Education’s openness a unique security challenge, Verizon says in data breach report
The education sector is afflicted by many different kinds of threats, from software errors, social engineering attacks and inadequately secured email credentials, according to annual cross-industry analysis of cybersecurity incidents released by Verizon this week. But the telecommunications giant’s 2019 Data Breach Investigation Report found that while the education sector faces myriad vulnerabilities, not unlike other industries, it must do it in a setting that is very open, a Verizon analyst told EdScoop.
“Education has a very wide array of different kinds of threats they have to deal with,” said Gabe Bassett, an information security data scientist for Verizon. There’s nothing in Verizon’s most recent research, however, to indicate the education industry is any more or less secure than other industries, Bassett said.
Human error accounted for 35 percent of data breaches over the last year in the education sector, according to the report. Email leaks are a common attack vector, and roughly one-quarter of breaches in the education sector were the result of web application attacks, often via phishing links to phony login pages. Stolen credentials comprised 53 percent of data compromised, and such credentials were used in more than 80 percent of hacking breaches, the report found.
Bassett also said that the many different kinds of data educational institutions collect — personal data, financial information, intellectual property among them — can attract more interest from bad actors.
But Bassett said it’s the unique openness of education’s cyber environments that present its largest challenge. Where a business can put in more strict guidelines for cybersecurity, he said, “education has to balance their [security] need with flexibility.”
“It’s a double whammy to have such a broad range of threats as well as less flexibility on how to combat those threats,” he said.
However, working together and collaborating on cybersecurity solutions, Bassett said, can help the education industry better withstand incidents and secure its data.
“There is so much we can learn from working with each other and working with other people both within our industry and with other industries,” he said. “We are always better together than we are alone.”
