Building a Security Awareness Program in the Education Sector

November 30, 2018 by Greg Belding

Introduction

There are few things as important to people's professional development as the education sector. Despite this importance, the education sector is currently the industry most victimized by ransomware attacks and among the top three industries targeted by hackers seeking data breaches. Against this backdrop, it is clear that more focus needs to be placed on building security awareness programs in the education sector.

This article will address three points: How do we begin building security awareness concepts from within education? What are three steps required in the short term to promote security awareness in education? What does the future landscape of security awareness in education look like?

How Do We Begin Building Security Awareness Concepts From Within Education?

To begin to answer this question, we first need to look at the risk level of the industry and which areas are most at risk. Some food for thought:

  • A recent database breach of a major state university revealed 287,570 records of students, staff and faculty affiliated with the university
  • According to the 2017 Verizon Enterprises Data Breach Investigations report, 26% of higher education institutions had cyber-espionage present. This figure is significantly higher than the value given to human error
  • The education sector is the industry ranked #3 in the list of those most targeted for data breaches, with only the finance and healthcare industries being targeted at a higher rate
  • Each stolen or lost data record costs educational institutions approximately $246

This glaring lack of strong information security in the education sector is compounded by the information security weakness present in education sector employees and staff. In 2017, a State of Privacy and Security Awareness survey was offered to 1,011 employees in the education sector of the United States that exposed some concerning issues. Consider this information gleaned from the results of the survey:

  • Employees in the education sector performed far worse than the general population of adults in the United States
  • Of the 1,011 employees surveyed, 76% earned a score designating them as a security risk or novice
  • Private school employees fared worse than public school employees — some as much as 8% more likely to exhibit risky behavior
  • Faculty fared worse than general staff
  • Static, annual security awareness programs do not adequately prepare employees in the education sector for real-world information security application or teachable moments that may arise
  • An important Australian study found that an employee’s intention to comply with security awareness programs is dependent upon the employee’s level of information security awareness

So, what can we say from these findings? Can we say that the education sector is full of faculty members who are more of a security risk than anything else? Sure we can, but more important is that we now know where the problems lie so we can address them.

The answer to the question of where to begin building security awareness in the education sector is wherever the problem lies: most notably, with employees of the education sector itself. Employees are the weak link in security, but we also know that annual security awareness training is a losing strategy.

Sage advice in this case is to craft security awareness programs that target the weaknesses present in education sector employees, but in a way that keeps the programs flexible and lets employees learn as they go. Event-Activated Learning (EAL) is a good method for providing flexible, teachable-moment-based information security education as the need arises. This should, of course, be just one part of the overall information security awareness program strategy implemented at an education sector institution.

What Are Three Steps Required in the Short Term to Promote Security Awareness in Education?

While some aspects of addressing the problem of information security in the education sector are long-term solutions, some solutions can definitely be implemented in the short term to remedy the situation.

Implement More Efficient Issue Notification Between Employees and IT Departments

One of the fastest and easiest ways to remedy a situation where stale and outdated security awareness training is in place is to require issue reporting to the IT department that is as close to real time as possible.

This small change will pay dividends, as it will make some of the recommendations below more feasible to implement. As shown above, most faculty members in the education sector could be described as “computer illiterate.” Reporting issues with greater frequency will not only break down this often-internalized apprehension about technology but also teach faculty members which issues to look for as they come up.

Implement Event-Activated Learning to Address Teachable Moments

A great way to address the need for a flexible security awareness program within the education sector is to use Event-Activated Learning. EAL lets an organization use information as it arises, so that it sticks in the employee’s mind well enough to be applied in practice in the workplace. Combining this approach with the teachable moments that can pop up at any time yields an approach to information security that addresses issues as they come up and helps ensure that lessons are applied where needed.

An example of this approach would be an information breach at an institution in the education sector. The breach is reported to the institution’s IT department, which then quickly assembles a short lesson illustrating the issue that occurred and how it should be handled in the future.

Create Information Security Surveys for Employees in the Education Sector

Another short-term step to promote security awareness in the education sector is to require employees to take an information security survey. This survey should be offered as soon as possible, especially to new employees, to gather appropriate information about employee security awareness. As mentioned above, when employees are more aware of information security, they are more likely to comply with information security programs.

Information security surveys in the education sector will accomplish some important goals that can quickly be put to use for the respective institution’s benefit. First, as mentioned above, the educational institution will have a much better feel for the information security aptitude of its employees. This information can be used to establish a baseline of material that needs to be taught in the institution’s next security awareness training program.

Second, this survey can be used to document that the institution is going the extra mile in meeting any applicable compliance requirements. Documenting efforts like this will look good the next time compliance auditing comes due.

Third, the survey can serve as an extra reporting channel for current employees who did not report information security issues properly when they occurred (as they should have, under the heightened IT department reporting requirement explored above). Timid employees can use the survey as a catch-all to get outstanding issues in front of the IT department so they can be properly addressed.

What Does the Future of Security Awareness in the Education Sector Look Like?

The future of security awareness in the education sector, as things stand now, does not look bright. The education sector is the most at risk for ransomware attacks and at high risk for data breaches, and its employees are in a worse spot regarding information security than the general adult population.

However, if the short-term steps listed above are implemented and then followed by long-term steps on an institution-by-institution basis, the education sector can have an information security renaissance.

Sources

  1. Education Industry Insights: State of Privacy and Security Awareness, MediaPRO
  2. Managing Cybersecurity in Higher Education, United Educators
  3. Security Awareness in Higher Education, The Edublogger
  4. Significance of Information Security Awareness in the Higher Education Sector, Hong Chan, Sameera Mubarak

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.