Schools and educational facilities can be hit by cyberattacks just as easily as can traditional businesses and large enterprises. Educational organizations may be even more vulnerable to attack due to more limited IT budgets and personnel as well as the tendency to share files without the proper security protections. A recent report from information security firm Netwrix, shows how educational facilities are vulnerable to data breaches and what they can do to better defend themselves.

Based on a survey of IT professionals, Netwrix’s 2020 “Data Risk & Security Report” looked at the security vulnerabilities and measures for a wide range of industries. But a special section and press release focused on the educational sector, specifically on how data sharing poses a risk.

Among the educational employees surveyed, 82% said they don’t track the sharing of data at all or they do it manually. Yet half of the respondents said they were hit by a data breach last year due to the unauthorized sharing of data. Some 28% of those surveyed said they found data stored outside of secure locations, sometimes exposed for days or even months.

Much of the problem lies with weak access controls over shared files. A quarter of the educational respondents said they give access rights to files based solely on user requests, while 22% said they don’t know how access rights are granted. A full 63% said they don’t review permissions for sensitive files on any type of regular basis.

Storing files in the cloud can help many organizations better manage their sensitive data. But even cloud-based access requires that IT and security staff maintain control over file sharing and permissions. More than half of the IT pros (54%) surveyed said that employees put data at risk by sharing it through cloud-based apps outside of the knowledge of IT. That percentage was the highest among all the industries analyzed in Netwrix’s report.

SEE: Security Awareness and Training policy (TechRepublic Premium)

Security can sometimes fall by the wayside in the midst of other priorities and day-to-day tasks. Only 4% of those surveyed said they’ve set up a data retention program to determine which data to erase or archive. Further, just 8% said they’ve designed cybersecurity and risk-based key performance indicators to track the success of their security efforts.

Budget limitations are always an obstacle, and cybersecurity is often placed on a lower rung along the budgetary ladder. Some 44% of the respondents said they don’t expect their security budgets to grow in 2020, while 31% said they didn’t know if there would be any changes. Among those who expect to see their budgets rise, 62% said they don’t foresee an increase any higher than 24%.

The security and data sharing issues were already present before the coronavirus outbreak. But, the shift toward remote working and virtual learning has led to greater difficulties.

“Distance learning creates many challenges for educational organizations and cybersecurity is often taking a back seat to operational resilience,” Netwrix CEO Steve Dickson said in a press release. “The Netwrix survey shows that security processes were not ideal before the pandemic, leaving these institutions even more vulnerable to the growing number of cyberthreats today. To ensure these institutions can secure their student and employee data, IT professionals need to get back to basics.

“First, they need to understand what sensitive data they have and classify it by its level of sensitivity and value to the organization,” Dickson noted. “Second, they need to ensure that the data is stored securely, prioritizing the most important data. And last, they need to adopt healthy security practices for granting permissions in order to avoid data overexposure.”

Ilia Sotnikov, vice president of product management at Netwrix, detailed several security measures that educational facilities should adopt.

“First of all, educational organizations need to identify which data is sensitive for them and place it into categories, such as personal information of students and employees, financial information, scientific research, and so on,” Sotnikov said. “The easiest way to accomplish this is to tag data automatically with a data classification solution, so all employees are aware whether the file is sensitive or not.

“Second, educational organizations need to update their staff on the new rules of data handling in the cloud and explain the risks and the costs of these risks for the organization.

“Third, institutions need to provide a convenient way for staff to collaborate (such as OneDrive for Business) and encourage everyone to use the ‘officially approved’ tool to store and exchange documents. But organizations need to enforce some security measures, such as review access rights in Azure AD, so that employees have access only to the documents they need to fulfill their job function.

“Finally, educational institutions need to monitor user behavior and ensure they can get alerts on suspicious behavior such as an abnormal amount of reads or bulk file copying. The same should be done for the IT team; schools need to hold them accountable for their actions, to prevent incidents with granting direct access rights to sensitive data, for instance.”

Image: iStockphoto/marchmeena29