The education industry is a magnet for cybercrime. This is quite self-explanatory, given the vast amount of diverse information it holds on students and staff, including Personally Identifiable Information (PII), financial information, and even health information. On top of this, the education sector is also home to several trailblazing research projects and innovations, making it a lucrative target for cybercriminals.
In the first half of 2017, the education sector accounted for 13% of data breaches, resulting in the compromise of around 32 million records. And this number was a whopping 164% increase compared to the data breaches in 2016.
In April 2019, Georgia Tech announced that nearly 1.3 million current and former faculty members, students, staff and student applicants had been affected by an education data breach that was caused by unauthorized access to a web application. Later in July 2019, Pearson reported a data breach that impacted roughly 13,000 school and university accounts.
Apart from data breaches, here are some other common challenges faced by the Education Industry:
As explained earlier, the immense amount of sensitive information stored by educational providers make them a frequent target for malicious offenders. According to the 2020 Data Breach Investigations Report by Verizon, Ransomware is really taking hold of Education vertical incidents. Up from 48% in 2019, Ransomware has been responsible for approximately 80% of Malware infections, while hacking and phishing attacks account for 23% and 28% of attacks respectively. Apart from these forms of threats, DDoS attacks are also very common, and aim to disrupt key operations of the institutions.
Another major issue is BYOD (Bring Your Own Devices). With students bringing their own devices and with an open network in most educational environments, personal information has never been more vulnerable to data security related incidents. The 2020 Verizon Report on Data Breach Investigations also states that malware distribution to victims was more common via websites than email. This information doesn’t really seem to make sense until you consider malware being distributed via unmonitored email (such as personal mail accounts from students on bring-your-own devices connected to shared networks), and all of those infections obviously endanger the larger organization.
This brings us to the next challenge – the lack of proper data security strategies, and an inefficient IT system. More than any other industry, the education sector is increasingly progressing online – offering remote services to its students. In such a case, institutes cannot afford to run IT systems on their, and resources should be put towards a skilled team of IT professionals who can implement the right data security technology in place.
And just like any other organization, apart from all the other day-to-day activities, compliance is also something that should be on top of the priority list. Often, compliance takes the back burner and institutions end up facing expensive lawsuits. Laws like The Family Educational Rights and Privacy Act (FERPA), and even HIPAA, govern the education sector and must be taken seriously to avoid the costs of non-compliance. Apart from these laws, other data protection acts like the GDPR and the CCPA are also applicable.
Finally, most students and staff are very unaware of the different forms of data security threats. In such cases, even simple threats could end up deceiving an individual into giving up confidential information.
It is quite evident that people and processes are not enough; organizations should implement the right technology in place to build a strong data security posture.
The following steps can enable a strong data security posture:
- Monitor user activity for all actions performed on sensitive data in your enterprise.
- Choose from different methods or select a combination of techniques such as encryption, tokenization, static, and dynamic data masking to secure your data, whether it's at rest, in use, or in motion. Before this step, sensitive data discovery is a must, because if you don't know where your data is, how will you protect it?
- Deploy consistent and flexible data security approaches that protect sensitive data in high-risk applications without compromising the application architecture.
- Your data security platform should be scalable and well-integrated, which is consistent across all data sources and span both production and non-production environments.
- Finally, ensure the technology you're implementing is well-integrated with existing data protection tools for efficient compliance reporting and breach notifications.
It is no doubt that the education services sector faces a difficult time given that it serves as a very attractive trove of sensitive data. To face this problem, it is imperative to implement a data security and awareness training program and to have an able set of individuals who can make effective data security strategies.
The MENTIS platform comprises a comprehensive solution that protects sensitive data along its lifecycle in the customer’s systems - providing capabilities from sensitive data discovery, masking, and monitoring to data retirement. Engineered with unique, scalable architecture and built-in separation of duties, it delivers comprehensive, consistent, and reliable data and application security across various data sources (mainframe, relational databases, unstructured data, big data, on-premise, and cloud).
How a leading ivy league university in the US is effectively handling data security
Find out how we implemented a complete data security solution in an Ivy League University in the US, by executing discovery, static data masking, dynamic data masking, and monitoring across multiple data sources.
Click here to read more: MENTIS Customer Success Stories - Enterprise-wide security in an Ivy League University in the US