Unintentional Blunders Still Dog Education Security


People in education are more likely than those in any other major segment to click on e-mails that may be phishing attempts, according to the latest Verizon data breach report. Almost five people in 100 (4.93 percent) in education would mistakenly click on risky links during phishing tests.

For this year's findings, Verizon analyzed a total of 101,168 security incidents across multiple industries from 73 separate data sources (66 of which were from organizations outside of Verizon). The education sector made up a tiny portion of the total — 382 incidents, involving some 99 confirmed data breaches.

Denial of service made up the vast majority of those incidents — about 59 percent of the total. However, the DoS events didn't necessarily result in breaches. Of those, the researchers counted 61 actual breaches. The largest share — 35 breaches — occurred during what they called "miscellaneous errors," incidents in which unintentional actions compromised a security attribute of an asset. Most of the time, these involved sending or publishing sensitive data to the wrong place or misconfiguring servers.

Web application attacks made up about a quarter of breaches in education, most coming from the "frequent compromise of cloud-based mail services via phishing links to phony login pages," the report explained. Verizon's advice: If you use cloud-based mail services, "consider tightening up your password security and implement a second authentication factor and then turning off IMAP."

In those breaches that were "known," the primary motivation was financial, up 33 percent between 2016 and 2018, and the probable perpetrators were "organized criminal groups."

The report noted a drop in "state-affiliated or cyber-espionage cases," down 31 percent this year compared to 2016. However, the researchers warned, this doesn't mean those players have stopped looking for intellectual property on campus servers; rather, the findings are limited to the specific data provided by sources in this year's compilation.

As always, the report offered specific guidance for people in the education sector:

First, stay on top of digital hygiene: "Clean up human error to the best extent possible" and put in place a baseline level of security (two-factor authentication) around internet-facing assets such as web servers.

Second, research universities are more likely than K-12 school systems to be targets of cyber-espionage. But that doesn't mean school districts aren't targets themselves. The bad guys seem to go after personally identifying information on students just as much as they do cutting-edge research.

Third, don't forget the basics. Phishing, general e-mail security, ransomware and DoS continue to threaten education. Make sure they're addressed. "These topics may not seem new, but we still have not learned our lesson," the report noted.

The full Verizon "2019 Data Breach Investigations Report" is available with registration on the company's website.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
