As schools in the United States have grown more dependent on education technology, they have become more at risk of cybersecurity attacks—and at a rate far worse than other industries across the nation.
The top performers of cybersecurity in the report were the food, energy, and retail industries in order from best to worst.
From April to October 2018, SecurityScorecard analyzed 2,393 companies in the education industry. Both individual schools and entire school districts were studied as well as private companies in the education sector. There was no differentiation between education-related private companies and school districts in terms of their vulnerability to cyberattacks.
SecurityScorecard evaluated the overall score of all the education companies compared to other industries based on 10 criteria. The criteria included DNS security, network security, and application security.
In an interview with Education Week, SecurityScorecard Co-Founder Sam Kassoumeh said that the schools studied were geographically distributed all across the nation and were primarily focused on higher education. But K-12 districts were also included, and many of those systems are vulnerable to attacks, he said.
“The head of IT for a K-12 [school] … usually has a couple of helpers, and security is one of many competing priorities,” he said. “It’s one that’s not going to get a lot of attention or complaints from faculty.”
“This is a really systemic issue,” added Kassoumeh. “Educational facilities, frankly speaking, underfund the security function within their organization.”
Schools tend to underestimate the need for monitoring and protecting network infrastructures, the report says. The growth of academic resources like computer-based assessments also create cybersecurity concerns for learning add extra concerns to privacy if they collect personal information to differentiate between individual students, SecurityScorecard says. In addition, 50 percent of education service providers experienced distributed denial of service attacks in 2017, the report found.
The authors also make several suggestions for improving security in the education industry, including finding more efficient ways to report lost or stolen data. Additional suggestions are to maintain and upgrade equipment, anti-virus, and anti-malware software, as well as incorporate network redundancy and backup recovery plans.
There’s evidence that districts have not taken steps to prepare for the worst. According to last year’s survey by the Consortium for School Networking and the Education Week Research Center, only 15 percent of the country’s K-12 information-technology leaders have implemented a cybersecurity plan in their own district and nearly three in four district IT leaders say they are not “adding security safeguards to vendor negotiations.”
There have been nearly 400 reports of cybersecurity-related incidents involving U.S. public schools since 2016, the K-12 Cybersecurity Resource Center, which is maintained by EdTech Strategies, LLC.
SecurityScorecard, the maker of the report, is a New York-based information security company founded in 2013 that produces letter-grade ratings on the cybersecurity resilience of companies from all around the world.