How Educational Institutions Are Failing to Adequately Protect Student Data

With security at the forefront of hot-button issues across the country right now, one threat to students’ well-being that often goes unnoticed is the growing frequency with which their personal data is being compromised.

Cyber criminals’ increased interest in attacking education systems imperils students’ financial futures and privacy, and gives parents a reason to question whether schools are up to the task of protecting their kids’ personal data.

As reported by education IT news site EdScoop, a recent study from consultancy EdTech Strategies indicates that the websites of state education departments and local school districts are among the most insecure on the Internet. For example, the study found that 26 of the 50 states are not making full use of the secure “HTTPS” Internet protocol. A site that is still served over plain HTTP, or that does not push visitors onto HTTPS, lets anyone on the network path read or alter what parents and students send to it, including login credentials and form data, which makes those sites more vulnerable to attack.
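The study referenced above scores whether a site makes "full use" of HTTPS; the script below is an added example (not part of the original post or the EdTech Strategies study) showing what such a check looks like in practice. It treats full use as three things: the site answers on HTTPS with a valid certificate, plain-HTTP requests are redirected to an https:// location, and the HTTPS response carries a Strict-Transport-Security header with a long max-age. The 180-day HSTS threshold, the hostnames and the sample responses are this example's own assumptions, constructed so that it runs offline; the `fetch` helper is what you would point at a real hostname.

```python
"""Added example: grade a site's use of HTTPS from its HTTP and HTTPS responses.

Thresholds, message strings and the sample hosts below are assumptions made for
this example, not findings from the study discussed in the article.
"""
import http.client
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed minimum HSTS lifetime; hstspreload.org asks for a full year for preloading.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # header names lowercased
    error: Optional[str] = None  # set when no response was obtained at all


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age from a Strict-Transport-Security value, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(number.strip().strip('"'))
            except ValueError:
                return None
    return None


def https_findings(http_resp: Response, https_resp: Response) -> List[str]:
    """List the ways a site falls short of full HTTPS use (an empty list means it passes)."""
    findings: List[str] = []
    if https_resp.error:
        findings.append(f"https not available: {https_resp.error}")
        return findings  # without a working HTTPS endpoint the remaining checks cannot pass
    if http_resp.error is None:  # plain HTTP answered, so it must hand the client to HTTPS
        location = http_resp.headers.get("location", "")
        is_redirect = http_resp.status in (301, 302, 307, 308)
        if not (is_redirect and urlparse(location).scheme == "https"):
            findings.append("plain http served without redirect to https")
    hsts = https_resp.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no strict-transport-security header on https response")
    else:
        max_age = hsts_max_age(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts max-age missing or shorter than {MIN_HSTS_MAX_AGE}s")
    return findings


def fetch(host: str, scheme: str, timeout: float = 5.0) -> Response:
    """GET / over the given scheme without following redirects (live probe helper)."""
    try:
        if scheme == "https":
            conn = http.client.HTTPSConnection(host, timeout=timeout,
                                               context=ssl.create_default_context())
        else:
            conn = http.client.HTTPConnection(host, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "https-check/0"})
        resp = conn.getresponse()
        return Response(resp.status, {k.lower(): v for k, v in resp.getheaders()})
    except OSError as exc:  # DNS, refused, timeout and TLS failures (ssl.SSLError is an OSError)
        return Response(0, error=str(exc))


# Constructed sample responses (not real sites), one per pattern seen in practice.
SAMPLES = {
    "good.example": (
        Response(301, {"location": "https://good.example/"}),
        Response(200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
    ),
    "weak.example": (
        Response(200, {"content-type": "text/html"}),
        Response(200, {"content-type": "text/html"}),
    ),
    "nohttps.example": (
        Response(200, {}),
        Response(0, error="[Errno 111] Connection refused"),
    ),
}


def grade_samples() -> Dict[str, List[str]]:
    """Run the checks over the constructed samples."""
    return {host: https_findings(h, s) for host, (h, s) in SAMPLES.items()}


if __name__ == "__main__":
    for host, findings in grade_samples().items():
        print(host, "OK" if not findings else "; ".join(findings))
    # For a live check: https_findings(fetch("example.edu", "http"), fetch("example.edu", "https"))
```

The order of the checks matters: a site with no working HTTPS endpoint gets a single finding rather than a misleading list of missing headers, and a site that answers on HTTP but redirects to an https:// location is not penalised for still listening on port 80, which is the normal way to migrate users.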

“Analyses of education agency websites suggest a widespread lack of attention to issues of online security and privacy,” Douglas Levin, president of EdTech, told EdScoop.

Levin also shed some light on what he believes is one cause of the problem, noting that school districts suffer from a lack of deep security experience and understaffed (and thus overwhelmed) IT teams. And as years of writing about IT security have taught me, that generally leads to a host of unpleasant consequences, including less-than-stellar security measures.

The state of student data security apparently isn’t a whole lot better at the collegiate level either. Earlier this month, US News & World Report wrote about a state report that found that the University of Wisconsin System hadn’t developed a comprehensive computer security program.

According to the US News report, the UW Information Assurance Council had taken some required steps—including establishing authentication and data classification procedures and raising security awareness—but that the system’s administration hadn’t complied fully with regent security policy, resulting in an increased risk of unauthorized changes to accounting, payroll and student data.

These kinds of lax security efforts—insufficient use of secure protocols, not adhering to established policies—are alarming enough in and of themselves, but when you combine them with a landscape characterized by an unprecedented volume of threats, you get the potential for a perfect storm.

Along those lines, Security Boulevard recently reported that the FBI and U.S. Department of Education had issued a warning that schools faced an immediate ransomware threat from a hacker group called TheDarkOverlord (or TDO). According to the warning memo, between April 2016 and January of this year TDO was responsible for at least 69 ransomware attacks on schools and businesses, had attempted to sell more than 100 million records including personally identifiable information, and had released 200,000 records, including those of 7,000 students, when ransoms went unpaid.

The really sad thing is that none of this should come as a big surprise, as education has proven itself to be perhaps the most security-challenged sector in society. In fact, a recent piece in Forbes highlights a BitSight study suggesting that education lags far behind other industries in its security rating, and is correspondingly more exposed to ransomware.

Perhaps the one piece of good news is that education IT leaders recognize there’s a problem. For the third consecutive year, EDUCAUSE, a non-profit association of higher education IT leaders, has identified information security as the number one IT issue confronting universities.

Sharon Pitt, VP of IT for the University of Delaware, told EDUCAUSE that schools find themselves fighting the battle to protect data on numerous fronts, as they grapple with their own security shortcomings, a changing and increasingly sophisticated threat environment, and expanding compliance requirements.

Meanwhile, Michael Corn, CISO for the University of California at San Diego, clearly believes that, at least in higher education, security teams have let their schools down thus far.

“While colleges and universities continue to invest in information security, we security practitioners have failed to clearly define a strategy for cybersecurity, and thus our leadership feels ‘unmoored’ in response to the public drama of large-scale data breaches,” Corn told EDUCAUSE. “We hear the constant question: ‘What are we doing in response?’”

If all of the recent indicators are to be believed, they had better have a good response soon, or students will be paying the price.

*** This is a Security Bloggers Network syndicated blog from RSAConference Blogs RSS Feed authored by Tony Kontzer. Read the original post at: