How to implement a successful cybersecurity programme

Published on April 13, 2020

Making up more than 6% of the gross world product, the global education sector has been growing at a 4.5% compound annual growth rate and is forecast to be worth $10tn by 2030. As the education sector continues to grow, so does the rate of digitisation in schools. More and more schools are implementing digital solutions to track student performance, schedule classes, monitor assignments, and perform other tasks.

But as educational institutions continue to collect increasing amounts of student information, the responsibility to secure this data also exponentially increases. According to a BBC report, university research projects are major hacking targets, and universities in the United Kingdom were targeted with 1,000 cyberattacks in 2018. In the month of March 2018 alone, more than 300 universities fell victim to an orchestrated attack by Iranian hackers who managed to access 31 terabytes of “valuable intellectual property and data”.

What kind of information is at risk?

Educational institutions store immense amounts of highly sensitive information, like contact information, academic records, Social Security numbers, financial information, and health records, which makes them lucrative targets for hackers. To top it all off, many universities conduct government-sponsored research, which may contain critical government information. Data assets like these fetch thousands of dollars on the dark web.

Many universities conduct government-sponsored research, which may contain critical government information. Data assets like these fetch thousands of dollars on the dark web.

How do we combat the threats that the education sector faces?

Although cybersecurity challenges aren’t unique to the education sector, what’s particularly worrying is that the education industry ranked last out of 17 industries assessed by SecurityScorecard. According to the report, the three biggest security challenges the sector faces are application security, patching cadence, and network security.

As hackers continue to grow more skilled at stealing information, the education sector needs to step up its efforts to protect its highly sensitive systems and information. Setting up an information security programme is key to overcoming these security challenges.

Educational institutions need to go through the following steps to implement a successful information security programme:

  1. Establish an information security team: The first step in establishing an information security management programme is to set up the security champions of the institution. The ideal team is comprised of an executive group responsible for driving the strategy and establishing the objectives, and a cross-functional group responsible for day-to-day IT security operations.
  2. Identify information assets: The next most important step is conducting an inventory of all information assets the institution possesses, including information from third parties, to establish ownership. The inventory should be categorised based on the criticality of the stored information.
  3. Assess the current security posture: Once all information assets are identified and categorised, the institution should conduct a detailed analysis of potential risks and vulnerabilities.
  4. Manage risks: Next, the risks and vulnerabilities should be prioritised based on their likelihood and possible impact. A detailed risk register usually includes all potential vulnerabilities, along with the relevant controls required to mitigate these risks.
  5. Monitor all critical infrastructure: Lack of monitoring may cause many schools to fall for unforeseen attacks. Monitoring tools keep an eye on network activities to ensure that unauthorised actions are caught as and when they occur. They also track activities taking place in all network devices, such as firewalls, routers, and servers, while log analysers can closely monitor all event logs and syslogs.
  6. Create an incident response plan: A good incident response plan clearly defines the process to be followed in a security incident, and identifies what needs to be done, who should be informed, and the steps to ensure timely resolution. A best practice is to identify the tools required during various stages of incident management, such as a help desk tool to log incident tickets and assign technicians.
  7. Spread awareness and conduct trainings: Conductingregular training and awareness exercises for all stakeholders ensures the success of the entire security programme. All staff and students should be periodically trained on cybersecurity best practices, as internal threats continue to be one of the weakest links in the security practices of organisations across sectors.

The challenges the education sector faces may seem overwhelming, but there are plenty of ways to effectively protect IT networks. A proactive approach ensures the safety of the immense amount of information that schools store. Strong access controls, authentication mechanisms, and constant monitoring of all databases that store information will help educational institutions achieve their cybersecurity goals.

Disclosure: This article was originally published in EdTechnology UK.

Leave a comment

Your email address will not be published. Required fields are marked *

four + thirteen =

Topics

As the world moves away from manual, labor-intensive processes, companies are increasingly relying on artificial intelligence to streamline operations. From forecast engines and conversational assistants to anomaly detection and behavior analysis, AI capabilities have been progressing in leaps and bounds in the last few years.
Digital transformation can be a complex process requiring various stakeholders—leadership, partners, and employees—to be on the same page while ensuring the transformation enhances business value. However, despite its growing popularity, many businesses are still unsure what exactly digital transformation entails. Dive in for our take on everything DX.
As the world of cyberthreats becomes increasingly sophisticated, organizations need to develop a multi-pronged defense strategy that includes various layers of protection spread across networks, hardware, programs, and data. The people, processes, and technology in an organization need to come together in order to create an infallible security program.
As we move into an era of information explosion, mounting concerns regarding data privacy have given rise to groundbreaking regulations. Adhering to privacy regulations, such as the GDPR and the CCPA, not only ensures compliance, but can also help an organization develop solid data security policies and prevent breaches.