Cyber Criminals Are Turning to a New Source of Valuable, Loosely Protected Data, and You Won't Believe What Industry It's In


Posted on by Tony Kontzer

It's time for today's cybersecurity awareness test: What industry has accounted for 2 percent of all data breaches during 2017, more than healthcare, social media or retail?

Finance would be a good guess, but it would be skewed by the scale of the Equifax breach. Government would make sense, too, given that the IRS was breached earlier this year and the SEC in September revealed a substantial breach that occurred last year.

But as surprising as it is, the answer is education.

Ryan Cloutier, an edtech security specialist, offered this surprising reality check about education breaches during an education-related cybersecurity webinar several weeks ago, as reported by education industry news site edscoop.

The harsh truth facing educational institutions is that many of them simply lack the expertise, resources and maturity to formulate an effective security strategy. That has led cyber criminals to identify the education sector as easy pickings, which is why the U.S. Department of Education recently put out an alert warning of an uptick in the frequency with which hackers are extorting money from schools by threatening to expose sensitive student data.

During the webinar, Cloutier also suggested that the security struggles in the education sector are fueled by immature practices. To wit, schools are often unaware of breaches or simply choose not to report them.

"That's a bad trend that we see in the education industry," he said. "A bit of covering up of the breach or, worse yet, not knowing it's happened at all."

As bad as all of this is, it's nothing compared to the mind-blowing statistic that Diane Doersch, chief technology and information officer for Wisconsin's Green Bay Area School District, shared with the webinar audience: that children are 51 times as likely as adults to be targeted by identity thieves.

Think about the implications of that for a second. For all the time and money and energy IT security teams in numerous industries have been devoting to stopping hackers from exposing HR data, the entities charged with protecting our most valuable and vulnerable resource — our children — are ill equipped to do just that.

“No credit history and virtually unused Social Security numbers are what make children the focus of identity thieves,” said Doersch. “Many times young adults don’t realize they’ve had their identity stolen until they’re applying for a first loan and they’re rejected for poor credit and debt that they did not accumulate.”

So what's a school to do? There are plenty of steps they can take that have little to do with technology or expertise, but rather draw upon common sense and attentiveness. For instance, Cloutier suggests starting by developing robust policies that dictate data privacy as well as acceptable date use for staff, students and the community, and then implementing procedures that back up those policies.

Organizations also should identify and rank their risks so that their better prepared, Cloutier said.

"Having an idea of what your risks are and ranking them by priority is going to allow you to effectively manage any data breach that you have," he said.

Lastly, said Cloutier, education entities should strive for continuous improvement, with the idea being that any step in the right direction is better than none.

Meanwhile, Amy McLaughlin, information services director at Oregon State University, provided the webinar attendees with some concrete measures they can take, such as no longer putting email addresses on web pages where they can be harvested or screen scraped.

Most important, McLaughlin suggested, is that education entities take a multi-pronged approach to cybersecurity, and not rely on some magical technology elixir to solve the problem.

"There are no perfect technical solutions," she said.

What makes this problem even worse for schools is the financial cost associated with breaches. Already unable to devote sufficient budget to preventing breaches in the first place, education entities are equally challenged by the $245 that McLaughlin said it costs to remediate each individual record that's lost. It's a bill that can stretch way beyond their abilities very quickly.

The bottom line for schools is that they clearly can't afford to sit by and let breaches happen. Nor can they afford to hire experienced security teams or buy the latest security tools.

That leads to the same truth many industries are discovering as they try to get ahead of cyber threats: communication is key, and getting the students whose data is most at risk to understand that they're an important line of defense just might be the most logical solution.

Contributors
Tony Kontzer

, RSAC

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs