It’s hard to believe it’s been two years since we experienced the year of the healthcare hack. But now that attention has shifted to that industry, hackers are doing their best to identify the next soft target.
Over the last year or two, attacks against the education sector have been on the rise. The problem is that there are a few unique challenges that make cyber security difficult for institutions from K-12 all the way through higher education. Whether you’re worried about ransomware threats or advanced data breaches, it’s time to reinforce your security and compliance efforts.
Unique Security Challenges in the Education Sector
When you talked to leaders in the education sector about security—whether they were tech leads or superintendents/advisors—three or five years ago, budget was the biggest concern. Most institutions didn’t have the money to funnel into cyber security. However, the education sector is looking increasingly vulnerable to attack and leaders are taking notice. Budget planning is still critical, but the there are two more prominent challenges now:
- Disproportionate Users and IT Staff: For years, the user base connecting to the networks of education institutions has been growing exponentially. Thousands of students are generating traffic simultaneously. And yet, there are still only a couple of IT people on staff trying to keep the lights on. So, while budget is a concern when it comes to the proper cyber security equipment, staffing poses an equal (if not greater) challenge.
- Funding Is Focused on Greater Connectivity, Not Security: More money is being given to the education sector for faster internet and connectivity on campuses. Coincidentally, the cost of bandwidth has come down quite a bit in this space. However, institutions now have funding for multiple gigs of network connectivity but can’t afford the monitoring and security tools to manage even 1G of traffic. There has to be greater awareness driving change in this sector. It takes a lot of CPU power to analyze 1Gb of network traffic, and in most cases we are forced to leverage network taps and packet brokers to filter this down to a reasonable amount of data for inspection.
As focused as the education sector is on delivering powerful connectivity for students; protecting information such as student records, health records, research files, and the like has to be of equal concern. One reason it hasn’t, is the lack of regulatory enforcement of FERPA for cyber security standards. But as more regulations go into place, it’s only a matter of time before you’re faced higher scrutiny on security practices, whether it be from leadership or formal audits—partnering with an MSSP can ensure you don’t experience any issues.
Don’t Get Lost in Compliance Conflicts
Unlike the payment card industry, educational institutions haven’t had to worry about strict auditing processes. But there’s typically been one troublesome issue when it comes to education sector security—if you take government funding and experience a breach, the punishment is loss of funding.
This seems so counterproductive; if an organization experiences a breach with data theft, they clearly need more funding for better security programs. To avoid such a difficult situation, you need to make sure you’re ready to defend your network. It’s only a matter of time before security compliance audits become standard.
It’s easy to get lost in a sea of compliance challenges when you have complicated standards and regulations in place such as:
- Family Educational Rights and Privacy Act (FERPA): The highest security regulation for the education sector calls for the privacy of student records at all institutions that receive federal funding.
- Federal Information Security Management Act (FISMA): A framework for protecting government data and assets that extends to federal contractors (higher education institutions). This framework lays out standards for institutional cyber security.
- National Institute of Standards and Technology Special Publication 800-171: A proposed modification to the FISMA regulation that provides a set of recommended security requirements to keep controlled unclassified information (CUI) confidential. Where FISMA focuses on government information, NIST 800-171 calls for greater security in nonfederal. This is also the framework we base our FERPA audits and security programs on.
All of the compliance concerns that come along with these standards and regulations are just more reasons to take cyber security measures out of your own hands. As your students come in with more and more experience with technology, you can’t afford not to have total visibility into what’s happening on your network. With a limited number IT staff on hand, computer labs could become accidents waiting to happen.
But with the help of an experienced MSSP partner, you won’t have to worry about these issues. If you want to learn more about cyber security and regulations as they relate to the education industry—and hear more about how we partner with Garland Technology to guarantee visibility into every bit, byte and packet®—contact us today for a free consultation.