Over the last year, there has been an industry spotlight on data breaches, many of which have become front-page news. Kaspersky and Experian are just two that had significant media attention.
These stories have highlighted that any industry can be a target of a big data breach. We’ve seen huge attacks in retail, financial services and even gaming, but it looks like the education industry is the latest sector to be affected. This was most recently highlighted by a data breach at the University of Greenwich in February 2016.
According to the BBC, personal details of hundreds of London-based research students were posted online, including names, addresses, dates of birth and mobile phone numbers. In some cases, copies of emails between university staff and individual students were also published. In April, a database of 6,500 staff members from Liverpool University was published on a darknet forum, reportedly to be used for targeted phishing attacks.
When looking at who and what is behind a data breach, there are two key aspects to consider.
Malicious threats
Firstly, the frequency of breaches and reports of data loss is growing. According to recent research from VMware, one in three UK universities suffers a cyber-attack every hour, with 83% admitting that cyber-attacks are increasing in frequency and sophistication. In addition, in its annual report Fujitsu predicted that the education sector will continue to be a target for data theft in 2016. It is clear that no educational institution can afford to ignore the cyber threat any longer.
Due to the vast amount of sensitive data that universities hold and the volume of people joining the network at one time from different locations, the risk of having data stolen has never been higher.
While there is no silver bullet when it comes to cyber security, there are controls educational institutions can implement to prepare for, and defend against, these types of attacks. These include using strong role-based access controls to regulate what can be seen, by whom and from where, and building different levels of access for sensitive data. This way, universities and schools can also monitor who is trying to access data that isn’t relevant to them, which can highlight potentially malicious intentions, particularly if those logs are recorded in a central SIEM platform.
As well as this, the Government’s ‘Ten steps to cyber security’ can help ensure that various attack vectors are considered, optimal security controls are implemented and risks are understood and managed.
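The role-based access and monitoring controls described above can be sketched as follows. This is an added example, not code from the original article: the role names, sensitivity levels, campus-only rule and alert threshold are assumptions, and the access events are constructed sample data.

```python
import json
from collections import Counter

# Assumed mapping: role -> highest data sensitivity level that role may read.
ROLE_CLEARANCE = {"student": 1, "lecturer": 2, "registry": 3}
# Assumed mapping: resource -> sensitivity (1 = course material, 3 = personal records).
RESOURCE_LEVEL = {"course_notes": 1, "exam_marks": 2, "student_records": 3}
ONSITE_ONLY_LEVEL = 3        # assumed: level-3 data is readable from campus only
DENIED_ALERT_THRESHOLD = 3   # assumed: denials per user before an alert is raised

def authorize(event):
    """Decide one access attempt (default deny) and return a log record."""
    clearance = ROLE_CLEARANCE.get(event["role"], 0)   # unknown role: no access
    level = RESOURCE_LEVEL.get(event["resource"])      # unknown resource: deny
    allowed = (
        level is not None
        and clearance >= level
        and (level < ONSITE_ONLY_LEVEL or event["src"] == "campus")
    )
    return {**event, "decision": "allow" if allowed else "deny"}

def review(events, threshold=DENIED_ALERT_THRESHOLD):
    """Return every decision record plus the users with repeated denials."""
    records = [authorize(e) for e in events]
    denied = Counter(r["user"] for r in records if r["decision"] == "deny")
    alerts = sorted(user for user, n in denied.items() if n >= threshold)
    return records, alerts

def _ev(user, role, resource, src):
    return {"user": user, "role": role, "resource": resource, "src": src}

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    _ev("s1001", "student", "course_notes", "campus"),
    _ev("s1001", "student", "exam_marks", "remote"),
    _ev("s1001", "student", "student_records", "remote"),
    _ev("s1001", "student", "student_records", "remote"),
    _ev("l2002", "lecturer", "exam_marks", "remote"),
    _ev("l2002", "lecturer", "student_records", "campus"),
    _ev("r3003", "registry", "student_records", "campus"),
    _ev("r3003", "registry", "student_records", "remote"),
]

if __name__ == "__main__":
    records, alerts = review(SAMPLE_EVENTS)
    for record in records:
        print(json.dumps(record))   # one JSON line per attempt, ready to ship to a SIEM
    print("repeated denied access:", alerts)
```

Every attempt is logged, allowed or not, so a single denial stays as context while a pattern of denials from one account is what raises the alert.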
Human error
However, we cannot forget about human error, which usually involves someone who genuinely doesn’t understand the risks associated with their actions. Human mistakes can be just as devastating as an external attack, if not more so. What’s most interesting about the University of Greenwich data breach is that it was caused by an internal error at the university.
To combat this, organizations in the education sector also need to educate staff and students. 3 in 5 employees use their own devices to access work files, and a Skyhigh Networks report found that 90% or more of the cloud services in use by the average company are introduced by employees without the knowledge of the IT department, with just 7% satisfying the security requirements of enterprises. It is this type of ‘shadow-IT’ activity which poses significant risk to an organization’s data. This highlights the crucial need for both employee and student training, regular security awareness education and creating awareness of technology and how to use it.
Next steps
In today’s threat landscape, organizations can no longer afford to be complacent when it comes to security. Educational institutions should do everything they can to keep data safe and look to maintain the trust of their students and staff by demonstrating that their security is robust. This can be done not only by implementing appropriate security controls to fend off cyber-criminals, but also by educating students and staff to ensure data breaches don’t occur because of simple mistakes.