TechGuard Blog

Why FERPA Isn’t Enough to Keep Student Data Safe

The new school year marks the end of summer, and while some schools are returning to in-person learning, the Delta variant has many sticking to virtual classrooms. Over the last year and a half, we learned that the education industry, like many others, was not prepared for a pandemic or the resulting mass transition to virtual classrooms and e-learning. Schools are typically understaffed and under-resourced, which already puts them at high risk for cybersecurity incidents. Add the stress of a pandemic and the effort of moving every student to a virtual classroom, and you have the perfect conditions for an attacker to strike.

Despite FERPA, the average cost of a data breach for the education industry is a whopping $3.79 million, according to the 2021 Ponemon Cost of a Data Breach Report. That's just a little less than the global average of $4.24 million found by the same report. These numbers should make education leaders ask the following: Do faculty and staff know the signs of a phishing email? Is there a procedure in place for ensuring no unauthorized person can gain access to sensitive areas? If not, there is a risk of experiencing a data breach, and with that come lawsuits, loss of revenue, and a damaged reputation.


What is FERPA?

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. This law gives parents rights to access their child's education records and transfers those rights to the student when he/she turns 18. FERPA protects education records including academic report cards, transcripts, class schedules, disciplinary records, and contact/family information.


The Risks of Education


Think about the atmosphere at a school or university: everyone from the groundskeeper to the higher-ups and every last student has at least one smart device on them wherever they go. Set foot on any college campus and you're sure to find access to Wi-Fi, whether through the official campus network, a guest network, or someone's personal hotspot. Not all of these devices and networks can be controlled directly and secured by the university. Though a school cannot be wholly in control of its environment, there are measures it can take to reduce the number of risks it is exposed to. With multiple vulnerabilities, how easily could a hacker steal research data or students' personal data? According to the Verizon Data Breach Investigations Report, a majority of data breaches in the education industry are caused by social engineering attacks. How easily could your employees be tricked into giving out their credentials, opening an email from an unknown sender, or clicking on an attachment?

Another factor for universities to consider is the increased attention to certain news stories about fraternity hazings, athletic scandals, or sexual crimes. Universities need to know how to publicly address these cases and accusations when they arise while staying in compliance with FERPA. It's much more cost-effective to be proactive than to clean up a breach after the fact.


Cyberattacks are Everywhere

Cyberattacks ramped up in 2020 during the pandemic, and they haven't slowed down. In fact, according to Check Point Research, "In July 2021, education/research was the sector that experienced the highest volume of attacks, with an average of 1,739 attacks per organization weekly. This was a 29% increase from the first half of 2021." Organizations can combat these threats and avoid becoming a statistic by putting proper training and cybersecurity processes in place. Security awareness training that focuses on threats facing the education sector, along with role-based training for staff, will help employees learn the signs of cyberthreats such as ransomware, phishing, malware, and more. Training is even more effective when coupled with a phishing simulator, so you can safely test the knowledge employees have gained in a controlled environment and assign courses for remediation. In addition, regular vulnerability scanning, penetration tests, and assessments of your IT security controls are vital in maintaining a proactive defense against cyberattacks.

To learn about improving your cybersecurity posture, contact the professionals at TechGuard. They will assist you in establishing the most effective plan to fit your organization.
