Educational institutions have been a target for hackers for a variety of reasons in recent years. For one, most public school systems are underfunded and allocate an extremely small percentage of their budgets towards cybersecurity. But what about private schools?
You would think that since there is exponentially more budget flowing through the veins of private schools that it would lead to increased budgets for cybersecurity. Unfortunately, that’s not always the case. With this scenario in mind, let’s review some of the reasons why private schools are more vulnerable to cybersecurity threats and what they can do to address and remediate future cyber-attacks.
Private Schools and Cybersecurity
While it’s unclear how much is spent overall on private schools, the average private school tuition for lower school students is roughly $9,638 per year and $14,522 per year for high schoolers. Above and beyond this, another study found that the United States spent around $668 billion on public education in 2015.
Many educational administrators feel that since cybersecurity isn’t a tangible item that directly impacts instruction, that it is not as worthy of having to take away from the budget set aside for the curriculum, facilities, or staff. Although many administrators and teachers alike agree that cybersecurity is vital to their long term roles, they would rather be reactive to threats if they do arise rather than proactive. This leads to an incredibly risky atmosphere that could be brought to a halt if a single hacker decided to breach their network security.
Private schools focus on setting students up with an elite education that allows them to enter the world ready to succeed. That often means that these students are familiarized with technology at a very young age. This aggressive use of technology in conjunction with a private school’s curriculum is an aggressive move that can leave them more vulnerable to cybersecurity attacks such as ransomware, phishing and more if not kept in check.
Why Are Private Schools So Vulnerable to Cyber Threats?
Of nearly half of reported breaches in 2018 that were caused by students and staff, 60 percent resulted in student data being compromised. While it may feel like there are overwhelming threats headed towards private schools, there are measures that you can take to help reduce the possibility of a breach and improve your school’s ability to quickly remediate any cybersecurity situation.
Even though K-12 public schools maintain a population of 50.8 million and a budget of $694 billion per year (nearly 10 times that of the 5.75 million PK-12th grade private school students in the U.S.), private schools still have the upper hand in connections to wealthy trustees. Unlike public schools in the U.S., private schools have a list of qualifications that each student must meet with personal information that renders private schools a higher risk than most any organization with consumer personal information; including healthcare facilities.
|Average Private School Tuition: 2011-12
Private schools have to store so much sensitive data because parents or legal guardians who are paying for their child’s school must submit their recent pay stubs to prove they can afford the tuition. They must also list important employer information as well as their checking account and routing numbers for recurring monthly tuition payments. If this information got out into the wrong hands, there is no telling how much financial devastation it could cause.
Another reason why private schools are huge hacker targets is that administrators require that parents or legal guardians submit two character references to ensure that on the off chance that they don’t pay that the school still gets their allotted tuition check. This means that a single private school hack could potentially take down three wealthy families’ entire finances for every student enrolled in the school in a single swoop.
Why Are Private Schools Ill-Equipped to Handle Cyber Threats?
A recent study of public and private schools across the U.S. found that only 27 percent believe that ransomware attacks are significant threats, while a mere 20 percent believe that unauthorized disclosure of student data could be a significant problem. What’s worse is that only 15 percent of these schools have a cybersecurity plan in place in the scenario where a cyber-attack was to occur. This is a signal that many schools (public and private alike) are ill-equipped to handle a cyber threat in any capacity.
With phishing scams and ransomware becoming more sophisticated and the number of cyber-attacks increasing to record levels year after year in the U.S., private schools need to be on high alert. Many government officials are seeing an increase in identity fraud now where children’s names and details are used to make official documents, thus revealing that private schools are prime targets.
But since private schools have never really been highly targeted before until fairly recently, staff members haven’t been trained. This leaves entire private schools lacking in the type of training and infrastructure to handle cyber-threats that can cause them quite severe reputational damage. This is why many officials are warning private school parents to keep an eye on their bank statements as a proactive measure until these schools can catch up.
Types of Private School Cyber-Attacks
Some of the most common cyber-attacks to hit private schools are phishing scams. These scams often involve hackers posing as members of the child’s private school, asking whoever is currently paying their tuition to send them sensitive employee information, such as W-2s or other personal materials. Phony emails sent from school executives may also play into the equation, with cybercriminals posing as the payroll department, asking the individual for a wire transfer be made to a certain account to keep it current.
Other cyber-attack examples play out as ransomware that holds stolen private school student sensitive data hostage until a ransom is paid. These ransoms could be threatening violence on the school, a type of public shaming event for a high-ranking official, or the loss of all stolen data to the black market unless the payment is received. For public schools, the FBI usually handles a portion of the cyber-attack mitigation, but since private schools are independent, they don’t often get the same fast response from the FBI.
