The education sector is a prime target for cybercriminals: in the first half of 2017, 13% of all data breaches came from educational institutions, more than 32 million records in total. Large student bodies provide huge volumes of personally identifiable information (PII) and financial information, and some institutions also hold highly valuable research data.
Despite this, funding frequently restricts these institutions to doing just enough to stay on top of their security, leading organizations to continue with the status quo rather than invest in new protection. This leaves many institutions significantly under-protected.
An RSM report highlights the fact that educational institutions are particularly vulnerable to the following attacks:
- Phishing – Readily available user information, including contact details, office hours, and scheduled vacations, makes it relatively easy for attackers to put together phishing attacks. This can lead to the leak of further information, including system credentials, which allows the attacker to cause more damage.
- Ransomware – One of the consequences of a successful phishing scam is that the victim will download malware, including ransomware, onto the network. Without effective monitoring, ransomware can quickly spread across large networks, locking out users and erasing data.
- Malicious User Attack – Both employees and students on the network may attempt to access systems for their own personal gain. This may cause damage to systems, leaks of personal information, or the compromising of grades.
The Importance of Data Protection For Educational Institutions
Educational organizations are vulnerable at a time when the consequences of a cyber attack have never been higher. Possible results of a successful attack include:
- Financial Loss – Including extensive regulatory fines and the cost of replacing damaged equipment.
- Potential Litigation – The large volume of personal and financial information held by schools and colleges leaves them vulnerable to litigation.
- Reputational Damage – Damage to the institution’s reputation may result in reduced student uptake and the loss of key and future research agreements with businesses.
Educational Institutions Have Two Clear Options
Educational institutions have little choice but to invest in their cybersecurity; their only choice is in how they invest their limited funding to achieve the biggest possible impact.
There are two obvious options: the traditional route of maintaining an in-house IT department, or the alternative of outsourcing cybersecurity to a managed IT company.
Option 1: Maintain an In-house IT Department Dedicated To Protecting The Institution’s Data
Traditionally, most educational institutions have used an in-house IT department to manage their data and systems. As cybercrime has increased, this department has naturally taken on the increasing role of protecting the data they manage.
This department requires a broad knowledge of IT security, with examples of tools and processes they would use including:
- Access Control – Firewalls and control lists are essential to ensuring that only valid personnel have access to the institution’s data. User security controls ensure that appropriate access is granted for everyday use and no more.
- Network Monitoring – Monitoring the network for potential attacks, including vulnerability scanning, enables teams to respond to threats before extensive damage is done.
- Compliance – Responsibility for ensuring the institution is compliant with data protection regulations frequently falls under the remit of the IT department.
- Policies and Procedures – IT departments must develop detailed policies and procedures that ensure the correct storage of personal and financial data according to local, state and Federal regulations. The IT team must also develop planned responses to cyber attacks, including the communication with relevant authorities and the notification of the attack to individuals whose data may have been compromised.
- Training – Additionally, in-house teams must provide clear guidelines for staff, visitors, and students in their usage of the IT system, including group and one-to-one training where necessary.
While an in-house team has the advantage of keeping everything within the institution, the time-intensive nature of many of these activities (not helped by a restrictive budget) means that key activities such as network monitoring have fewer resources allocated to them than is preferable.
Option 2: Hire a Managed IT Company Who Specializes in IT Support For Educational Institutions
The second option is to hire a managed IT company, preferably one that specializes in supporting educational institutions. This company will then provide an agreed level of service for a fixed price.
This has significant benefits for the institution:
- Economies of Scale – An IT company managing multiple accounts can hire a larger team of experts and provide expertise that the institution would not be able to afford if hiring full-time staff. This breadth of knowledge is essential to protecting against the wide range of modern cybersecurity threats.
- Unlimited Support – Support is not limited to 9-to-5 office hours. An outsourced team can provide full 24-hour-a-day coverage of the institution’s IT network.
- Proactive Defense – Larger resources enable a managed IT company to provide significantly improved network monitoring. Constant monitoring means they are far more likely to catch abnormal network activity as it happens and have the resources and expertise to respond quickly to achieve the best result possible.
Achieving this does require the institution to find an IT company they can trust, since they will be handing over access and control of confidential data. However, by outsourcing IT security, institutions can redirect the focus of their internal IT staff towards the everyday concerns of supporting staff and students, relying on the managed team for security and support.
If you are concerned about cyber security for your school, feel free to reach out to us. We’ll discuss how we can help you protect the private data of your students and staff with a robust cyber security plan from ITS Group.