Privacy and Cybersecurity in Education: A Constant Battle

Posted on by Ayse Kaya Firat

Millions of institutions across all industries have embraced cloud computing, seeing improvements in productivity, customer service, and cost savings. Yet cloud is impacting one industry at a larger scale than others: Education. Cloud is opening a new world of possibilities to students from across the globe, granting them access to a rich array of training resources, eliminating expensive and outdated textbooks, hardware and software, and allowing them to collaborate efficiently.

Despite significant security and privacy concerns, it is estimated that the global cloud computing in education market will grow from USD 8.13 billion in 2016 to USD 25.36 billion by 2021. According to Google, more than 50 million students and teachers currently use Google Apps for Education and more and more schools are using on-demand computing resources for storage, networking and analytics services such as Microsoft Azure. 


Students Make Online Privacy Decisions Every Minute:

Growing up with an influx of technological solutions embedded into almost everything we interact with, including smart phones, cars and homes, today’s students adopt cloud technologies fast. They spend 7 hours and 38 minutes per day online according to Homeland Security, constantly making decisions pertaining to their privacy in app installs, social media engagement, and information sharing on various collaboration platforms. And occasionally, they make mistakes: despite country-wide efforts to increase cybersecurity awareness, hundreds of thousands of young identities are stolen every year.


The Big Picture: A CyberAttack Every Hour

A recent VMware survey suggests over a third of UK universities (36%) are hit by a successful cyber attack every hour, and 87% of the respondents say they experienced at least one successful cyberattack. As Huffington Post puts it, we have all heard of the notorious Sony hack in 2014, but within the same year there were five colleges with bigger data breaches.

Hackers target the valuable intellectual property and research data that universities generate, worth millions of dollars, as well as large collections of personal data that belong to students, their families and staff, causing significant reputational and monetary damage. 74% of the VMware survey respondents said, for example, that they had had to halt a research project because of infiltration.


The most expensive data breaches are in Education & Healthcare 

According to the Ponemon Institute, education and healthcare industries have the most expensive breaches per record: The average data breach cost across all industries was $158 per lost or stolen record. In healthcare, this number was $355, and in education $246, mostly due to higher fines for compliance requirements and the sensitivity of the data. 


31% of Apps Used at Educational Institutions Deemed Risky 

CloudLock’s cybersecurity research center, CyberLab, is closely monitoring user behavior in the cloud. Our research reveals that Education is at the top tier of cybersecurity and privacy vulnerability. Last quarter’s cybersecurity report focused on ‘the Explosion of Apps’, highlighting the incredible growth of connected 3rd party apps, and Education led the crowd by a significant margin. More importantly, a significant portion of the apps we found belonged to a high risk category:


Another report, highlighting a very popular gaming app, Pokemon Go, uncovers significant security risks, showcasing how employees, staff and students across many organizations are granting the game programmatic access to organizational cloud platforms.

Sampling over 250 universities and K-12 institutions, the average institution had 153 users granting access to Pokemon Go, and among these institutions CyberLab found some with 1352, 2238, and even 4468 users.

Why is Pokémon Go such a bad idea?

What sort of risk does a K-12 school face with 4000+ Pokémon Go installs into its SaaS platform?

When launched, Pokémon Go was authorized to act on behalf of the user through an OAuth connection, allowing the app, and by extension the vendor, Nintendo, to:

  • View and modify documents, photos, emails, search history, location, contacts, and calendar
  • Send emails, analyze navigation history, and exfiltrate a user’s data
  • Collect personal data alongside geotagging functionality and camera access

In this case, each instance of this app on a SaaS platform is a potential gateway for cybercrime.

The Bottom Line: What Should You Do? 

In an era of adaptive adversaries targeting their networks, the education industry needs to build an intelligent security ecosystem, investing in best-in-class expertise and technologies and protecting both data assets and user privacy. Universities and K-12 institutions must take a holistic approach to security, giving cybersecurity issues board- and executive-level importance.

Though cloud application providers are putting great emphasis on securing access at the infrastructure layer, schools are responsible for their users’ behavior. IT admins need to continuously monitor cloud environments to surface any suspicious occurrences indicating a possible breach and take action in near real time. In the case of connected 3rd party cloud applications, for example, they need to evaluate the types of apps users are enabling, create an Application Policy outlining which apps should be allowed, reviewed or automatically revoked, and train and notify end users to increase security awareness.
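To make the "allowed, reviewed or automatically revoked" policy concrete, here is an added example (not CloudLock's or CyberLab's code, and not any cloud vendor's API) that scores the OAuth scopes an app was granted, the kind of permissions listed for Pokémon Go above, and applies an application policy across a set of user grants. The scope names, risk weights, thresholds and grant records are all constructed for illustration; a real deployment would map the platform's own scope identifiers into the weight table and feed it the platform's OAuth audit export.

```python
"""Evaluate third-party OAuth app grants against an application policy.

Added example for this post; the grant records, scope names and risk weights
below are constructed for illustration and are not CloudLock/CyberLab data or
any cloud vendor's real scope names or API.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed risk weight per requested permission. Real platforms use
# vendor-specific scope identifiers; map those into a table like this one.
SCOPE_RISK = {
    "profile.read": 1,
    "calendar.read": 2,
    "contacts.read": 3,
    "drive.read": 4,
    "location.read": 4,
    "drive.readwrite": 6,
    "mail.read": 6,
    "mail.send": 8,
    "mail.readwrite": 8,
}
# An unrecognised scope is scored as the highest known weight (fail closed).
UNKNOWN_SCOPE_RISK = max(SCOPE_RISK.values())


@dataclass(frozen=True)
class Grant:
    app: str          # display name of the connected app
    user: str         # account that authorised it
    scopes: tuple     # permissions the user consented to


@dataclass(frozen=True)
class AppPolicy:
    allowed: frozenset = frozenset()   # vetted apps: kept whatever they request
    banned: frozenset = frozenset()    # apps to revoke on sight
    review_threshold: int = 5          # risk at/above this needs human review
    revoke_threshold: int = 15         # risk at/above this is revoked automatically


def scope_risk(scopes):
    """Additive risk score of a permission set."""
    return sum(SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) for s in scopes)


def decide(app, scopes, policy):
    """Policy decision for one app given the broadest scope set seen for it."""
    if app in policy.banned:
        return "revoke"
    if app in policy.allowed:
        return "allow"
    risk = scope_risk(scopes)
    if risk >= policy.revoke_threshold:
        return "revoke"
    if risk >= policy.review_threshold:
        return "review"
    return "allow"


def evaluate(grants, policy):
    """Group grants by app and return {app: {"decision", "users", "risk"}}.

    Different users may have consented to different scope sets for the same
    app; the decision is based on the riskiest set seen, and "users" counts
    how many accounts a revocation would affect.
    """
    users = defaultdict(set)
    riskiest = {}
    for g in grants:
        users[g.app].add(g.user)
        if g.app not in riskiest or scope_risk(g.scopes) > scope_risk(riskiest[g.app]):
            riskiest[g.app] = g.scopes
    return {
        app: {
            "decision": decide(app, riskiest[app], policy),
            "users": len(users[app]),
            "risk": scope_risk(riskiest[app]),
        }
        for app in users
    }


# Constructed sample grants, standing in for a SaaS platform's OAuth audit export.
SAMPLE_GRANTS = [
    Grant("Pokemon Go", "alice", ("profile.read", "location.read", "contacts.read",
                                  "mail.readwrite", "drive.readwrite")),
    Grant("Pokemon Go", "bob", ("profile.read", "location.read")),
    Grant("Pokemon Go", "carol", ("profile.read", "location.read", "contacts.read",
                                  "mail.readwrite", "drive.readwrite")),
    Grant("Campus LMS", "alice", ("profile.read", "calendar.read", "drive.readwrite")),
    Grant("Grammar Helper", "bob", ("profile.read", "drive.read")),
    Grant("Grammar Helper", "dan", ("profile.read", "drive.read", "clipboard.read")),
    Grant("Study Timer", "carol", ("profile.read",)),
]

# "Campus LMS" is the one app the institution has vetted in this sample policy.
SAMPLE_POLICY = AppPolicy(allowed=frozenset({"Campus LMS"}))

if __name__ == "__main__":
    for app, r in sorted(evaluate(SAMPLE_GRANTS, SAMPLE_POLICY).items()):
        print(f"{r['decision']:7} {app:15} users={r['users']:<3} risk={r['risk']}")
```

Two design choices matter here. Unknown scopes score as the highest known weight, so a newly introduced permission cannot slip through as zero risk; and the decision for an app is taken on the riskiest scope set any user consented to, because a single over-privileged grant is enough to expose the tenant. The "users" count is what an admin needs before an automatic revocation, since it tells them how many people to notify.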

The stakes are too high for the education industry when it comes to cybersecurity and user privacy; falling behind on IT security is not a viable option.

Ayse Kaya Firat

Head of Analytics and Customer Insights, Cisco



Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
