Moreover, the DOJ released information on Iranian threat actors that ran a university phishing scam from 2013 to 2017 to obtain intellectual property. – If you’ve ever attended a university, you know that the admissions department and recruitment offices tend to leave their doors open. If a school is known for rigorous research and academic publications, a compromised network can greatly impact the reputability and integrity of the research. Rather, it vaguely requires “reasonable methods” for safeguarding student information. However, there are exceptions to this rule including if a student is transferring, if an audit/evaluation is ongoing, if a study is ongoing for the school, for financial aid transactions, for the accreditation process, for health/safety emergencies, or for matters of the law. The US DOE runs a website for Federal Student Aid cybersecurity compliance, specifically targeting universities. The more devices, the more vulnerable the network becomes. For example, a prestigious school known for its academics and high quality educational experience can take a big reputational hit by having their network compromised. One of the best ways to combat this risk is by teaching cyber awareness at your school/university. The answer to this question varies and often is tied to what school is under attack. For example, EdTech reported that there have been 855 cyber incidents since 2016 and 348 in 2019 alone, a number nearly three times higher than the year before, 2018. GLBA – The Gramm-Leach-Bliley Act focuses on financial institutions; however, IHEs must also comply with the GLBA’s Safeguard Rule as these institutions deal with large inflows and outflows of money.
Universities house a bevy of valuable information, including personal information, endowments, and even groundbreaking research data — information that’s now more attainable than ever before. The above legislation underscores how vital it is for educational institutions to invest in information security. Without the proper staffing to. Deloitte is a leader in cybersecurity, risk, and governance, providing end-to-end capabilities for the spectrum of cyber threats in higher education. An attack may cause computer outages or cripple other tools used while teaching. Ideally, this process should happen prior to a new school year before even more new information enters the system, but really, any time is better than no time at all. Phishing – Phishing emails are notorious. Although new threats are emerging all the time, the following five threats are a continuous problem for universities. Learn about the different recommended controls and then assemble a knowledgeable team to implement those controls. RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. and other guidelines protect customer/patient information, the Family Educational Rights and Privacy Act (FERPA) serves as the educational equivalent, protecting every student’s right to privacy. Personal identifiable information (PII), financial information, and operational data are of great interest to attackers, so it’s important to vet your cloud provider for their reliability or use your own data center instead.
Is your information at your university protected? In other words, any financial information related to a student’s financial aid must be protected by adequate security measures. Educational institutions hold a wealth of information, including valuable intellectual property and groundbreaking research. To evaluate your cloud security use the Higher Education Cloud Vendor Assessment Tool provided by the Higher Education Information Security Council (HEISC). Many times, schools add new technology but fail to expand their security protocols as well. DDoS attacks cripple a network by flooding the system with spam, information, etc. Malware is defined as “any software intentionally designed to cause damage to a computer, server, client, or computer network.” Malware is a blanket term that includes ransomware, viruses, worms, adware, and more.
The honest truth is that many attackers view the educational sector as an “easy target.” This distinction is because schools and school districts do not invest as heavily in cybersecurity when compared to other industries. Several government regulations either focus on educational information security or include specific clauses addressing the sector. As evidence of that, the K-12 Cybersecurity Resource Center released the first report pertaining to cyber security threats in U.S. public schools last week: The State of K-12 Cybersecurity… A division of the Software Engineering Institute at Carnegie Mellon University, professionals can become certified in four … According to a new study, a data breach in the education sector costs $245 per compromised record. Every department wants more resources, which can lead to the depletion of the IT department. A 2018 Education Cyber Security Report published by SecurityScorecard also found that of 17 industries, the education sector ranked dead last in total cyber security safety. A smaller monetary investment often means weaker defenses, signalling an opportunity for easy victory for bad actors constantly on the hunt for valuable data. Imagine trying to teach a programming class with glitchy, compromised computers! Surprisingly, there’s a very easy answer to this question. – Universities today use a lot of technology, including dining hall apps to.
