Learning security: how to prevent a data breach in schools (PaperCut Blog)
Technology has completely revolutionised the way young people are learning… but it also brings the education sector some new risks when it comes to the risk of a data breach. We’re constantly giving out personal information to websites and companies to make things like shopping and banking quicker and easier. But now we’re doing the same in our schools as well.
In fact, schools and colleges hold a large database of their students’ personal information – some of it very sensitive details about their mental health or learning abilities. Unfortunately, this makes them targets for hackers.
Since 2005, there have been over 2,600 data breaches in US schools (and counting…) leading to leaks of over 32 million records. These security breaches were fairly evenly split between K-12 schools and universities, and can result in some pretty devastating consequences. That’s why it’s so important to take steps to mitigate and prevent security threats.
What can cause a data breach in schools?
A data breach occurs when either an internal user or external hacker gains unauthorised access to confidential or sensitive information within a school database. There can be many ways this can happen, but one of the most familiar forms of security breach is via a phishing attack, which are emails or websites containing links to malware or ransomware that are capable of infecting data just from a single click.
This is a particular challenge in a school environment where staff often send out mass emails containing information about test schedules, assignments, and upcoming events – presenting an easy way for hackers to gain access to students’ names and email addresses.
According to a 2020 Verizon report , the vast majority of school data breaches are via a form of phishing known as ‘pretexting’ where the hacker comes up with a story to trick the victim into giving up valuable information. External threats constitute 80% of these data breaches, and while 96% are financially motivated there has also been an increase in large-scale attacks on major ed tech companies.
In some cases, human error can lead to access for cybercriminals, or unethical actions taken by a student or staff member create an intentional data breach – perhaps to harm the reputation of the educational institution.
What are the consequences of a data breach in schools?
A data or security breach at a school or college may expose confidential information about their students. On an individual level, hackers could sell personal data on the dark web or use it to access bank accounts. Even with a very small amount of information, such as a name and email address, cybercriminals may be able to impersonate the victim, hack into social media accounts, or even steal their identity.
Even though small children may not have their own social media or bank accounts, a study showed that over 1200 K-12 schools had stolen data published online – and these security breaches can follow younger children for years.
Increasingly, ransomware gangs are stealing private student records from schools and dumping them online. In some cases, confidential documents have described student sexual assaults, psychiatric hospitalisations, truancy, domestic violence, and suicide attempts .
The damage of a security breach like this may result in significant costs associated with data recovery, reputational damage, and school closures. But the lasting consequence is on students whose highly sensitive information is now available on the internet for anyone to discover – potentially for the rest of their lives.
How to prevent and manage a school data breach
While this might sound shocking, the good news is there some steps you can take to help prevent and mitigate cybersecurity threats. There is no single solution to stop all security breaches – so you need a comprehensive plan that takes as many precautions as you can:
Privileged access. Strictly control access to accounts with higher privileges as these are more likely to be targeted by cybercriminals.
Threat detection. Implement tools that automatically identify malware, phishing, ransomware, and other malicious activities that can lead to data breaches.
Multi Factor authentication. Require users to validate their identity, to prevent cybercriminals from accessing accounts with stolen passwords.
Digital cards. Use a digital card for your school’s online purchases to stop unauthorised access to credit card numbers or bank details.
Regular training. Educate both students and staff around cybersecurity – for example, how to create strong passwords and identify phishing emails.
Secure printing. Printing is one of the most overlooked areas of IT security. Leverage tools and features that help you bolster the physical, administrative, and technological layers of your print environment’s security.
Google alerts. Set a ‘data breach’ Google alert on student accounts so they will find out immediately if any of the websites or services they use have had a data leak.
Virtual Private Network (VPN). Install a VPN on all school devices to disable tools that websites and companies use to track and collect personal data.
Data breach plan. Make sure everyone knows what to do in the event of a data breach, from reporting to IT administrators to updating student passwords.