI software that can identify fraudulent emails or alert users that the email comes from an outside account. Hacking, malware, and unintended disclosures continue to raise the issue of cybersecurity within higher education. These types of attacks not only set students behind but also limit the type of education teachers can provide to students. Especially when the repercussions can be as severe as the … Unsecured Personal Devices – Every student has at least a phone and laptop, not to mention tablets and fitness trackers. The Rule addresses financial information and how to adequately protect it by assessing threats, preventing unauthorized access, and ensuring confidentiality. UK organisations have been affected by them before but only US universities have been seen so far in the Education sector. The end result? For example, EdTech reported that there have been 855 cyber incidents since 2016, with 348 in 2019 alone, a number nearly three times higher than the year before, 2018. Cyber Security Awareness in the Education Sector.
, since it is highly likely that every university will experience at least one in the future. – University research plays a large role in funding. This is because of the fact that most of the … Another great resource is the HEISC, which started in 2000 with the goal of helping campuses improve their cybersecurity. The above legislation underscores how vital it is for educational institutions to invest in information security. Do your controls fall in the median range for the size and type of university? But many questions remain — Why has there been such a large increase in attacks on the education sector? However, despite these troubling facts, institutions and individuals in the industry have many precautions and proactive measures they can take to protect themselves. , and third-party security policies. As schools incorporate more technology into classrooms and administrative offices, information security will become increasingly vital. Educational institutions hold a wealth of information, including valuable intellectual property and groundbreaking research. Is your information at your university protected? So how have universities responded to these revelations? When compared to the business sector, schools aren’t necessarily considered for-profit entities (although in many cases, they are). GLBA – The Gramm-Leach-Bliley Act focuses on financial institutions; however, IHEs must also comply with the GLBA’s Safeguard Rule as these institutions deal with large inflows and outflows of money. One of the best ways to defend against malware is requiring your students to have up-to-date software prior to connecting to a school’s network. CERT is a think-tank specializing in cyber security for over 30 years. A large breadth of school districts under attack.
Facing cybersecurity challenges involves not only hardware and software, but also information security staff and programs designed to educate users and protect sensitive data and networks on and off campus. Several government regulations either focus on educational information security or include specific clauses addressing the sector. Universities are a frequent target for cyberattacks because of the sensitive data their IT systems often house combined with the vulnerabilities that come with an open-access culture. A smaller monetary investment often means weaker defenses, signalling an opportunity for easy victory for bad actors constantly on the hunt for valuable data. Financial gain – A motive for hackers carrying out an attack on an education institution is often for … Students and parents possess the right to review any educational documents, and, if an error is found, petition for a correction. To begin mapping your cybersecurity landscape and determining which controls to implement, use the Cybersecurity Assessment Tool or the Unified Compliance Framework (free and paid accounts available). Every student has at least one, and more likely multiple, devices on them at all times. FERPA limits the release of educational records and dictates record storage procedures. In this blog from PlexTrac, we’ll be combing through the education industry as a whole to get answers to these burning questions.
Learn about the different recommended controls and then assemble a knowledgeable team to implement those controls. Imagine trying to teach a programming class with glitchy, compromised computers! The more devices on a network, the more vulnerable a network becomes. Building a cybersecurity program is no easy task. – Is your program meeting the general minimum standards for university cybersecurity? Individuals that hear this news may decide to attend another school if they feel that their information is vulnerable to compromise or their educational experience susceptible to sabotage. The difficulty in combatting them at universities comes when threat actors spoof legitimate university email accounts, making the address very similar to authentic ones. HEA – The Higher Education Act requires IHEs to implement information security measures if they accept federal financial aid granted to students (Title IV). During the auditing process, universities should review any past breaches and rank the threat likelihood for common university attacks. Many schools in today’s world use cloud-based platforms to teach in a virtual setting. will further identify gaps in a university’s system. The unique challenges faced by an education organization can impact...
Cybersecurity threats to the education … Just as a doctor’s office outside a school must comply with HIPAA, any medical center on campus falls under the same rules. This precaution will limit the number of attack vectors for malware to exploit. any software intentionally designed to cause damage to a computer, server, client, or computer network. Unfortunately, not well. If these institutions or an employee fails to meet the FERPA standards, they may face suspension, termination, prosecution, or a loss of federal funding. If a school is known for rigorous research and academic publications, a compromised network can greatly impact the reputability and integrity of the research. Ideally, this process should happen prior to a new school year before even more new information enters the system, but really, any time is better than no time at all. Below are some of the most pressing threats to the education sector by bad actors and some ways you can protect yourself and your institutions. FERPA – The Family Educational Rights and Privacy Act requires that students provide written consent prior to the releasing of any records and PII. The more devices, the more vulnerable the network becomes. Malware is a blanket term that includes ransomware, viruses, worms, adware, and more. Cyber Security in Education: What You Need to Know. Educational institutions store a significant amount of sensitive data ranging from research to test documents to personal student information.
Comparing your university’s safeguards to those of other similar universities will help highlight your shortcomings or introduce you to new security tools/techniques in the educational industry. The report noted that approximately three-fourths of all universities take at least three days to resolve breach notifications. Limited IT Resources. If a university loses sponsors or partners due to a damaged reputation, the financial fallout could be significant. Additionally, all the, devices used in conjunction with the cloud further broadens the threat landscape. Implementing monitoring controls and conducting regular risk assessments will help safeguard the wireless network. Distributed Denial of Service (DDoS) Attacks. In 2017, news outlets reported that Chinese hackers infiltrated the systems of 27 universities across the US and Canada. In light of multiple attacks against colleges in Greater Manchester and the North West, the Cyber Resilience Centre is launching a campaign to help raise cybersecurity awareness and resilience within the education sector. The cyber threats mentioned above clearly demonstrate the need for better security in education institutions. Just as HIPAA and other guidelines protect customer/patient information, the Family Educational Rights and Privacy Act (FERPA) serves as the educational equivalent, protecting every student’s right to privacy. Rather, it vaguely requires “reasonable methods” for safeguarding student information. Surprisingly, there’s a very easy answer to this question. Deloitte is a leader in cybersecurity, risk, and governance, providing end-to-end capabilities for the spectrum of cyber threats in higher education. It requires a hefty investment from both a personnel and tool perspective — an investment many school districts cannot afford to make.
