The Cambridge Institute of International Education was breached in June 2016, exposing over 9,000 students and 12,000 host families. The stolen data includes personal information on the families and the students, although the full extent of the information stolen is still being identified by security experts. This one is of particular concern because a lot of private schools work with this organization.
This echoes what we have been seeing in the marketplace: private schools are becoming a huge target. Schools carry specific risks that many organizations don’t. They keep student and parent information, financial records, and medical records on file. Schools simply hold a plethora of personally identifiable information (PII). What’s worse is that schools often have limited budgets to work with on securing this information.
Here is a sampling of schools breached in the last few months.
- Nazareth Area School District - 4/8/2016
- Poway Unified School District - 5/16/2016
- Kern County Superintendent of Schools Office - 5/11/2016
- Olympia School District - 4/13/2016
- D.C. Public Schools - 2/10/2016
- Palm Beach County School District - 5/2/2016
- Pulaski County Special School District - 3/19/2016
- Maine School Systems - 3/30/2016
- Lauderdale County School System - 5/10/2016
- Escambia County School System - 4/6/2016
- Alexander School - 4/4/2016
- El Paso Independent School District - 4/15/2016
- Arlington Public Schools - 4/16/2016
- Dothan City Schools - 4/1/2016
- Charter School - 4/1/2016
- Columbia School District - 3/8/2016
- Marion County School District - 3/2/2016
- Lovejoy Elementary - 2/15/2016
- Guilford School District - 3/28/2016
- Riverdale School - 3/20/2016
This is just the list of the breaches made public! It is by no means exhaustive. There are more going on as we speak! Schools are a new front in cyber-warfare.
When looking at a typical private school layout and what is at risk, we have to break it out by department.
- Advancement Office - Parent, alumni, sponsor, and financial information
- Admissions Office - Parent, student, financial, and medical information
- Administration - Student, parent, faculty, staff, and financial information
- Business Office - Parent, student, financial, faculty, staff, and medical information
- Food Service - Financial and student information
Securing each department is nearly impossible. The IT departments in these organizations have competing demands from parents, students, faculty, and staff. Parents want restricted access and students want unrestricted access. Faculty want web access for students. They are relying more and more on the internet for content, creating massive bandwidth and network constraints, as well as opening holes in the firewall. Admissions needs to make sure parents are happy to make sure attendance demands are met… You get the point. I could go on for a while about all of the concerns but it becomes fruitless over time.
Security needs to move to the forefront of IT in education. Business offices and boards of directors need to give IT the permission to veto any request that does not meet standards for security. There has to be a line drawn in the sand before your school becomes the next one on this list.
But there is another aspect to this. IT departments in schools need access to the proper education so they know what they are even supposed to do. I was in talks recently with a school and they informed me that the policies on what to restrict on the web were in the hands of the individual heads of school. This is a very bad idea. IT needs to get the proper people involved to secure and restrict a network. This is not child's play (no pun intended). Only experts can help protect a network. You wouldn’t want the cafeteria handling the orders for next year’s textbooks. Neither should you want uneducated or unfocused individuals making decisions that affect the security of your school.