School Is Back: 4 Steps You Need to Take to Protect Sensitive Student Data

Cyberattackers are targeting educational institutions more frequently. In fact, ransomware was used to attack 966 government agencies, educational establishments, and healthcare providers in 2019 according to Emsisoft. These attacks potentially cost more than $7.5 billion. In one recent case, the University of Utah paid more than $450k to cyber scammers who used ransomware to lock up an entire department’s servers. Given the fact that educational institutions store large amounts of sensitive student data, it’s easy to see why they’re targets. The question is, what can you do to protect students’ privacy and keep your data secure from attacks, especially with remote learning now the norm in many places? Here are a few essential steps to take today.

Bring Systems Up to Date

First, admins should ensure that the solutions they’re already using are up to date. Whether you're talking about malware and antivirus (AV) software, firewalls, or even remote monitoring or management(RMM) software, it’s crucial that admins keep systems updated and patched at all times. That helps ensure that you’re limiting vulnerabilities, quickly addressing zero-day exploits, and keeping your defenses ready.

Address Security Gaps

Most admins have firewalls, AV, and other security essentials rolled out where they’re needed, but these days that is just the beginning. Cybers cammers are incredibly sophisticated, and ransomware scams can be very convincing to end users. Plus, bad actors often use social engineering ploys to gain credentials and access secure systems. You need to ask yourself, where is our institution vulnerable right now? Are our various departments getting the resources they need to stay secure? How can we learn from attacks like the one that cost the University of Utah nearly half a million?

Develop a Backup and Disaster Recovery Plan

A detailed backup and disaster recovery (BDR) plan is often overlooked by institutions—until there’s a costly data breach or ransomware event. Absent backups and a quick way to recover, an institution can lose sensitive data and suffer downtime across departments or throughout its network. Admins need to establish their recovery time objective (RTO) to address this potentiality. Your RTO determines how quickly you must recover following a downtime event. Next, you need to set a recovery point objective (RPO), which sets how much data you can stand to lose, whether that’s an hour or as little as fifteen minutes' worth of data. With these objectives, you can build a system for backing up and restoring data should ransomware or malware come their way.

Educate End Users

Sadly, even backups don’t always eliminate the cost of ransomware. When the University of Utah was struck by ransomware they were fortunate enough to have backups of their servers. The afflicted servers were isolated from the network and the university was able to restore clean backups. In total, the affected data was about .02% of the university’s overall data. Interestingly, the ransom the school paid wasn’t to unlock data affected by ransomware, but rather was a proactive measure to ensure that student information wouldn’t be released to the internet. These days, scammers don’t just lock up data. They’ll steal it and sell it later. That’s why prevention is still the best form of protection. Since most ransomware attacks enter through emails, end users may be your only line of defense if a nefarious attack gets past firewalls and spam filters. Put detailed programs in place to help educate users about various threats to address this. You might even consider testing them with simulated phishing tools like PhishingBox.

Final Thoughts

No data protection plan is complete without the essentials we’ve discussed. When there’s sensitive data available, cybercriminals will stop at nothing to get it, and educational institutions are some of the most lucrative targets out there. Since cyber-scammers are getting more sophisticated and more targeted in their approach, admins must be hypervigilant in how they safeguard student data. If you want sophisticated backup and data recovery across every department on campus, choose the solution that's right for you from StorageCraft’s complete line of data protection solutions.