Is Your Student Data Safe and Secure?
Clearinghouse CISO Provides Lessons to Protect Your Institution’s Data
By John Ramsey, Chief Information Security Officer, National Student Clearinghouse
Ransomware has become a serious danger in our country, with our elementary schools, high schools, and colleges under attack. From coast to coast, the cases are mounting.
In March, hackers demanded $40 million from the Broward County, Florida public school district. After the school district refused to pay, the hackers published nearly 26,000 files from the district’s servers, including sensitive financial records and confidential employee and student data. In Baltimore, 115,000 students were unable to take classes because of a ransomware attack that disabled its network systems. Similar attacks in places like Fairfax County, Virginia, Hartford, Connecticut, and Fort Worth, Texas, have rocked the nation’s education system.
Unfortunately, the education system's nimbleness in moving to remote teaching during the pandemic came with unintended harmful consequences. With online learning, educational institutions are increasingly the targets of cyberattacks, jeopardizing the well-being of students, educators, and staff.
Research from the K-12 Cybersecurity Resource Center found an 18% increase in cyberattacks on schools during 2020. Further, from January to July of 2020, 28% of all reported ransomware incidents involved K-12 schools, according to this Joint Cybersecurity Advisory, whose authors include the F.B.I. In August and September of 2020, that number jumped to 57%.
The financial losses are staggering. The average total cost of a data breach for an organization across all industry sectors amounts to over $7 million. Yet the most lasting damage may result from the loss of students' trust and the belief that their school is unable to keep their most sensitive information safe. Cyber breaches can cause long-term reputational damage that can plague institutions for years.
There are several ways breaches can take place. 91% of cyberattacks started with a phishing email, while 81% of hacking-related breaches leveraged either stolen or weak passwords. 66% of malware was installed through malicious email attachments. Hackers have even disrupted virtual learning by entering virtual classrooms and verbally harassing students. These tactics can be relatively simple, but also devastating.
It’s critical that educators, law enforcement, and cybersecurity experts collaborate to secure our nation’s schools. This means institutions must prioritize cybersecurity, and policymakers must provide the necessary funding so networks can be updated and strengthened.
There are also steps that institutions can take today to immediately increase their cyber readiness. The Clearinghouse’s 28-year record of maintaining the confidentiality and privacy of student records has yielded important insights on how to keep confidential information safe and secure.
- Pinpoint your risks: Meet with your organization’s IT department leaders. By partnering with them, you will gain a clearer understanding of what they are able to do to protect data, and what security steps you should take.
- Be diligent about patching major systems: Student information systems are often large, complex third-party software, sometimes highly customized and configured. Ensure that your institution has good patch management processes.
- Implement multifactor authentication: Multifactor authentication (MFA) is a system that relies on more than one layer of security to authenticate a user; a user needs the ID and password, plus an extra authentication step.
- Create an incident response plan: The best time to plan an incident response is before an incident happens. If an incident occurs, the stress of the crisis makes it difficult to approach communications strategically and respond appropriately. Be prepared for the worst.
- Model good security practices and discuss best practices with your staff: Since information security is everyone’s job, recognize and reward staff who educate themselves on information security and compliance requirements as they relate to your business function. Talk with your staff about best practices for handling student data and make those discussions a regular part of your meetings.
While the cyber threats facing education institutions can appear daunting, it’s important to remember that 93% of breaches could have been avoided with basic cyber hygiene. Empowering school communities to take ownership of cybersecurity can go a long way toward securing institutional networks.
As we emerge from the pandemic, now is the time to evaluate the lessons learned and how to build our education system on a stronger foundation. An essential pillar is ensuring that educational institutions are equipped to protect the sensitive information of students, educators, and administrators.