Unintentional Blunders Still Dog Education Security

People in education are more likely to click on potential phishing e-mails than those in any other major segment, according to the latest Verizon data breach report. Almost five people in 100 (4.93 percent) in education would mistakenly click on risky links during phishing tests.

For this year's findings, Verizon analyzed a total of 101,168 security incidents across multiple industries from 73 separate data sources (66 of which were from organizations outside of Verizon). The education sector made up a tiny portion of the total — 382 incidents, involving some 99 confirmed data breaches.

Denial of service made up the vast majority of those incidents — about 59 percent of the total. However, the DoS events didn't necessarily result in breaches. Of those, the researchers counted 61 actual breaches. The largest share — 35 breaches — occurred during what they called "miscellaneous errors," incidents in which unintentional actions compromised a security attribute of an asset. Most of the time, these involved sending or publishing sensitive data to the wrong place or misconfiguring servers.

Web application attacks made up about a quarter of breaches in education, most coming from the "frequent compromise of cloud-based mail services via phishing links to phony login pages," the report explained. Verizon's advice: If you use cloud-based mail services, "consider tightening up your password security and implement a second authentication factor and then turning off IMAP."

In those breaches that were "known," the primary motivation was financial, up 33 percent between 2016 and 2018, and the probable perpetrators were "organized criminal groups."

The report noted a drop in "state-affiliated or cyber-espionage cases," down 31 percent this year compared to 2016. However, the researchers warned, this doesn't mean those players have stopped looking for intellectual property on campus servers; rather, the findings are limited to the specific data provided by sources in this year's compilation.

As always, the report offered specific guidance for people in the education sector:

First, stay on top of digital hygiene: "Clean up human error to the best extent possible" and put in place a baseline level of security (two-factor authentication) around internet-facing assets such as web servers.

Second, research universities are more likely than K-12 school systems to be targets of cyber-espionage. But that doesn't mean school districts aren't targets themselves. The bad guys seem to go after personally identifying information on students just as much as they do cutting-edge research.

Third, don't forget the basics. Phishing, general e-mail security, ransomware and DoS continue to threaten education. Make sure they're addressed. "These topics may not seem new, but we still have not learned our lesson," the report noted.

The full Verizon "2019 Data Breach Investigations Report" is available with registration on the company's website.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