Phishing is one of the most effective strategies that attackers use to enter your network. But many questions remain — Why has there been such a large increase in attacks on the education sector? These types of attacks not only set students behind but also limit the type of education teachers can provide to students. The answer is (a lack of) money. Cloud Security – Many schools today use cloud-based platforms to connect with students to make the dissemination of teaching resources easier. , and third-party security policies. What are these attacks after, anyway? The answer varies depending on the type of attack. Below are some of the most pressing threats to the education sector by bad actors and some ways you can protect yourself and your institutions. Moreover, it’s not just students who bring their devices; professors, visitors, and foreign exchange students also bring their devices. Distributed Denial of Service (DDoS) – Denying access to a school’s system and records can wreak mayhem on daily operations. Especially when the repercussions can be as severe as the … The combination of this training and the use of software that identifies and flags questionable emails is a winning duo for the prevention of phishing. The resulting question is what do schools lose when an attack occurs?
Microsoft Security Intelligence found that 60% of nearly 8 million enterprise malware encounters reported in the past month came from devices in the education sector, making it the most affected industry. A, found that higher educational institutions repeatedly fail to properly address cybersecurity risks and breaches. Utilizing advanced firewalls and anti-virus software is key to minimizing the effectiveness of these attacks, and penetration testing will help your team identify gaps in your defenses. So how have universities responded to these revelations? While cybersecurity in the financial industry garners a substantial amount of attention, recent guidelines are also highlighting the vulnerability in the education sector. DDoS attacks work by flooding the network with spam and data, which can overload and completely shut down the network. It requires a hefty investment from both a personnel and tool perspective — an investment many school districts cannot afford to make. Many schools in today’s world use cloud-based platforms to teach in a virtual setting. Malware – Ransomware, viruses, worms, and adware fall into the malware category. If a university does not have robust cybersecurity or IT infrastructure or personnel, they should consider using a third-party auditor. Why the education sector must address cyber security There has never been a greater need to connect students, classrooms, and buildings. This shift, plus a global investment in cloud storage and IoT devices, creates a perfect storm for attackers seeking data.
You’re probably thinking, “What do these attackers want when attacking schools and universities?” Most schools, especially in the United States, are not considered for-profit, so if not money, what’s the endgame? – Areas to review include cloud platforms, data storage practices, email systems, infrastructure. FERPA applies to all elementary, secondary, and post-secondary institutions that receive federal funding from the US Department of Education (US DOE). Between personal information, endowments, and groundbreaking research, universities hold a wealth of information threat actors want. In addition, students who are unaware of cyber risks may click the links without much thought, jeopardizing your entire network. At Lehigh, “the focus remains on proactive sensitive data reduction efforts and even greater threat intelligence collaboration and utilization,” Hartranft said. Brainstorm what kind of attacks might occur and how those may impact the financial stability of your university. Needless to say, the consequences of attacks on educational institutions are different for universities but no less lethal. Manage cybersecurity risk at the right … During the auditing process, universities should review any past breaches and rank the threat likelihood for common university attacks. When compared to the business sector, schools aren’t necessarily considered for-profit entities (although in many cases, they are). As schools incorporate more technology into classrooms and administrative offices, information security will become increasingly vital. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance.
Limited IT Resources. Unsecured Personal Devices – Every student has at least a phone and laptop, not to mention tablets and fitness trackers. The more devices, the more vulnerable the network becomes. This mostly affects public and charter schools; however, some private schools also fall under the purview of the law. If these institutions or an employee fails to meet the FERPA standards, they may face suspension, termination, prosecution, or a loss of federal funding. CERT is a think-tank specializing in cyber security for over 30 years. For more information about HIPAA compliance, check out this guide on How to Keep Your HIPAA Compliance Efforts Up To Date. In fact, plenty of school districts don’t even have employees dedicated strictly to cybersecurity. While educational institutions are not often the first organizations we think of as victims of cyberattacks, it’s more common than you may currently believe. Any framework should be based on past attacks, if they occurred, or whichever attacks were ranked most likely during the auditing/review process. To improve cybersecurity preparedness today, use the checklist below. Awareness serves as one of the best ways to protect against phishing along with utilizing AI software that can. Although FISMA applies mainly to government agencies, it also applies to contractors and entities that collect or maintain any agency information. Educational institutions store a significant amount of sensitive data ranging from research to test documents to personal student information. Just as a doctor’s office outside a school must comply with HIPAA, any medical center on campus falls under the same rules.
