Nowadays, educational institutes hold large amounts of personal information about students and staff. With the increased digital capabilities of students and faculty, cybercriminals are targeting educational institutions more often. In May 2015, Pennsylvania State University's engineering school was the target of a cyber-attack. The attack continued for a few weeks before it was detected, compromising records of some 18,000 students. In March 2014, the University of Maryland's network was the target of a cyber-attack. It compromised 287,580 records of students, faculty, staff and other associated personnel.
It has been observed that the education sector ranks very high on the list of targets for cyber-attacks. Investigations have shown that the educational institutions are woefully lacking in preparedness to handle cyber threats and attacks. Apparently, even the education sector does not escape the evil eye of cybercriminals.
What is at risk?
Many educational institutes overlook security challenges and fail to understand the impact of a cyber attack. Educational institutes hold a wealth of personal data of students, staff, administrators and third-party vendors. Have a look at the type of data educational institutes hold:
Financial data: Institutes store financial information of the students and staff. Many students have direct debits set up for their monthly expenses. This requires the institute to store the bank details. This valuable information can be misused.
Personally identifiable information (PII): Students are not very particular about their online activity. They are also the ones with the cleanest or blank financial credit records. Consequently, they are a prime target for identity theft.
Enterprise data: Information on students, teaching staff, vendors, complex schedule management, student registration information, course evaluation material, fundraising efforts, and strategies are all valuable information. If this information is lost, the whole operation of the Institute can be crippled.
Educational data: Research material, class schedules, grade management systems, testing systems and online evaluation (online assignment submission portals) are all critical for imparting education. The integrity and availability of these are vital for the operations of the Institute.
Challenges for educational institutes for ensuring cyber security
Educational institutes have multiple departments. They are fast-paced, high-mobility and high-activity environments. Many people access multiple systems from multiple locations. Data necessarily flows in and out of the system. This poses challenges for the security of the system. Here are a few challenges faced by most educational institutes.
Decentralized IT - Most of the departments in a typical Institute run their own IT systems. They have a wide variety of computer systems based on their requirements. Because of such diversity and spread of the network, implementation of security policies becomes difficult.
BYOD culture - Institutes encourage students to bring their own devices to store data. Students work in labs, in classrooms and at their residence on the same project. They need to carry their data on USB drives and connect to whichever computer is available to them. Many students don't spend on even basic antivirus and anti-malware software. However, they download free and pirated software. This malicious software passes into the institute's network the moment a student's infected device is connected to a PC on the network.
Open networks - Most institutes' networks are open for any device to connect. This is done to implement the philosophy of freedom of information. However, this means the network access is not properly monitored for unauthorized access and it's easy for viruses, malware and hackers alike to enter and create havoc on the network.
Internal threats - Internal threats are the most common among all other cyber threats. An insider attack can be initiated by a phishing email or by transferring sensitive information to personal or insecure devices. In some cases, employees' credentials or the students' online submission portal can be compromised by an insider, or a human error can cause a data breach.
How to protect educational institutes against cyber threats?
1. Identify the most valuable IT assets and secure them by using a robust security solution.
2. Implement a strong access control system based on student authentication, VPN etc. to prevent unauthorized access to the network.
3. Create strong cyber security policies and spread awareness amongst students and staff to follow safe and secure practices.
4. Invest in a robust cyber security solution which can provide safety to open, diverse and often targeted systems.
The cyber threats mentioned above clearly demonstrate the need for better security in education institutions. They need to take urgent measures to install appropriate security software including firewalls, intrusion detection and prevention systems, endpoint security solutions and antivirus for all client machines as well as servers.
Sanjay Katkar is a proven leader with a profound proficiency in developing strong client relationships, a passion for building outstanding teams and a disciplined focus on operations and execution of successful long-term business strategy. He is the recipient of many coveted appreciations, and under his leadership Quick Heal has continuously made news by being recognized in various categories at national and international forums in the last 9 years.