Education continues to be plagued by errors, social engineering and inadequately secured email credentials. With regard to incidents, DoS attacks account for over half of all incidents in Education.
382 incidents, 99 with confirmed data disclosure
Top 3 patterns: Miscellaneous Errors, Web Application Attacks, and Everything Else represent 80% of breaches
External (57%), Internal (45%), Multiple parties (2%) (breaches)
Financial (80%), Espionage (11%), Fun (4%), Grudge (2%), Ideology (2%) (breaches)
Personal (55%), Credentials (53%) and Internal (35%) (breaches)
It’s in the syllabus
Anticipating the top pattern for Education each year is a bit like playing the "which shell is it under?" game. You know it’s (most likely) under one of three shells, but when you finally point to one, the data proves you wrong with a deft statistical sleight of hand. There were three patterns in a statistical dead heat, and like the Netherlands’ women speed skaters in the 3000m, it was a dominant podium sweep. Miscellaneous Errors (35%) had a strong showing, because (spoiler alert) people still have their moments. Most of these errors are of the typical misdelivery and publishing error types that we have all come to know and love.
Web Application Attacks accounted for roughly one quarter of breaches in the Education vertical. This is mostly due to the frequent compromise of cloud-based mail services via phishing links to phony login pages. So, if you use such a service 24/7/...365 you might want to consider tightening up your password security, implementing a second authentication factor, and then turning off IMAP.
Everything Else, as previously stated, is more or less the pattern equivalent of a "lost and found" bin. It contains numerous incident types we frequently encounter but that do not provide enough granularity for us to place in one of the other patterns. For example, there are compromised mail servers, but it was undetermined if stolen web credentials were the point of entry. About half or more of these breaches could be attributed to social engineering attacks via phishing.
When known, the motivation is primarily financial, and is carried out mostly by organized criminal groups. There was a smattering of state-affiliated or cyber-espionage cases in this year’s data set, a reduction from the 2017 report as shown in Figure 49. This finding should not convince our readers that attacks seeking research findings and other espionage-related goals have gone the way of Home Economics in this vertical, but is instead more related to the number and type of incidents provided by our partners.
Things to consider
Clean out your lockers
Many of the breaches that are represented in this industry are a result of poor security hygiene and a lack of attention to detail. Clean up human error to the best extent possible – then establish a baseline level of security around internet-facing assets like web servers. And in 2019, 2FA on those servers is baseline security.
Varsity or JV?
Universities that partner with private Silicon Valley companies, run policy institutes or research centers are probably more likely to be a target of cyber-espionage than secondary school districts. Understand what data you have and the type of adversary who historically seeks it. Your institution of learning may not be researching bleeding-edge tech, but you have PII on students and faculty at the very least.
There are threats that (no matter how individualized one may feel) everyone still has to contend with. Phishing and general email security, Ransomware, and DoS are all potential issues that should be threat modeled and addressed. These topics may not seem new, but we still have not learned our lesson.