Protect what matters most However, despite these troubling facts, institutions and individuals in the industry have many precautions and proactive measures they can take to protect themselves. Is your information at your university protected? Schools are leaving themselves … We work with some of the world’s leading companies, institutions and governments to ensure the safety of their information and their compliance with applicable regulation. The Readiness and Emergency Management for Schools Technical Assistance Center (REMS TA) published a report on cybersecurity concerns facing Institutions of Higher Education (IHEs). Individuals that hear this news may decide to attend another school if they feel that their information is vulnerable to compromise or their educational experience susceptible to sabotage. As the education industry has tuned into the threat, it has started to take measures to address the problem head-on. Cyber threats to universities began around 2000, at least those that have been documented, and since then, the intensity and complexity of attacks have increased. The more devices on a network, the more vulnerable a network becomes. Hacking, malware, and unintended disclosures continue to raise the issue of cybersecurity within higher education. Penetration testing will further identify gaps in a university’s system.
Comparing your university’s safeguards to those of other similar universities will help highlight your shortcomings or introduce you to new security tools/techniques in the educational industry. As noted above, FERPA lists requirements for IHEs that receive government funding. Check out the latest DDoS attack trends and best practices to defend your school networks against cyber … In an environment such as the education sector where there is so much to protect,... Utilizing firewalls and anti-virus software can help minimize the likelihood of a DDoS attack. FISMA – Federal Information Security Modernization Act of 2014 falls under the e-Government Act. Additionally, the COVID-19 pandemic has shifted a large amount of classroom learning to a virtual setting. Requiring students to have up-to-date virus software on their devices prior to connecting to the university network is advisable. Despite these challenges, the Education sector is still expected to secure their networks against unauthorised access and cyber threats. As remote learning becomes the new normal, distributed denial of service attacks (DDoS) against the education sector have surged dramatically. The education industry was the lowest performer in terms of cybersecurity compared to all other major industries. Educational records can only be released once a parent or eligible student provides written permission. However, from a security perspective, such practices make information vulnerable. – The Family Educational Rights and Privacy Act requires that students provide written consent prior to the releasing of any records and PII.
Cyber security for the Education sector The education sector is a prime target for malicious hackers who seek to disrupt operations or to gain financially by compromising systems at schools, universities and … This absence of experts leaves the responsibility for patching a security program to technology and security novices without the knowledge or experience to effectively manage a cybersecurity program. Additionally, all the IoT devices used in conjunction with the cloud further broaden the threat landscape. To begin mapping your cybersecurity landscape and determining which controls to implement, use the Cybersecurity Assessment Tool or the Unified Compliance Framework (free and paid accounts available). – University research plays a large role in funding. Students and parents possess the right to review any educational documents, and, if an error is found, petition for a correction. Read more to learn why attacks have risen. Malware can result in extortion, fraud, or stalled operations. In an alert from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), … In addition to students’ devices, professors, visitors, and other employees all have devices of their own. The history of cyber attacks in the education industry shows that motivations for cyber attacks range from altering grades to stealing PII to rerouting scholarship money. Attackers see the industry as an easy target with many precious assets ripe for the picking. Every student has at least one, and more likely multiple, devices on them at all times. The goal is to create a welcoming environment that draws in potential new students.
RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA). The unique challenges faced by an education organization can impact... Cybersecurity threats to the education … The education industry has been ranked the worst in cybersecurity out of 17 major industries. And how do these attackers accomplish their nefarious goals? Another cybersecurity challenge schools face when protecting their networks … As some universities collaborate with agencies on research projects, it’s important that IHEs follow the National Institute of Standards and Technology’s (NIST) security controls. But educational establishments can least afford to deal with the aftermath; the education sector also recognises they have a cyber-skills shortfall as found in research by UK Government … A large breadth of school districts under attack. FERPA limits the release of educational records and dictates record storage procedures. A whopping number of 3,153,818 data records were compromised in the education industry in the year 2016. The education industry performed poorly in patching cadence, application security … The website provides information on relevant rules, tools, and documents. In light of multiple attacks against colleges in Greater Manchester and the North West, the Cyber Resilience Centre is launching a campaign to help raise cybersecurity awareness and resilience within the education sector.
Consequently, students click on the links and allow the threat actor to enter the entire university email system. The most novice attempts to phish can easily be snuffed out, but more advanced strategies position emails and messages in ways that are hard to differentiate from legitimate messages. Unfortunately, not well. Implementing monitoring controls and conducting regular risk assessments will help safeguard the wireless network. And read more to hear the most common tactics attackers use to succeed against the good guys. Learn about cybersecurity in education with our comprehensive guide. Financial gain – A motive for hackers carrying out an attack on an education institution is often for …