The next entry in our ongoing series covering industry-specific security issues is the education sector. Whether it’s higher education or K through 12, education has its own unique set of information security challenges and risks.
As with other industries, managed service providers (MSPs) and value-added resellers (VARs) have a great opportunity to share their expertise on security threats and solutions with clients in education. But they need to have a clear understanding of what technology and security managers in the industry are trying to achieve, and the unique hurdles facing organizations in this environment.
Challenges in education
Higher education can present a particular challenge when it comes to providing information security. Few environments offer end users as much freedom as do colleges and universities in terms of which mobile devices they can use and how they use them. Bring-your-own-device (BYOD) is basically a way of life on many campuses, at least for students and faculty.
This is not necessarily a bad thing. In terms of supporting BYOD and “everything-as-a-service,” higher education might in fact be ahead of many businesses. Delivering services that users want and need via the cloud can be a proactive step toward avoiding shadow IT efforts that can lead to a number of security and management problems.
To help bolster security, IT leaders within higher ed and K-12 institutions need to deploy security tools to control access to the network, and create guidelines for device protection. But it’s also a matter of knowing who has installed the latest anti-malware software, and whether a given device poses a threat to the overall security of the institution.
This can be a tall order, but that’s where having a strong security policy and strategy can help. Unfortunately, a lot of institutions are lacking in this area.
Education at risk
According to the SANS Institute’s inaugural survey of security in institutions of higher education, there are several problems in the sector, including a lack of risk assessment practices, the existence of unclassified and unmanaged data, and understaffing and underfunding of security efforts.
The study by SANS Institute, an information security cooperative research and education organization, is based on a survey of nearly 300 higher education IT professionals who answered questions about the challenges of making their environments secure while maintaining the openness needed by faculty, staff, students and benefactors in traditional educational settings.
Of the organizations surveyed, only 45% say they have formal risk assessment and remediation policies in place. The situation is worse in smaller institutions, SANS Institute says, where only 31% have such policies. All of the survey respondents say their organizations are required to secure a variety of personally identifying information across different types of networks, with often competing privacy requirements. But only 57% classify their sensitive data and provide guidelines for safe data handling, and even fewer (55%) define appropriate owner, user and administrative roles.
Behind the curve
Staffing and budgeting for information security are major reasons why educational organizations are failing to protect confidential data, according to the survey. While 64% of the respondents think they need additional staff, 43% think they cannot pay premium rates for the skills needed. About three-quarters of those surveyed say a lack of budget is the reason they are not able to maintain or increase IT staffing.
Another study has some telling data with regard to education and security. The report, “The Global State of Information Security Survey 2015” by consulting firm PwC and CIO and CSO magazines, surveyed 9,700 business and technology executives worldwide from March to May 2014 and asked respondents to identify the number of security incidents they had detected within the past 12 months.
More than one in five (22%) of the respondents from the education/non-profit sector said they did not know, and this is substantially higher than the 10% average for survey participants from all industries. The report also asked participants to estimate the likely source of security incidents. Nearly one third of the respondents from education said “unknown,” which is way over the 18% average for all industries.
These findings from the PwC report might not indicate anything significant. But then again, they might show that many educational institutions are not as equipped as other types of businesses to monitor security incidents.
The final grade
With information security in education, it’s not just a matter of protecting data and defending against threats to prevent loss. Institutions need to be in compliance with government regulations that address security and privacy issues.
For example, portions of the Gramm-Leach-Bliley Act (GLBA) are aimed at ensuring the safeguarding and confidentiality of information, such as data related to student loans. And the Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records.
Much is at stake when it comes to information security in education. For VARs and MSPs, this is an opportunity to provide security know-how as well as effective solutions.