PRIVACY & SECURITY AWARENESS 101
TESTING THE SECURITY AND PRIVACY KNOW-HOW OF EDUCATIONAL EMPLOYEES
KEY FINDINGS FROM THE SURVEY
EDUCATION RISK AREAS
INFORMATION SECURITY RANKED AS THE #1 IT ISSUE AT EDUCATIONAL INSTITUTES.1
EDUCATION RISK PROFILES
Using the skills test from the inaugural State of Privacy and Security Awareness report, employees at educational institutes were categorized into one of three profiles (risk, novice, or hero) based on their score on the skills test. The numbers represented below indicate the percentage of employees in education that tested into each respective risk profile.
HERO: These individuals know their stuff, and are adept in keeping information secure.
NOVICE: Novices have a good understanding of the basics, but could stand to learn more.
RISK: These individuals put their organizations at serious risk for a privacy or security incident.
[Chart: percentage of education employees in each risk profile. Values shown: 50%, 32%, 18%]
Score ranges: Risk (00.0%-74.2%), Novice (77.4%-90.3%), Hero (93.5%-100%)
Below are the average scores for education employees for each risk area, with the top four highest risk areas highlighted.
Depending on the nature of the educational institute, these organizations are subject to strict laws and regulations such as FERPA, HIPAA, PCI, and the Gramm-Leach-Bliley Act (GLBA). Due to the growing threat landscape and increasing vulnerability of educational institutes, it’s clear there’s a need to
strengthen the defenses against cybercrime.
455 total security incidents were reported in schools, universities, and colleges in 2016.2
Educational institutes account for 17% of all
reported data breaches, second only to the
healthcare industry.3
26% of educational institutes report
experiencing cyberattacks daily/weekly.4
When asked if their organization is prepared to fight cyberattacks,
education rated as the least prepared and most vulnerable vertical.4
Compared to the industry average of 84%, only 77% of educational institutes
have a security framework in place.5 Educational organizations need to
step up their cybersecurity and data privacy processes to comply with
the Cybersecurity of Federal Networks executive order.
The top two biggest barriers that inhibit defending against cyberthreats:
45% LACK OF PERSONNEL
45% LACK OF BUDGET
With the third obstacle being…
40% LOW SECURITY AWARENESS AMONG EMPLOYEES.6
Even though educational institutes are subject to many laws and regulations regarding the safeguarding of data, they must also be prepared for cyberattacks due to the wealth of information they hold on students and faculty alike. Relying solely on technical safeguards and following only the letter of the law should not replace a comprehensive approach to security and privacy awareness.
In our 2016 State of Privacy and Security Awareness Report, we found that 88% of employees in all industries lack the awareness to stop preventable privacy and
security incidents.7
Want to find out how you measure up in your awareness of cybersecurity and data privacy best practices?
Sources
1. EDUCAUSE Top 10 IT Issues, 2017
2. Verizon Data Breach Investigations Report, 2017
3. Privacy Rights Clearinghouse’s Chronology of Data Breaches
4. Radware Global Application & Network Security Report 2016-2017
5. Survey Report: Trends in Security Framework Adoption, Tenable
6. (ISC)2 Cybersecurity Trends Report, 2017
7. 2016 State of Privacy and Security Awareness, MediaPro
Educational institutes face a huge challenge against cybercrime. With a vast amount of financial, medical, and personal information all available in one place, there need to be increased cybersecurity and data privacy measures to safeguard against potential security and privacy incidents.
A MediaPro survey of 904 respondents in education found that more than 2/3 of employees could potentially put the personally identifiable information (PII) of students, faculty, and employees in danger with risky behaviors.
We tested cybersecurity and data privacy know-how in eight key risk areas and found that:
Overall, 68% are at risk of a significant privacy or security incident.
Just 32% fall into our “hero” risk profile and are able to recognize and protect against threats.
IDENTIFYING PII: 82%
WORKING REMOTELY: 83%
ACCESS CONTROLS: 85%
MALWARE WARNING SIGNS: 86%
IDENTIFYING PHISHING ATTEMPTS: 93%
CLOUD COMPUTING: 85%
SOCIAL MEDIA: 86%
RISK FACTORS:
- Lists of social security numbers
- Tax forms with name and address
- Photocopy of driver’s license or student ID
RISK FACTORS:
- Not connecting to company VPN
- Personal USB for business files
- Using public Wi-Fi for work tasks
RISK FACTORS:
- Building entry without company badge
- Leaving an unauthorized visitor without an appropriate contact person
2017 OUTLOOK FOR EMPLOYEE AWARENESS IN EDUCATION
Malware, Distributed Denial of Service (DDoS), Web Application Attack, Social Engineering, Ransomware
INDUSTRY AVERAGE: 84%
EDUCATIONAL INSTITUTES: 77%
INCIDENT REPORTING: 82%
AVERAGE SCORE FOR A RISK-AWARE EMPLOYEE: > 93.5%
AVERAGE SCORE FOR EDUCATION: 85.25%
Educational institutes historically face both budget and staff constraints. There is often only one central IT information security staffer per 10,000 student, faculty, and staff FTEs.1
RISK FACTORS:
- Antivirus software disabled
- Unlocked file cabinet with personnel files
- Malware infected computer