By Wes Hutcherson, director of competitive intelligence, eSentire.
Educational institutions are being dealt a one-two punch these days. If it’s not the financial crisis spawned by the global pandemic and the subsequent economic crisis, it’s the growing attractiveness of schools and institutions of higher learning as targets for cybercriminals. Over the past three years, educational institutions around the globe have seen an increase in incidents bypassing traditional prevention technologies, causing expensive remediation efforts. And it’s only getting worse.
The writing on the Blackbaud
In 2018, more than 300 universities worldwide and 144 U.S. universities were part of a cyberattack by Iranian hackers that stole more than 30 terabytes of data, costing universities more than $3.4 billion. A year later, the Georgia Institute of Technology reported it had been breached, exposing the personally identifiable information (PII) of 1.3 million students, teachers, staff and student applicants.
More recently, the University of Utah paid out more than $457,000 to mitigate a ransomware attack on its computer servers. Earlier this summer, Blackbaud, a cloud computing company, was hit with ransomware. The company ultimately paid to protect its data, but the net result was that dozens of universities in the United States, Canada and Great Britain were impacted. And now, with increasing numbers of U.S. public schools opting for virtual classrooms for the foreseeable future, out comes a report that found security issues with Google Classroom.
All told, the Privacy Rights Clearinghouse has reported that 780 data breaches have occurred in K-12 schools and institutions of higher education since 2005. So, despite what you might have learned in school, sometimes 780 multiplied by 15 (years) does equal 14,871,122, at least if you’re talking about numbers of compromised records.
The three “R”s: Reading, writing and regulation
The risk associated with student data is increasing, and compounding the problem is the unexpected shift to virtual learning environments that has only served to increase the pressure on already constrained cybersecurity resources. The education sector has a unique set of cybersecurity risks to factor in, including a broad array of personal devices used to access information and learning platforms, as well as the adherence to governmental requirements that protect students’ sensitive data.
In February 2020, the U.S. Department of Education issued a statement regarding its enforcement of cybersecurity requirements and provided notice of increased scrutiny around cybersecurity programs. Under it, K-12 schools and districts, as well as higher education institutions, are subject to requirements set out by three regulations: the Health Insurance Portability and Accountability Act (HIPAA), which is relevant to any institution that provides medical care and/or procedures to its students; the Family Educational Rights and Privacy Act (FERPA), which pertains to the rights granted to parents of students both under and over the age of 18, enabling control over the data that they provide to their educational institution; and lastly, the Children’s Online Privacy Protection Rule (COPPA), which mandates that educational institutions establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of children’s personal information.
COPPA also applies to operators of any website or online service that collects PII from children under the age of 13. Moreover, educational institutions also must adhere to the requirements set forth by the U.S. Department of Education for organizational, operational, and procedural assessments to identify gaps and mitigate risk against growing cyberattacks.
It’s a lot to keep track of, especially when you consider that schools are already at the mercy of legacy systems and insufficient internal resources, and on the whole lack a clear understanding of risk-based best practices. Add to that a lack of visibility into personal devices and the fact that they are sitting on high-value PII, and it’s no wonder that educational institutions are increasingly finding themselves in the crosshairs.
Managed Detection and Response: It adds up
Let’s face it, there’s never a good time to be hacked, and given the current global situation, learning institutions can ill afford the extra complication of a cybersecurity breach. Whether your organization is a K-12 school district or a higher-education institution, threat actors are going to capitalize on vulnerable systems and the highly valuable PII therein. Ultimately, the difference between organizational protection and potential disruption will come down to the speed at which you can identify and contain an attack.
MDR services rapidly identify and contain threats that bypass traditional security controls by ingesting signals across the litany of devices that access a client’s systems. A true MDR provider combines endpoint, network, log, vulnerability and cloud data to identify known and elusive threats. When looking for a security partner, look for one that offers risk management services that can test your existing defenses against simulated attacks, assess and measure your security posture, and help build a path to resiliency that ensures alignment with regulatory requirements and a better security posture.
Your security partner is your first line of defense against the latest threat actors, so make sure they understand the unique needs of your organization and that their services align with the education sector’s top challenges. While you might be in the business of educating young minds, you don’t want to find yourself in the position of educating your security partner.
The 1-2-3s of cybercrime
- 80% of attacks on the educational sector were ransomware attacks distributed via malware on websites. (Verizon DBIR Report, 2020)
- 28% of security incidents convert to data disclosure for Educational Services. (Verizon DBIR Report, 2020)
- 212 days mean time to identify. (Ponemon: Cost of a Data Breach Report, 2019)
- 71 days mean time to contain. (Ponemon: Cost of a Data Breach Report, 2019)
- $1,270,000 average detection and escalation costs in 2019. (Ponemon: Cost of a Data Breach Report, 2019)
- $1,070,000 average post-breach costs in 2019. (Ponemon: Cost of a Data Breach Report, 2019)
- $210,000 average notification costs in 2019. (Ponemon: Cost of a Data Breach Report, 2019)