The Cambridge Institute of International Education was breached in June 2016, exposing over 9,000 students and 12,000 host families. The stolen data includes personal information on the families and the students, although the full extent of the information stolen is still being identified by security experts. This breach is of particular concern because a lot of private schools work with this organization.
This echoes what we have been seeing in the marketplace: private schools are becoming a huge target. Schools carry specific risks that many organizations don’t. They have student and parent information on file, along with financial records and medical records. Schools simply hold a plethora of personally identifiable information (PII). What’s worse is that schools often have limited budgets for securing this information.
Here is a sampling of schools breached in the last few months:
Nazareth Area School District - 4/8/2016
Poway Unified School District - 5/16/2016
Kern County Superintendent of Schools Office - 5/11/2016
Olympia School District - 4/13/2016
D.C. Public Schools - 2/10/2016
Palm Beach County School District - 5/2/2016
Pulaski County Special School District - 3/19/2016
Maine School Systems - 3/30/2016
Lauderdale County School System - 5/10/2016
Escambia County School System - 4/6/2016
Alexander School - 4/4/2016
El Paso Independent School District - 4/15/2016
Arlington Public Schools - 4/16/2016
Dothan City Schools - 4/1/2016
Charter School - 4/1/2016
Columbia School District - 3/8/2016
Marion County School District - 3/2/2016
Lovejoy Elementary - 2/15/2016
Guilford School District - 3/28/2016
Riverdale School - 3/20/2016
This is just the list of breaches made public! It is by no means complete. There are more going on as we speak! Schools are a new front in cyber-warfare.
When looking at a typical private school layout and what is at risk, we have to break it out by department.
Advancement Office - Parent, alumni, sponsor, and financial information
Admissions Office - Parent, student, financial, and medical information
Administration - Student, parent, faculty, staff, and financial information
Business Office - Parent, student, financial, faculty, staff, and medical information
Food Service - Financial and student information
Securing each department is nearly impossible. The IT departments in these organizations have competing demands from parents, students, faculty, and staff. Parents want restricted access and students want unrestricted access. Faculty want web access for students. They are increasingly relying on the internet for content, creating massive bandwidth and network constraints, as well as opening holes in the firewall. Admissions needs to keep parents happy to make sure attendance demands are met… You get the point. I could go on for a while about all of the concerns, but it becomes fruitless over time.
Security needs to be at the forefront of IT in education. Business offices and boards of directors need to give IT the authority to veto any request that does not meet security standards. A line has to be drawn in the sand before your school becomes the next one on this list.
But there is another aspect to this. IT departments in schools need access to the proper education so they know what they are supposed to do. I was in talks recently with a school and they informed me that the policies on what to restrict on the web were in the hands of the individual heads of school. This is a very bad idea. IT needs to get the proper people involved to secure and restrict a network. This is not child's play (no pun intended). Only experts can help protect a network. You wouldn’t want the cafeteria handling the orders for next year’s textbooks. Neither should you want uneducated or unfocused individuals making decisions that affect the security of your school.