Research: Nearly 4 in 5 Education Institutions Lack IT Security Preparedness


Another day, another security breach. The most recent, high-profile breach involving Equifax exposed the sensitive personal data of 143 million Americans. From financial services to healthcare and education, no industry is immune. In fact, a report from Gemalto found that the number of breaches in the education sector doubled from the second half of 2016 to the first half of 2017. Only financial services and healthcare had more data breaches than education.

Despite the spike in cyberattacks and increased awareness of threats, more than three-quarters of IT specialists in education admitted that their institutions are unprepared for cybersecurity risks, according to a recent Netwrix survey. In addition, 79 percent said they don’t use software for information security or risk management, and 72 percent don’t have a dedicated employee to manage IT security.

The most protected areas of the IT infrastructure are endpoints (82 percent), on-premises systems (79 percent) and virtual infrastructure (73 percent). The most neglected areas include bring-your-own-device (49 percent), unstructured data in third-party storage environments (33 percent) and employee activity (17 percent). The failure to get a handle on the proliferation of mobile devices and secure data across distributed networks and external storage is putting many institutions at risk.

Not surprisingly, humans continue to be the weakest link in the IT security chain in education — 77 percent of respondents said employees are the biggest threat to security and system availability. In 2016, more security incidents were caused by human errors (49 percent) than malware (37 percent), and the main cause of system downtime was accidental or incorrect user activity (54 percent).

If there’s a silver lining to the findings of this study, it’s that education institutions seem to have at least a general understanding of their strengths and weaknesses. Once an institution has assessed its risks, it can begin to determine what type of data protection capabilities need to be implemented. Data needs to prioritized based on its sensitivity and the risk of exposure. The most resources should go to protecting high-priority data assets, using tools such as multifactor authentication and encryption. It’s important to take a proactive approach that emphasizes threat detection and prevention, but continuously test incident response plans to minimize the impact of a breach.

From a strategic standpoint, education institutions need to bake data protection into everything they do. That means integrating security not just into all areas of the IT environment, but day-to-day operations, risk management, governance and compliance as well.