With the 2016-2017 school year already underway, it’s time to draw attention to an ongoing and very serious problem facing the US education system: our schools are ill-equipped to face the mounting threats posed by hackers.
While the education system isn’t the worst US industry in terms of cybersecurity, it remains high on the list of vulnerable sectors. This is particularly troubling since the education system has access to tens of millions of records on children and young adults ― who are perfect targets for identity thieves.
According to Verizon’s 2016 Data Breach Investigations Report, the education sector ranked sixth overall in the US for the total number of reported “security incidents” last year. This was notably higher than two other industry sectors which have also been plagued with security problems: healthcare (153 percent higher) and retail (160 percent higher).
But student identity theft isn’t the only threat:
University systems frequently have their own medical centers and hospitals which also suffer from a high rate of data breaches.
Key academic services, such as the SAT and ACT, are susceptible to data leaks which can undermine the legitimacy of the college admissions process.
Colleges and universities are a virtual clearinghouse for innovative research in STEM fields ― all of which is easily targeted by foreign governments (particularly China) to aid their own businesses.
Political activist groups which originate from, or operate within, college campuses are also exposed to foreign intelligence service monitoring and hacks.
K-12 school systems across the country are being targeted with “ransomware,” which forces them to spend money they don’t have ― it also puts their operations at grave risk.
Cybersecurity is a constant challenge for all industries, but the education sector has more to lose than most. Reducing this threat won’t be easy, and it will require a greater commitment from school administrators, politicians and taxpayers.
Here are six things to keep in mind about America’s cybersecurity problem in education:
US schools are data rich:
Why do hackers like school systems? Because the education sector, particularly at the college and university level, is a virtual buffet of valuable data.
They contain a little bit of everything hackers want, and often in large quantities: personal information like Social Security numbers, birth dates and email addresses (2016 example: 63,000 current and former students and employees of the University of Central Florida exposed to identity theft); financial data (2016 example: hack of the University of California at Berkley exposed 80,000 to possible financial fraud); medical records and insurance; cutting-edge research in science, technology and engineering; and more.
This makes them a tempting target for a wide range of hacker groups: organized crime, state-backed hackers, criminal opportunists, hacktivists and others.
Health facilities are a top target:
One area of risk that’s often overlooked when we talk about attacks on the education system is that data breaches occur frequently at college and university affiliated hospitals and medical centers.
In 2014, 20 percent of all data breaches in the healthcare field involved teaching hospitals and other affiliated medical institutions, according to records collected by Privacy Rights Clearinghouse. Additionally, in 2015, university-affiliated medical systems accounted for over 52 percent of the total number of medical records exposed by data breaches.
Medical records are a hot commodity on the dark web. It’s estimated that the value of these records is worth up to 60 times more than stolen credit card numbers. For this reason, university healthcare system breaches won’t decline any time soon.
Ransomware is on the rise:
In recent years, a growing number of K-12 public school districts have been targeted by ransomware criminals.
Ransomware is a type of malware that encrypts all of the files it finds stored on a computer system; it can also block access to the actual computers themselves. This type of “crypto-malware” is difficult for the victim to remove without the hacker’s help, so in most cases the only way to get rid of it is to pay off the hacker. Hence the term “ransom-ware.”
While there’s no available data yet on the total number of US school districts affected by ransomware, news reports over the past two years have documented the rise in attacks. School districts in New York, New Jersey, Texas, Florida, South Carolina, Mississippi and many more have already been affected. In most of these cases, the schools had to pay a ransom to the hackers in order to remove the malware and resume normal operations.
Ransomware’s popularity is surging in the black market. According to McAfee, over four million ransomware variants have been detected online, a 270 percent increase since 2013. The reason for its growing popularity is because ransomware is relatively cheap and easy to use ― and it’s highly effective at forcing victims to pay. Ransomware is likely to be a significant long-term problem for educational facilities.
The worst school hacks of all time:
While there have been many sizable education industry hacks over the past two decades, the biggest one ever may just be the 2010 data breach at Ohio State University, which affected 760,000 records and cost the school over $4 million to investigate and remediate.
2014 was another banner year for school hacks, with four massive breaches at universities:
300,000 records at the University of Maryland
300,000 records at North Dakota University
200,000 records at Butler University
146,000 records at Indiana University
However, if we include university-affiliated medical systems, the largest hack of all time was the 2015 data breach at UCLA Health System, which exposed 4.5 million records.
Why are schools so vulnerable?
Schools face a number of basic problems when it comes to cybersecurity. First on the list is budget. This is particularly true for K-12 public school systems. Implementing a robust, modern cybersecurity program for a public school district is expensive (Wichita School Board estimated the cost would be $2 million; Rutgers University spent between $2-3 million in one year) ― both in terms of the initial set up cost, but also the long-term management, maintenance and regular updating that must be done to keep it safe.
With school budgets already stretched, finding the money to support cybersecurity improvements isn’t easy. It may require cutting spending in other areas of a school’s budget, raising taxes or special assessment fees or increasing the tuition rate ― none of which are popular choices.
School networks are also fairly large and, as mentioned earlier, they have a lot of different types of sensitive data. Overseeing all of the potential weak points in the network and data that can be targeted is no easy task, especially for a standard IT team which hasn’t undergone extensive training in cybersecurity.
Accessibility is also a key feature of school networks. The networks and data need to be accessible by students, parents, staff, outside government agencies, third-party vendors and more. This greatly complicates efforts to protect data from hackers. However, at the same time, this type of accessibility is important to the basic functioning of a school.
What is the answer?
School cybersecurity is a challenging issue, but it is possible to greatly reduce the threats they face.
Although this won’t be easy, schools have to invest in modern cybersecurity. A good benchmark is to spend no less than 2.5 percent of the annual budget on IT security improvements and modernization, although more is always better.
Most importantly, however, schools have to do a better job of protecting sensitive data. Every school system needs to determine what its most sensitive data is, map that data throughout the network(s), and prioritize its security. There are multiple steps needed to protect data, which include encryption, reduced access, back-ups/resiliency, etc. Schools also need to consider the possibility of eliminating sensitive data when possible. This will reduce the burden they face for protecting so much information on multiple platforms. For instance, instead of maintaining unique school system-based logins/passwords, outsource that step to third-party enterprises with greater security resources.
While schools will always be a top target for hackers, by prioritizing cybersecurity, investing in updates each year and focusing heavily on data-level protection, schools can reverse the current trend of large data breaches.