For Wilson and USA, securing personal identifiable information (PII) is a priority. The education industry has been ranked the worst in cybersecurity out of 17 major industries. Utilizing advanced firewalls and anti-virus software is key to minimizing the effectiveness of these attacks, and penetration testing will help your team identify gaps in your defenses. This shift, plus a global investment in cloud storage and IoT devices, creates a perfect storm for attackers seeking data. Needless to say, the consequences of attacks on educational institutions are different for universities but no less lethal. PII includes Social Security and credit card numbers as well as … The education industry has proven particularly susceptible, as Wombat Security – a software company dedicated to helping companies to combat phishing attacks – found in a 2017 report that 30 percent … So what are universities doing wrong? , having security controls will only go so far in protecting personal and academic information. FISMA – Federal Information Security Modernization Act of 2014 falls under the e-Government Act. Consequently, students click on the links and allow the threat actor to enter the entire university email system. While FERPA covers student privacy regarding information storage and transfer, it does not identify which specific security controls to use. Malware – Ransomware, viruses, worms, and adware fall into the malware category.
Laptops, smart phones, tablets, smart watches, and more. The Rule also requires the following: a designated employee to liaise between the IT department and financial office; implementing security controls and monitoring those controls; reviewing service providers to confirm proper security measures are in place; and evaluating the effectiveness of controls and methods and, if necessary, remediating. In addition to students’ devices, professors, visitors, and other employees all have devices of their own. Analysis published last week by SecurityScorecard, a New York City-based IT security … But what are the tactics most common to the industry? Malware can result in extortion, fraud, or stalled operations. Read more to learn why attacks have risen. However, from a security perspective, such practices make information vulnerable. The education industry was the lowest performer in terms of cybersecurity compared to all other major industries.
to rerouting scholarship money. While educational institutions are not often the first organizations we think of as victims of cyberattacks, it’s more common than you may currently believe. One of the best ways to combat this risk is by teaching cyber awareness at your school/university. – Universities today use a lot of technology, including dining hall apps to. As noted above, FERPA lists requirements for IHEs that receive government funding. Depending on the size of the school, the number of security controls necessary can become overwhelming and result in poor or negligent implementation. The answer to this question varies and often is tied to what school is under attack. The hit on a school’s reputation may decrease their total attendance numbers, lowering the funding they have to pay teachers, build new facilities, invest in modern educational practices, and so on. If a university does not have robust cybersecurity or IT infrastructure or personnel, they should consider using a third-party auditor.
In an alert from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), … To evaluate your cloud security, use the Higher Education Cloud Vendor Assessment Tool provided by the Higher Education Information Security Council (HEISC). The answer is (a lack of) money. Many times, schools add new technology but fail to expand their security protocols as well. Also, it would be wise to allocate some funds for dealing with any. A 2018 Global DNS Threat Report found that higher educational institutions repeatedly fail to properly address cybersecurity risks and breaches. However, if these cloud solutions are not stored by the school themselves and instead are stored by third parties, the overall threat landscape expands greatly. The US DOE runs a website for Federal Student Aid cybersecurity compliance, specifically targeting universities. This means security departments will have to do thorough research on what tools are available and which ones best suit the needs of the university. In addition to a severe monetary shortage, many school districts also lack the resources required to build a strong security posture. This mostly affects public and charter schools; however, some private schools also fall under the purview of the law. Although Netwalker does target other sectors, it has focused on education.
While cybersecurity in the financial industry garners a substantial amount of attention, recent guidelines are also highlighting the vulnerability in the education sector. DDoS attacks have grown massively in numbers over the past few years. The resulting question is: what do schools lose when an attack occurs? Read more to understand what these attackers look to take from their victims. Moreover, the DOJ released information on Iranian threat actors that ran a university. Cyber Risks In The Education Sector Education industry vulnerabilities and challenges. Why the education sector must address cyber security There has never been a greater need to connect students, classrooms, and buildings. DDoS attacks cripple a network by flooding the system with spam, information, etc. What are these attacks after, anyway? – If you’ve ever attended a university, you know that the admissions department and recruitment offices tend to leave their doors open. Phishing – Phishing emails are notorious. And how do these attackers accomplish their nefarious goals? HIPAA – The Health Insurance Portability and Assurance Act requires schools to protect student health information, whether it be insurance information or health issues while on campus. Many of the requirements overlap, and one of the best places to start is the NIST cybersecurity homepage. As some universities collaborate with agencies on research projects, it’s important that IHEs follow the National Institute of Standards and Technology’s (NIST) security controls.
Education and Cybersecurity — In Conclusion Overall, the massive rise in cyberattacks on the education sector remains a giant concern. Utilizing firewalls and anti-virus software can help minimize the likelihood of a DDoS attack. Schools are leaving themselves … – Many schools today use cloud-based platforms to connect with students to make the dissemination of teaching resources easier. FERPA applies to all elementary, secondary, and post-secondary institutions that receive federal funding from the US Department of Education (US DOE).