Protecting Sensitive Education Data in the Cloud

Protecting cloud-stored data can be greatly enhanced if educational organizations take the following 5 steps to protect sensitive student and employee data.

As students and teachers rapidly adopted the virtual classroom to support a “learn from home” educational model in 2020, new security considerations in education have been put under the microscope. In particular, how secure is education data in the cloud?

According to the recent 2021 Cloud Data Security Report on Education, nearly a third (30%) of educational organizations store student data in the cloud, while nearly half (48%) store employee data in cloud platforms. If these educational organizations are not properly prepared, this data may be at risk of a breach. This is particularly significant if these organizations aren’t prepared to discover or address the top three security incidents impacting the education industry, phishing attacks (60%), account compromise (33%) and ransomware or other malware attacks (27%).

The truth is that most education data in the cloud isn’t adequately protected. In fact, 93% of educational organizations reported that they needed days or even weeks to discover accidental data leakage of cloud-retained data. Why so long? Educational organizations are challenged – even more so than many other industries – when it comes to IT/security staffing (53%), lack of expertise in cloud security (52%) and a plain lack of budget (49%) for cybersecurity resources and tools.

Yet, protecting cloud-stored data can be greatly enhanced, if educational organizations take the five following best practice steps to protect sensitive student and employee data alike:

1Audit User Activity.

To ensure the proper usage of data in the cloud, it’s best to have visibility into what users are accessing the data and how it’s being used. Auditing user activity and behavior will also help mitigate weaknesses and identify security gaps such as when permissions have been assigned to too many inactive users. The study has found that educational organizations that audited user activity regularly were able to detect incidents much faster than those that did not.

2Classify Data.

The survey found that 40% of educational organizations plan to deploy data classification to protect cloud data.  This is good news since educational organizations that use processes to properly classify data retained in the cloud also had shorter incident discovery rates. Technologies that can find sensitive content, such as financial data or personally identifiable information such as social security numbers, can help organizations better understand what sensitive data is stored in the cloud, so steps can be taken to better protect it.

3Employ Automation or Managed Services.

For educational institutions, lack of staff, expertise and financial resources were the top three challenges with protecting data in the cloud. To overcome all three of these issues, technologies that will automate critical routine tasks can alleviate staff burden. To further overcome the challenge of limited resources, it may be worth considering outsourcing IT tasks to a managed security service provider (MSSP).

4Be Aware of Supply Chain Vulnerabilities.

Supply chain compromises, such as the event that impacted the customers of SolarWinds, are increasingly commonplace. Supply chain attacks can present exposures to educational organizations through third parties or open source code libraries that become exposed. Ensure that third party solutions that have access to cloud data have taken all necessary security measures and perform third-party audits to assure compliance. Consider, too, limiting liability by contracting with partners to make them assume accountability in the event they experience a breach. Make sure you have extra steps for security review of any third-party or open source code you may use in your in-house projects.

5Assess Security Risk on a Periodic Basis.

To ensure adequate attention to real security risks, every educational organization should identify the potential threats and vulnerabilities and the consequences they pose. Be sure to look beyond classic consequences, such as unplanned expenses or compliance fines. Some threats have far more severe outcomes that can have a negative impact on students, teachers and staff alike. Consider risks as well as the long-term consequences of data breaches when mapping the security strategy that will best protect cloud-retained data. The threat landscape and the regulatory environment are constantly changing, so plan for periodic risk re-assessment. This can be a quarterly or semi-annual exercise, pick the schedule and stick to it.

One in five (20%) educational organizations reported that their cybersecurity spending increased following the pandemic. Yet, even as students return to the classroom and virtual learning becomes less frequent, educational data will still remain in the cloud. But protecting cloud data doesn’t have to be a risky endeavor. By taking clear steps to audit user activity, classify data and automate or outsource security management tasks, educational institutions can continue to realize cost savings in the cloud, while keeping cyberattacks at bay.