Back to school for the education sector when it comes to data security

In 1975, Apple began donating Apple 1 model desktop PCs to schools. In 1990, the Internet became available to students in classrooms. If you scanned a school library back in 2010 you would see nearly as many iPads and Tablets as books. Fast forward to 2018 and there are reports coming out of Singapore of robots being used as aides to teachers in kindergartens.

Just as technology has become mainstream in homes and offices, it too has entered classrooms, auditoriums and libraries. However, as we introduce these gadgets and gizmos we must be mindful that it is not without risk. More endpoints mean a greater attack surface and the confidential nature of student and staff information makes educational institutions an attractive target for cyber criminals.

Take the risks associated with BYOD schemes. With a university hosting thousands of students on a network at any time, the risk of connecting an infected device is heightened. Or phishing and social engineering attacks. All it takes is one click to potentially compromise an entire network.

Faced with these various threats, does the education sector receive a ‘High Distinction’ for its efforts to protect its troves of student and staff data? Not according to the recent findings of the inaugural Canon Business Readiness Index on Information Security.

More than 400 Australian business decision-makers took part in the survey revealing that 75% of respondents from the education sector have not sufficiently implemented 6 or more of Australian Signals Directorate's Essential 8. This is a basic list of practical actions organisations can take to make their systems more secure.

When it comes to keeping abreast of regulation, our Index found 3 in 5 organisations that will be affected by the recently introduced Notification Data Breaches Scheme are unaware of it and what it means for them. While retailers and manufacturers are seen to have more security measures in place than any other industries, the ‘Education and Training’ sector is one of the least prepared for the new laws.

When asked how concerned they were about suffering a data breach in the next 12 months, only 42% of business decision makers across the ‘Education and Training’ sector stated that they were ‘slightly’ or ‘not at all’ concerned, while just 39% are ‘very or extremely concerned’. This finding is out of sync with an evolving risk landscape. With student and staff data at risk, this lack of awareness is concerning. Finally, while 58% of institutions in the sector have been assessed for security risk management, the sector has by far the highest number (17%) of decision makers who are unsure if any security assessments have been completed.

Education lays the ground for a maturing society and thankfully there are tools and expertise on offer to safeguard against cyber risks that may jeopardise this growth. Just as we never stop learning, the threat landscape never stops evolving. The learnings from our Business Readiness Index on Security indicate there is an opportunity for the education sector to improve its approach to cybersecurity and stay in step with the regulatory frameworks.