Of 17 industries surveyed in the United States, education ranks at the very bottom when it comes to cybersecurity. That’s the finding of the latest report from SecurityScorecard, a company that tracks online data and system protection measures. 

“Alarmingly,” the report states, “out of 17 industries in the U.S., Education comes last in terms of total cybersecurity. This should be a cause for serious concern among students, parents, school boards, and the education industry as a whole. And yet, despite the ubiquity of data collection and the ever-increasing number of schools nationwide storing data digitally, the Education industry is not doing its part to protect its students (and, essentially, itself) from such risks.”

Cybersecurity Findings from SecurityScorecard’s Report

Considering the data at risk involves the personal information of minors, SecurityScorecard’s findings are particularly troubling. What’s more, many if not most of students’ families do not have the ability to opt out of numerous software and online services used by K-12 schools across the United States.

To reach its conclusion, SecurityScorecard surveyed 2,393 companies, each of which had a footprint of 100 or more IP addresses in the education industry between April and October of this year. This data was compared to similar samples of companies in other industries. 

SecurityScorecard found edtech companies tend to score low in four general areas of cybersecurity. These include: patching cadence (the frequency of updates and improvements), application security, endpoint security (protections surrounding an individual’s access to a system), and network security. 

Short on Updates, Long on Loopholes

While numerous U.S. and E.U. laws seek to protect student data, many loopholes allow tech companies to focus less on cybersecurity. Among the most egregious, the Family Educational Rights Protection Act (FERPA) allows individual teachers and school administrators to provide consent for the collection of student data in place of parents. Edtech providers, therefore, need only to convince key players in an institution or district that their data collection practices and cybersecurity measures are sufficient. 

The findings of the report are also consistent with a recent FBI announcement, which warned of the growing cybersecurity threats to edtech systems. 

In their September PSA, the Bureau described numerous hacking attempts in 2017.

“In late 2017,” the announcement states, “cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States.” The PSA further emphasizes, that in these incidents, “[The hackers] accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information. The actors sent text messages to parents and local law enforcement, publicized students’ private information, posted student PII on social media, and stated how the release of such information could help child predators identify new targets. In response to the incidents, the Department of Education released a Cyber Advisory alert in October 2017 stating cyber criminals were targeting school districts with weak data security or well-known vulnerabilities to access sensitive data from student records to shame, bully, and threaten children.”

As the SecurityScorecard concludes, the collection of student data has vastly improved many educational initiatives, allowing educators to get a much clearer picture of student needs and performance. That progress, however, has not been matched by advances in cybersecurity measures in place.

“All educational institutions,” the report reads, “should have a cybersecurity plan that takes into account technical aspects such as monitoring and managing networks, maintaining and upgrading equipment, estimating network capacity, protection with firewalls and anti-virus/anti-malware software, filtering content and security, and paying for insurance and licensing fees. Additionally, schools should incorporate network redundancy and backup recovery plans. A cybersecurity plan should reflect a holistic approach to student data protection. By incorporating technology and people, a robust program mitigates risks, while also ensuring ongoing education instills good security habits into employees, students, and their parents.”

Read the full report here.

Featured Image: John Schnobrich, Unsplash.