An education in avoiding data breaches in schools, colleges, and universities

This is a guest article written by François Amigorena. The author’s views are entirely her own and may not reflect the views of IT Governance.

A recent report by Dark Reading uncovered that millions of stolen and fake student, faculty, and alumni email credentials were available to buy on the dark web.

The usernames and passwords were linked to 300 of the largest and most well-known universities in the US. And with prices ranging from $3.50 to $10 per email address, it’s clear that these credentials are in high demand.

From bank details to birth dates, universities and other scholarly organizations collect a vast amount of data on their students and staff, all of which is hugely attractive to cyber criminals. So how can education institutions across the globe protect the sensitive data they look after and reduce the risk of a hack?

The education sector is a target for cyber criminals

Cyber criminals in every country regularly target education institutions. This leaves IT teams responsible for universities, colleges, and schools under increasing pressure to safeguard data from internal and external threats. So why are such establishments so appealing to hackers?

One of the biggest advantages to being a student is getting free or discounted incentives, from food to travel. Students are often only eligible for such perks because they sign up using an email address linked to an educational institution. As such, these stolen credentials could provide hackers with access to benefits they would usually be ineligible for.

But cyber criminals are after more than just a half-price pizza. Stolen scholarly email addresses are particularly appealing because of the considerable amount of information these types of organizations store. Schools, colleges, and universities hold all sorts of medical, financial, and personal data on their students and staff. With stolen but legitimate login credentials, all this information can be accessed and used for malicious or illegal activities.

Because education promotes the free exchange of ideas and instant access to information, securing academic environments presents an interesting problem. IT teams within such institutions must ensure they preserve these values, promote safe IT practices, and keep sensitive information safe. So what’s the best course of action?

Furthermore, as students are highly likely to forget or lose their login details, they tend to share passwords. This makes those passwords far easier to steal, and cyber criminals take full advantage of this.

This blasé attitude towards security causes further headaches for IT teams because they often cannot tell who the genuine user is.

By taking pre-emptive measures, such as limiting students to only one possible session at a time, context-aware security can help prevent hacks and poor password practices. If a genuine user were logged in, a malicious or phony user trying to gain access at the same time would be locked out. Using this approach also means legitimate users would be accountable for any dishonest acts or pranks, helping to promote safe and sensible password practices across the board.

Prevention is better than cure

In the past, IT teams within the education sector have only implemented security policies as a reaction to a breach, rather than proactively and pre-emptively putting policies in place. To better protect education institutions and monitor for potential threats, IT teams must take preventive measures to implement a system of network access control and identity management, stopping hackers in their tracks.

Context-aware security verifies a user’s legitimacy based on information other than simply entering the correct password. This type of security software will grant or deny access using details such as the time or location of the login attempt, or even the device being used. The IT team can then respond to issues before they escalate.

This type of software not only thwarts malicious outsider threats, but also helps crack down on suspicious activity from genuine users. By making every student accountable for their own actions, IT administrators can monitor bad behavior, whether it’s a student prank, a careless user leaving their desktop open, or a pupil attempting an insider attack.
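To make the two ideas above concrete (one session per student at a time, and granting or denying access on time, location and device rather than on the password alone), here is a small context-aware access decision written for this article. It is an added illustration, not code from the author or from any product; the campus network range, permitted hours, enrolled device ids and the user name are all constructed examples, and the code assumes the password has already been verified before these checks run.

```python
"""Context-aware access decision for an education environment.

Added illustration, not code from the original article or any product it
describes. Every policy value below (campus network range, permitted hours,
enrolled device ids, user name) is a constructed example. Assumes the
password check has already succeeded; these are the extra context checks.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class LoginAttempt:
    """One login request that has already passed the password check."""
    user: str
    device_id: str
    source_ip: str
    at: datetime


@dataclass
class Policy:
    campus_networks: list    # ipaddress networks logins may come from
    permitted_hours: tuple   # (start, end) as datetime.time, same day
    enrolled_devices: dict   # user -> set of device ids registered with IT
    max_sessions: int = 1    # one session per student at a time


class AccessController:
    """Grants or denies access from login context and records every decision."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.active_sessions: dict[str, list[str]] = {}  # user -> device ids
        self.audit_log: list[dict] = []                  # what the IT team reviews

    def evaluate(self, attempt: LoginAttempt) -> tuple[bool, list[str]]:
        p = self.policy
        reasons: list[str] = []

        # Device: only devices IT has enrolled for this user.
        if attempt.device_id not in p.enrolled_devices.get(attempt.user, set()):
            reasons.append("device not enrolled for user")

        # Location: the source address must sit inside a campus network.
        ip = ipaddress.ip_address(attempt.source_ip)
        if not any(ip in net for net in p.campus_networks):
            reasons.append("source address outside campus networks")

        # Time: logins are only allowed inside the permitted window.
        start, end = p.permitted_hours
        if not (start <= attempt.at.time() <= end):
            reasons.append("login outside permitted hours")

        # Concurrency: a second simultaneous session is refused, which locks out
        # anyone using a shared or stolen password while the owner is logged in.
        if len(self.active_sessions.get(attempt.user, [])) >= p.max_sessions:
            reasons.append("user already has an active session")

        allowed = not reasons
        self.audit_log.append({
            "user": attempt.user, "device": attempt.device_id,
            "ip": attempt.source_ip, "at": attempt.at.isoformat(),
            "allowed": allowed, "reasons": list(reasons),
        })
        if allowed:
            self.active_sessions.setdefault(attempt.user, []).append(attempt.device_id)
        return allowed, reasons

    def logout(self, user: str, device_id: str) -> None:
        sessions = self.active_sessions.get(user, [])
        if device_id in sessions:
            sessions.remove(device_id)


def build_demo_controller() -> AccessController:
    # Constructed policy values for the demonstration.
    policy = Policy(
        campus_networks=[ipaddress.ip_network("10.20.0.0/16")],
        permitted_hours=(time(7, 0), time(22, 0)),
        enrolled_devices={"student42": {"laptop-A1"}},
    )
    return AccessController(policy)


def run_demo() -> list[tuple[bool, list[str]]]:
    """Replays four constructed login attempts and returns each decision."""
    ac = build_demo_controller()
    results = []
    # Genuine student: enrolled laptop, campus address, during the day.
    results.append(ac.evaluate(LoginAttempt("student42", "laptop-A1", "10.20.5.17", datetime(2024, 3, 4, 9, 30))))
    # Same credentials reused from an unknown device off campus while the
    # first session is still open: three independent reasons to deny.
    results.append(ac.evaluate(LoginAttempt("student42", "phone-Z9", "203.0.113.8", datetime(2024, 3, 4, 9, 45))))
    ac.logout("student42", "laptop-A1")
    # Night-time login from the student's own laptop on campus: denied on time only.
    results.append(ac.evaluate(LoginAttempt("student42", "laptop-A1", "10.20.5.17", datetime(2024, 3, 4, 23, 15))))
    # Daytime login the next morning succeeds because no session is open.
    results.append(ac.evaluate(LoginAttempt("student42", "laptop-A1", "10.20.5.17", datetime(2024, 3, 5, 8, 0))))
    return results


if __name__ == "__main__":
    for allowed, reasons in run_demo():
        print("ALLOW" if allowed else "DENY ", "; ".join(reasons))
```

Each decision, allowed or not, lands in `audit_log` with the user, device, address and reasons, which is the record that lets an IT team see an off-campus attempt against an open session, or a student's own night-time login, before the issue escalates.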