From April to June 2019, 245 data breaches were reported to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme. Yet again, education was among the top five sectors by notifications in the quarter. With the sector continuing to make this list, it’s clear that educational institutions need to be doing more to prevent data breaches.
Educational institutions hold mountains of personal and often sensitive data, including photos of students, bank details, family information, contact details and health information in the form of medical records or through counselling services. It’s imperative that this information is kept confidential. To do this, educational institutions need to be equipped with the right knowledge, tech and support to reduce the frequency of data breaches and minimise harm for those involved.
Cybersecurity needs to be a priority
Research from Sophos shows that only a third of Australian organisations across all sectors have a dedicated cybersecurity budget. In most cases, the cybersecurity budget is included as part of other broader IT or departmental spend. Too often, under-skilled and overworked IT staff shoulder the responsibility for securing a network. Unfortunately, this leads to slip-ups and oversights that can be damaging to the organisation.
Alarmingly, the research also found IT professionals’ top frustrations are executives assuming cybersecurity is easy and cybersecurity being frequently relegated in priority, as signalled by inadequate allocation of budget.
It’s important that educational institutions learn to prioritise cybersecurity – and this means allocating resources according to the threats. Not every school needs a cybersecurity team in-house; they may choose to outsource the task to a trusted third party, such as a managed services provider. What’s important is that educational institutions can no longer afford to bundle budgets with other responsibilities and de-prioritise cybersecurity. By doing so, these institutions are weakening their cybersecurity posture and increasing their risk of becoming an OAIC statistic.
Education required to strengthen cybersecurity posture
In the most recent OAIC report, the education sector experienced 23 data breaches. Of these, more than 90 per cent were attributed to human error and malicious or criminal attacks. These statistics include attacks like phishing and ransomware, but also errors as simple as mistakenly copying multiple recipients on an email in the To or CC field instead of using BCC.
Most of these threats can be attributed to a lack of cybersecurity awareness among staff and students. A lack of awareness represents the most basic vulnerability in an institution’s cybersecurity posture. Think of staff and students as the guards in front of the gates to the network. They are the first line of defence and leaving them uneducated is on par with keeping the front door unlocked in a dangerous neighbourhood.
Proactive cybersecurity education and awareness are essential to a mature security program. Educational institutions need to understand the importance of education and prioritise it, before it’s too late.
Taking the time to educate employees and students to be cyber-aware is a proactive way to minimise the threat of cyberattacks. It could prove to be the best investment an institution makes.
Leadership should set the standard
As with any organisation, leadership sets the standard for attitudes, culture and values; this is no different in the education sector. Setting cybersecurity as a priority from the top down is essential to create a cybersecurity aware culture that values data protection and risk mitigation.
Our research highlighted that cybersecurity is not just a technology issue; corporate culture also has a significant role to play. Education leaders must address their IT professionals’ frustration that cybersecurity is not valued and is therefore under-resourced. This starts with shifting attitudes toward the value of cybersecurity.
Headline-making breaches, such as those impacting Strathmore Secondary College and Nagle Catholic College, demonstrate how damaging cyber threats are to an organisation. Data breach incidents not only tarnish an organisation’s reputation; they can also bring operations to a standstill and result in financial losses.
Leaders must grasp that cybersecurity is not just an IT issue; it’s a business challenge that holds the key to overall success.
Solving the problem
Cybercriminals are smart and their attacks are well planned and executed with no regard for company size or industry. In recent years, sectors including healthcare, government, critical infrastructure, small businesses and education have been targeted more aggressively by cybercriminals. This is because they’re often more vulnerable to attacks given their weaker security posture, and therefore they’re seen as easier targets.
For too long, the education sector has repeatedly been the victim of highly targeted cyber-attacks. It’s time for educational institutions to wake up to the issue in front of them. In addition to prioritising cybersecurity education and technology, institutions need to be applying best practice techniques to strengthen their overall security posture.
The following is a best practice template for all organisations, regardless of sector or size, to adopt.
- Get a holistic cybersecurity health check and review KPIs to make sure they include non-technical metrics.
- Review partners and supply chain risks. It is increasingly evident that the partners you work with are a potential attack target.
- Consider regular hackathons or workshops for security-related issues. Set education and skills as key objectives and goals for these activities.
- Encourage and enable staff and students to undertake security-related training. There are many excellent online courses and resources available. Positive gamification can also help boost engagement and awareness.
- Cultivate and embrace a security-minded culture and make it part of your DNA and value proposition. This will require a long-term commitment from leadership down to students.
- Benchmark against other schools and share best practices. Consider whether you can formalise an exchange of information and insights between schools to uncover different ways to improve in non-technical areas.
- Get ahead of privacy and compliance obligations and ensure all of your people are familiar with their requirements. Brace for continued regulatory changes and pressures.
- Ensure you have pre- and post-breach plans that answer the key questions in advance: what are the reporting lines, who has authority to speak publicly if required, who leads the incident response team, what is the internal communication plan and what is the external one, and what do your service provider agreements commit each party to during an incident?
By cultivating a strong security culture and equipping staff and students with the right knowledge, adequate technology and financial support, educational institutions will provide a safe learning environment and reduce the risk of a cyber-attack.
Aaron Bugal is global solutions engineer at Sophos.