Risky Practices With Students' Data Security Are Common, Survey Suggests
MediaPro, a company that designs corporate trainings on IT security, data privacy, and compliance, released results this week from a privacy and security awareness survey of over 900 employees in the education sector.
The company asked survey respondents how they would handle various security and privacy issues, like finding a post-it note with someone's password, or seeing something strange pop up on a computer, said Colleen Huber, the director of cyber education strategy for MediaPro, in an interview.
Just over two-thirds of all participants responded to at least one of the hypothetical situations in a way that would have put their students' or employees' personally identifiable information—including Social Security numbers, addresses, or driver's license information—at risk.
Participants self-identified as employed in the education sector, said Huber. They could include K-12 educators, higher education faculty, or employees who work in education-focused organizations, she said.
Increasingly, schools and districts are facing the issue of cybersecurity. In 2017 alone, schools have found themselves the targets of phishing scams and ransomware attacks. And as schools collect more digitized data on students, school leaders have to make decisions about how to store and protect it.
MediaPro sorted participants into one of three categories, based on their survey responses—"risk," "novice," or "hero." Within education, 50 percent received a novice ranking, 32 percent a hero ranking, and 18 percent, risk. Overall, education professionals were "pretty much on par" with the workforce in other industries, said Huber.
But education professionals scored comparatively low in practices meant to ensure safe mobile computing and cloud computing—two areas that are especially relevant to schools and universities, she said.
Bring-your-own-device (BYOD) programs, in which students have the option to use their own computing devices for classwork in school, are categorized under mobile computing, said Huber. Within BYOD programs, students are constantly transmitting information over different Wi-Fi networks, both on and off campus. To keep information secure, she said, both students and educators need to be aware of what they're sharing and with whom.
In some areas, the education workforce outpaced other fields. The industry was especially adept at identifying phishing attempts, which Huber attributed to awareness of vulnerability. "Their risk area was a little bit stronger in phishing, so they responded better than most," she said.
Education employees also scored higher than average in incident reporting, said Huber. In the event of a security breach, they were more likely to know how to report a problem and to whom.
A security-focused school culture starts at the top, said Huber. "Principals, people in executive positions, are certainly well-equipped to set the right tone."