Protecting Private Schools from Security Breaches
Of 17 sectors in the U.S. that were studied recently, the education industry had the worst cybersecurity vulnerability by far. The study found no differentiation between education-related private companies and school districts in terms of their vulnerability to cyber-attacks.
What is apparent from these findings is that victims of education-based cybercrime are unprepared in budgets, staffing, and technical solutions, making them a prime target for hackers. Due to the highly sensitive data stored within their systems, education IT infrastructure is consistently a top target for cybercriminals. K-12 school systems and higher education saw more than 48 million records exposed through data breaches in 2017 and 2018 alone.
As more students and teachers connect their personal devices to their school’s Wi-Fi network, new potential vulnerabilities will continue to pose problems for private schools. This means that, as more time passes with less cybersecurity action being taken, the prospect of protecting a private school from a data breaches will require many more proactive steps to accomplish.
Best Practices For Fending Off Education Cyber Threats
Private schools must take cybersecurity threats seriously and put effective safeguards in place if they plan to be operational in the foreseeable future. As technology becomes even more prevalent in every aspect of K–12 education, from the classroom to record-keeping, every campus needs to be one step ahead of the game when it comes to their cybersecurity plans and policies. Here are a few of the best practices that private schools should focus on to keep their network safe from cyber threats big and small.
Develop a Formal Program With Written Policies
Developing clear and concise written information security plans and incident response plans for your private school can help to take a proactive stance towards combating cyber threats. Try not to get too complex with what is included in the written policies though. Just make a general overview of the information security measures currently in place that include physical, administrative, and technical security controls.
The incident response plan, on the other hand, should break down what will happen after a cyber threat has been identified. By deploying cybersecurity solutions that feature dynamic, behavior-based detection criteria that shield students and faculty from ransomware, trojans, and other active malware families, private schools can increase their potential for beating cyber-attacks to the punch. Developing these written policies will help prepare private schools in the event of a breach.
Conducting Regular Risk Assessments
Once these written policies have been implemented, private schools should outline a schedule for conducting regular, thorough risk assessments to reassess cybersecurity risks. By periodically revisiting and reconsidering written policies via a risk assessment, private schools can better identify cyber threats and vulnerabilities that can be linked with specific policy elements.
Active monitoring and ongoing review of school security procedures are a vital element to ensure that private schools are adequately sheltered from cyber-attacks. When you are conducting these risk assessments, make sure that all security protocols and procedures are assessed including the role-based assignments for each user on your platform. This allows your private school to become familiar with what student and faculty information you collect and how that information is stored and used.
Even if these physical barriers to entry for cyber threats are in place, you still need to address the largest threat to your private school’s cybersecurity: your users (personnel, students, parents/guardians). This is because an overwhelming 35% of all education sector data breaches have been caused by human error. By training faculty on the merits of cybersecurity, private schools can offer useful protection against certain negligence arguments that could arise in litigation.
Some of the most likely risks, such as malware infections from email phishing attacks, can be lowered by training employees. Make sure to not only give faculty members with access to sensitive student and employee information the necessary training, but also the tools they need to recognize scams and spoofs.
How can private schools protect their students?
Getting involved in your child’s private school is the first major step in lowering their risk to be affected by a cyber-attack. Before you enroll your child, have a frank discussion with your private school’s administrators about their cybersecurity policy. Ask how strong their firewalls are, if their email security is up to snuff, and the amount of encryption they apply to their data storage systems.
Even before speaking to school administrators, make sure to have a chat with your child about the real risks of cybercrime and how they can be safe in this new digital world. One of the best things that you can do for your child is to teach them from a young age how to recognize phishing attacks. You can teach them this just as if it were another part of normal everyday safety such as looking both ways before crossing the street or stopping at a red light.
What Happens If a Private School Gets Breached?
Most private schools have parents or legal guardians sign a document that promises that their personal information would not be disclosed to third parties without their consent. In the case of a data breach, this document would be referenced by a legal counsel to make a case that the private school had a breach of its fiduciary duty. This would typically come with a hefty fine and a blow to the private school’s reputation.
The resulting educational disruption including the potential loss of saved work can also have detrimental effects on a student’s education, as well as reputational damage to the school, lost business income, and legal and regulatory fines. In effect, the possibility of negligence liability may create an obligation to take reasonable cybersecurity measures. But it doesn’t need to come to this.
Private schools can make the necessary proactive cybersecurity policy and plan changes easily, but only if they prioritize it. By referencing the information divulged in this article into consideration, private schools of all sizes can create a lower risk atmosphere for students and faculty to create positive learning experiences far into the future. If you are simply interested in learning more information on cybersecurity solutions, give our professionals at RSI Security a call today.