Embedding Security into the Education Sector

By Jaspreet Singh, Partner - Information Security, EY

The education sector is increasingly embracing technology and exploring the use of laptops, internet-connected devices and other information systems to meet the needs and expectations of students and staff across colleges and schools. While the enhanced use of digital technology contributes to the overall efficiency of the educational system, it also poses substantial challenges for institutes – specifically, in guarding their networks against infiltration, attacks or compromises. As a result of this shifting landscape, recognition of the relationship between educational growth and security has now entered the common lexicon of academics and practitioners working in the field of education.

Key security risks in the education sector:

Some key risks for educational sectors to consider and address:

Multiple gateways - An unsecured network with multiple entry points (devices) and a huge spectrum of users offers an open gateway for hackers. This risk further increases with the implementation of ‘bring your own device’ (BYOD) policies at colleges and universities.

Personal Data - Schools and colleges hold a gamut of personal data such as medical records, financial data, intellectual property and sensitive research, all under one facility, which makes them attractive to hackers. Ensuring adequate governance and security of this data becomes a challenge for universities.

Social Media - College students are the major users of social media. This enables the hosting and spreading of malware, and other viruses, through social media sites. Thus, the absence of social media policies can leave a university vulnerable in terms of the inadvertent sharing of data that may not be meant for the public domain.

Spear Phishing – By accessing deceitful links and attachments, students may download malware onto an individual computer that can give the hacker access to the entire college network. Hackers can then download malware to steal information or use a college or university’s computer system to launch an even larger attack.

User education - With the busy daily schedules of students, faculty and staff, cybersecurity awareness and education take a back seat to teaching and learning.

Cloud security: Although the cloud offers flexible options, it also involves security concerns; hence, a lot of due diligence has to take place before implementation.

Next-generation security technology planning: It becomes increasingly difficult for universities to keep up with the latest tools and technology due to limited resources and budget.

Smarter students - Hackers are not only external intruders who wish to steal information or compromise systems; the threat also includes internal infiltration in the form of academic fraud. Open networks provide easy gateways for students to access devices and other sensitive information.

Why educational institutes should worry about cyber security

One-stop ‘treasure-trove’ of data - Education institutions hold vast collections of sensitive data – data of significant value to hackers, such as personal information, corporate strategies, sensitive personal information, intellectual property and internal research.

Loss of reputation - A data breach can raise questions and concerns as to the adequacy of an institution’s data security protocols and can lead to loss of business.

Ethical responsibility - An institute must not reveal sensitive personal information unless it has received informed consent from the client/students.

Cyber risk management - Addressing security in educational institutions

With more and more sensitive information being transmitted and stored electronically, and with strengthening ethical and legal requirements to protect the disclosure of that information, educational institutes today need to have defined cybersecurity protections in place.

• Institutes need to assess their environment, including access control systems, defence systems and cloud-based systems, on a regular basis and deploy adequate controls to manage risks accordingly. The controls should have the capability of quickly blocking or quarantining compromised hosts.

• They need to document policies and procedures protecting institutional information, credentials and IT resources, encompassing incident management and business continuity.

• IT security should be managed on an organisational level with input from all levels of stakeholders, with critical control by the board and senior management.

• The management must classify the critical assets and data that are at risk to ensure that there are no gaps in the organisation’s security strategy. Universities should also ensure that all legal and regulatory obligations are identified and considered in planning the security strategy.

• Institutions should ensure that all staff and students are well aware of and trained in the leading practices in cyber security.

• Institutes should protect the parts of their network where sensitive functions are performed or sensitive data is stored using network security tools like firewalls and access control lists (ACLs). The use of robust and reliable access and identity management techniques is also recommended.

• Institutions should document, assess, and maintain up-to-date backup procedures to mitigate risks posed by ransomware and other threats.

In conclusion, as the frequency and ferocity of cyber incidents are increasing, there is an increasing need to protect educational institutes against data manipulation, fraud and compromises in confidentiality. While there are no easy answers, educational institutions should consider and follow basic guidelines as a starting point to manage their exposure and respond to rapid change.
