Malware, phishing and ransomware are cyber threats that have impacted all organizations including educational institutions – from K-12 to universities. Most recently, one school district disclosed that it was the victim of a data breach when multiple phishing emails from malicious hackers were used to gather login information of staff members. The breach exposed Social Security numbers and addresses of more than 500,000 students and staff.
According to the Cybersecurity Resource Center, 2018 saw 122 cyber attacks on K-12 educational institutions, averaging out to an attack every three days. Schools are vulnerable in part as they have a significant amount of highly confidential information on students, parents, staff, and faculty in their possession. This includes names, dates of birth, Social Security numbers, mailing and home addresses, phone numbers, billing data, health information, and, in some cases, legal notices.
Help Insureds Protect their Information
Following are several steps an educational institution should be taking to protect confidential student and employee data from cyber thieves:
- Boost School Login Requirements: Require all employees to use strong passwords that are complex and hard for hackers to decipher. Install software requiring employees to change those passwords regularly and prohibiting them from utilizing prior passwords. Use “two-step authentication” for particularly sensitive information or for employees who access that information.
- Require Encryption: Ensure that only people with access to a secret key (called a decryption key) can access confidential information. Encryption should be used wherever that data is stored, such as on files, folders, disks, flash drives, and the cloud, as well as when information is transmitted, most commonly by email.
- Limit Employee Access to Information: Restrict each employee’s access to sensitive information to the extent that it is needed for that employee’s job, which minimizes the risk of an employee mistakenly providing access to it. By limiting who can access certain information, the school can also limit the likelihood of a security breach.
- Train Faculty and Administrative Staff: Hackers have become increasingly clever in getting people to open malicious files and attachments or to access websites that infect their devices. They send emails that look a lot like invoices or other files that appear to be coming from a reliable vendor. Go over these techniques with the staff so that they don’t fall victim to malware. A useful training tool involves conducting unannounced “fire drills” where fake hacks are sent out to test employees. When employees see what fake hacks can look like and are trained to recognize them and question emails before opening them, potential data breaches can be averted.
- Set Up Remote Protection: Employees may be protected by firewalls and other network security measures while on campus, but also consider measures for when employees are traveling or working remotely. Unsecured wireless networks are an area where breaches can occur, as data transmitted over these unsecured channels can be subject to hacking. To address this concern, consult with the IT staff or vendor about a VPN (virtual private network) that employees can use to access the Internet when they are beyond the protection of the campus.
- Back Up Data: Consistently back up data in case there is a system failure, and be sure to include security protection measures for the backup system and store the backup data in an offsite location. It is also important to regularly test the backups to ensure you can gain access in an emergency situation.
- Ensure Vendors Are Cyber-Secure: Assess whether vendors are storing and transmitting information in a secure and protected manner. Include provisions in agreements with vendors requiring them to take security measures to protect confidential information and to indemnify the school if one of their system failures causes a data breach.
- Purchase Cyber Insurance Designed for Educational Institutions: Addressing a data breach goes beyond analyzing the breach and how it occurred. The costs include the disruption to the school’s mission and managing the disruption and loss of confidence caused by a breach. The school may also have to notify affected parties of the data breach and offer some type of credit monitoring to those affected. There are also the costs of potential litigation and possible regulatory fines. For these reasons, make sure Cyber insurance is in place to cover data breaches and other cyber-related risks.
RPS specializes in insuring educational institutions including providing comprehensive Cyber Liability insurance solutions. Our Cyber product is ideal for schools and includes privacy liability, privacy notification expenses, regulatory liability, media content liability, network security liability, crisis management, credit monitoring expense, extortion threat and ransomware, and can include cyber deception/social engineering as well.