In this blog post, the final piece in our series of blog posts about IT risks in various industries, we’ll highlight the main concerns of educational organizations worldwide. We’ve gathered feedback from IT specialists working for educational institutions to find out about their IT security practices, pain points, experiences and plans. In case you missed our previous posts covering IT risks in other industries, check them out now: IT Risks in Healthcare Organizations, IT Risks in Large Enterprises and SMBs, IT Risks in Finance and IT Risks in Government.
Cybersecurity context: who is responsible?
Just like healthcare and government organizations, the majority of educational institutions do not use any software for information security governance or risk management. Educational institutions struggle to invest in cybersecurity software due to either lack of a security strategy, or lack of financial and labor resources.
79% of educational organizations do not use any software for information security governance
One of the top problems for the entire education sector is the need to economically justify every attempt to deploy new software or hire a new staff member. As one respondent put it, “IT is seen as a cost driver and not an investment.” It’s no wonder that many educational organizations do not even have a separate cybersecurity function. Instead, they often place responsibility for security-related tasks on the shoulders of IT operations teams, who have to then handle multiple tasks and can easily overlook critical changes indicative of security violations or cyber attacks.
Which areas are the most and least protected?
In order to better understand the current state of cybersecurity in educational institutions, let’s take a look at the areas of IT infrastructure that receive the most, and the least, attention from organizations.
Our research shows that educational organizations have different priorities than other industries: They focus more on the security of their endpoints (82%), on-prem systems (79%) and virtual infrastructures (73%). This is not a big surprise; educational entities store most of their sensitive data on premises rather than in the cloud, and their IT environments are largely virtualized.
Areas that are either neglected or don’t receive meticulous attention include BYOD (49%), unstructured data stored in third-party data centers (e.g., documents, paper forms, reports and email) (33%), and employee activity (17%). Since the IT infrastructures of educational organizations are often distributed across several campuses, gaining centralized control over operations and IT staff member activity is essential to keeping sensitive data safe. However, the boom in personal smartphones, tablets and laptops on campus, as well as the inability to ensure 100% control over data in third-party data storage, complicates IT security and increases the risk of data loss and breaches due to ransomware, privilege abuse and other cyber threats.
What are the biggest security concerns?
Because educational organizations often lack visibility into user activity, most of them perceive their own employees to be the biggest threat to cybersecurity, even bigger than hackers from the outside. After all, it can be quite a challenge to detect a malefactor who is already inside your castle.
77% of educational organizations consider employees to be the biggest security risk
If we take a look at the security incidents that happened to organizations in 2016, we see that this concern is justified. About 49% of organizations told Netwrix that the main cause of security incidents was human errors. Other 37% of incidents were due malware — and of course, malware is often spread through social engineering and makes its way into critical systems and data due to the negligence of staff and students. Regarding operational issues, we see the same picture — most accidents that resulted in system downtime and service disruption occurred because of accidental or incorrect user activity. These results indicate that education is probably more vulnerable to insider threats than any other industry.
What about compliance?
We’ve talked about security and operational issues, but what about compliance? What specific challenges do educational organizations face, and how difficult is it for them to pass annual audit checks?
Educational organizations store a lot of sensitive data, including students’ educational records, financial data (e.g., information about loans and tuition payments), and other types of PII. Some also offer healthcare services and store healthcare data. Therefore, many educational institutions have to comply not only with strict educational compliance requirements such as FERPA, but also with financial and healthcare standards like PCI-DSS and HIPAA. As a result, they must meet a wide variety of requirements, including continuous monitoring of privileged user activity and data access.
35% of educational organizations had compliance issues in 2016
In customer interviews, we often hear that IT in education is unlike IT in any other industry because the user population is changes so dramatically so often. In such a heavily regulated industry with multiple standards, the inability to monitor and manage user activity and changes in the IT environment makes it hard to ensure that proper data security controls are in place, let alone satisfy auditors. No wonder that compliance audits are not always smooth: About 35% of organizations admitted that they had several problems passing audits in 2016.
Are educational institutions ready to beat cybersecurity risks?
Although educational institutions may not be as tempting a target for criminals as financial or government organizations, they are still vulnerable to highly motivated hackers, who may try to gain access to students’ PII and financial data.
Unfortunately, only 23% of organizations are ready to defend against cyber threats. This result helps explain why the latest Verizon DBIR found that the number of security incidents in the educational sector has increased by almost 80% since 2015.
Only 23% of educational institutions are well prepared to beat cyber risks
Educational institutions report the same obstacles to cybersecurity as any other industry: The vast majority of respondents are held back by lack of funding, both for security software and for people to support it. Other reasons why educational organizations are lagging behind include lack of time for security-related activities and insufficient support from senior management. The growing number of security incidents, like the recent Free Application for Federal Student Aid (FAFSA) tool breach, as well as the huge financial impact of data loss, are critical factors that might force educational organizations to become more proactive in their cybersecurity efforts and allocate more resources to data security.
Educational institutions report the same obstacles to cybersecurity as any other industry: The vast majority of respondents are held back by lack of funding, both for security software and for people to support it. Other reasons why educational organizations are lagging behind include lack of time for security-related activities and insufficient support from senior management. The growing number of security incidents, like the recent Free Application for Federal Student Aid (FAFSA) tool breach, as well as the huge financial impact of data loss, are critical factors that might force educational organizations to become more proactive in their cybersecurity efforts and allocate more resources to data security.
Since educational institutions view insiders as the top cybersecurity threats, it’s no wonder that they perceive visibility into user behavior as a key to securing their IT environments. They realize that software that provides visibility and control across critical systems and data (including virtual infrastructures) will help them detect human errors and insider misuse (98%), investigate security incidents faster (98%), and minimize the risk of the disruption of services (95%).
Overall, the approach to IT risk management of educational entities is very immature. Lack of funding and personnel make both security and compliance extremely challenging. But these organizations also need to overcome the security mindset that remains focused on perimeter defense and adopt a data-centric approach instead. The realization that insiders are the most pressing threat is already helping to move organizations in this direction, which will definitely increase market demand for solutions that provide user behavior analytics and risk assessment.
View the full infographics (click on the image to open a high resolution version in a new tab)
Interested in learning more about other findings from this survey? Please read the full Netwrix 2017 IT Risks Report.
.png)