novice - digital security awareness training built to ... · privacy & security...



PRIVACY & SECURITY AWARENESS 101

TESTING THE SECURITY AND PRIVACY KNOW-HOW OF EDUCATIONAL EMPLOYEES

KEY FINDINGS FROM THE SURVEY

EDUCATION RISK AREAS

INFORMATION SECURITY RANKED AS THE #1 IT ISSUE AT EDUCATIONAL INSTITUTES. [1]

EDUCATION RISK PROFILES

Using the skills test from the inaugural State of Privacy and Security Awareness report, employees at educational institutes were categorized into one of three profiles (risk, novice, or hero) based on their score on the skills test. The numbers below indicate the percentage of employees in education that tested into each respective risk profile.

HERO (93.5%-100%), 32%: These individuals know their stuff, and are adept in keeping information secure.

NOVICE (77.4%-90.3%), 50%: Novices have a good understanding of the basics, but could stand to learn more.

RISK (00.0%-74.2%), 18%: These individuals put their organizations at serious risk for a privacy or security incident.

Below are the average scores for education employees for each risk area, with the top four highest risk areas highlighted.

Depending on the nature of the educational institute, these organizations are subject to strict laws and regulations such as FERPA, HIPAA, PCI, and the Gramm-Leach-Bliley Act (GLBA). Due to the growing threat landscape and increasing vulnerability of educational institutes, it’s clear there’s a need to strengthen the defenses against cybercrime.

455 total security incidents were reported in schools, universities, and colleges in 2016. [2]

Educational institutes account for 17% of all reported data breaches, second only to the healthcare industry. [3]

26% of educational institutes report experiencing cyberattacks daily/weekly. [4]

When asked if their organization is prepared to fight cyberattacks, education rated as the least prepared and most vulnerable vertical. [4]

Compared to the industry average of 84%, only 77% of educational institutes have a security framework in place. [5] Educational organizations need to step up their cybersecurity and data privacy processes to comply with the Cybersecurity of Federal Networks executive order.

The top two biggest barriers that inhibit defending against cyberthreats:

45% LACK OF PERSONNEL

45% LACK OF BUDGET

With the third obstacle being…

40% LOW SECURITY AWARENESS AMONG EMPLOYEES [6]

Even though educational institutes are subject to many laws and regulations regarding the safeguarding of data, they must also be prepared for cyberattacks due to the wealth of information on students and faculty alike. Solely technical safeguards and only following the letter of the law should not replace a comprehensive approach to security and privacy awareness.

In our 2016 State of Privacy and Security Awareness Report, we found that 88% of employees in all industries lack the awareness to stop preventable privacy and security incidents. [7]

Want to find out how you measure up in your awareness of cybersecurity and data privacy best practices?

Sources

1. EDUCAUSE Top 10 IT Issues, 2017
2. Verizon Data Breach Investigations Report, 2017
3. Privacy Rights Clearinghouse’s Chronology of Data Breaches
4. Radware Global Application & Network Security Report 2016-2017
5. Survey Report: Trends in Security Framework Adoption, Tenable
6. (ISC)² Cybersecurity Trends Report, 2017
7. 2016 State of Privacy and Security Awareness, MediaPro

Educational institutes face a huge challenge against cybercrime. With a vast amount of financial, medical, and personal information all available in one place, there need to be increased cybersecurity and data privacy measures to safeguard against potential security and privacy incidents.

A MediaPro survey of 904 respondents in education found that more than 2/3 of employees could potentially put the personally identifiable information (PII) of students, faculty, and employees in danger with risky behaviors.

We tested cybersecurity and data privacy know-how in eight key risk areas and found that:

Overall, 68% are at risk of a significant privacy or security incident.

Just 32% fall into our “hero” risk profile and are able to recognize and protect against threats.

IDENTIFYING PII: 82%
WORKING REMOTELY: 83%
ACCESS CONTROLS: 85%
MALWARE WARNING SIGNS: 86%
IDENTIFYING PHISHING ATTEMPTS: 93%
CLOUD COMPUTING: 85%
SOCIAL MEDIA: 86%

RISK FACTORS:
• Lists of social security numbers
• Tax forms with name and address
• Photocopy of driver’s license or student ID

RISK FACTORS:
• Not connecting to company VPN
• Personal USB for business files
• Using public Wi-Fi for work tasks

RISK FACTORS:
• Building entry without company badge
• Leaving an unauthorized visitor without an appropriate contact person

2017 OUTLOOK FOR EMPLOYEE AWARENESS IN EDUCATION

[Figure: Malware, Distributed Denial of Service (DDoS), Web Application Attack, Social Engineering, Ransomware]

INDUSTRY AVERAGE: 84%
EDUCATIONAL INSTITUTES: 77%

INCIDENT REPORTING: 82%

AVERAGE SCORE FOR A RISK-AWARE EMPLOYEE: > 93.5%

AVERAGE SCORE FOR EDUCATION: 85.25%

Educational institutes historically face both budget and staff constraints. There is often only one central IT information security staffer per 10,000 student, faculty, and staff FTEs. [1]

RISK FACTORS:
• Antivirus software disabled
• Unlocked file cabinet with personnel files
• Malware infected computer