Post on 29-May-2020


INDUSTRY INSIGHTS: EDUCATION
STATE OF PRIVACY AND SECURITY AWARENESS
MediaPRO

The education sector is now the number one industry victimized by ransomware attacks.[1] Some attacks have involved holding student and staff data for ransom, a situation that in 2017 the U.S. Department of Education warned was becoming common even at the K-12 education level. In other cases, hackers aimed to steal university research. In 2017, cyber-espionage was present in 26% of breaches of higher education organizations, according to the 2017 Verizon Enterprises Data Breach Investigations Report (DBIR).

Though cybercrime may grab more headlines, a nearly equal percentage of breaches was caused by simple mistakes made by someone inside the university: human error accounted for 22% of 2017’s breaches in the education sector, according to the DBIR.

As schools and universities are increasingly targeted by cybercriminals, educational organizations face a unique challenge in that their user population is constantly shifting and has varying degrees of technical proficiency. Can the base principle of a free and open exchange of information be wrangled into better security and privacy awareness education for this at-risk population?

EDUCATION INDUSTRY AT A GLANCE

Using the same survey that formed the basis of our 2017 State of Privacy and Security Awareness report, we gauged the privacy and security awareness of employees in the education field. We surveyed 1,011 U.S.-based employees in the education sector and compared these results against the broader sample of employed adults in our larger report.

Overall, 76% of education sector employees surveyed SCORED “RISK” OR “NOVICE”, due to showing a lack of preparedness when handling the common privacy and security threat scenarios presented in the survey. Compare this to the results of employees sampled across all industries from the same data set: 70%.

5 KEY FINDINGS FROM THE SURVEY

EDUCATION SECTOR EMPLOYEES PERFORMED WORSE in all eight threat vector categories, when compared to the general population of employed adults.

FACULTY PERFORMED WORSE in most categories when compared to general staff, with the exception of identifying phishing attempts.

PRIVATE SCHOOL EMPLOYEES performed worse in each of our eight threat vector categories, compared to public school employees. They were up to 8% more likely to exhibit risky behavior in some categories, such as incidents involving physical security and social media.

Only 24% of education employees surveyed SCORED IN THE “HERO” CATEGORY, meaning they showed a strong understanding of security and privacy best practices.

36% of employees in education surveyed SCORED IN THE “RISK” CATEGORY, meaning their actions could put their organizations at serious threat of a privacy or security incident.

EDUCATION RISK PROFILES

PROFILE   SURVEY SCORE RANGE   PERCENT RANGE    SHARE OF EDUCATION EMPLOYEES
RISK      0 - 23               0% - 74.2%       36%
NOVICE    24 - 28              77.4% - 90.3%    40%
HERO      29 - 31              93.5% - 100%     24%

RISK: These individuals put their organizations at serious risk for a privacy or security incident. Such incidents can mean big trouble for an organization, including loss of consumer trust, financial and reputation damages, and more.

NOVICE: Novices have a good understanding of the basics, but could stand to learn more. They should remember that even one wrong decision or mistake can lead to a security and/or privacy incident.

HERO: These individuals know their stuff, including how to identify and properly dispose of personal information, recognize phishing attempts and malware, and keep information safe while working remotely.

THREAT VECTORS

The numbers below represent the percentage of respondents who chose incorrect answers or risky behaviors in each of the eight threat vectors, compared to the general population surveyed in our 2017 State of Privacy and Security Awareness Report:

THREAT VECTOR                       EDUCATION SECTOR   GENERAL POPULATION
Incident reporting                  23%                19%
Identifying personal information    20%                19%
Physical security                   31%                24%
Identifying phishing attempts       17%                8%
Identifying malware warning signs   23%                12%
Working remotely                    24%                19%
Cloud computing                     18%                11%
Acceptable use of social media      30%                20%

INCIDENT REPORTING
Sometimes it can be scary to raise your hand in class. Maybe that’s why education sector employees were less likely to report a variety of potential security or privacy incidents, including unsecured personnel files and potentially malware-infected computers.

IDENTIFYING PERSONAL INFORMATION
20% of respondents failed to recognize some examples of personally identifiable information, or PII.

PHYSICAL SECURITY
31% of respondents reported they would take unnecessary risks in scenarios related to allowing others access to school buildings. Private school employees were 7% more likely to maintain physical security than their public school counterparts.

IDENTIFYING PHISHING ATTEMPTS
Overall, 17% of employees identified phishing attacks as legitimate emails. This includes phishy links to fake stock advice, a congratulatory email from Craigsl1st about winning a new iPhone, and an email with a phishy attachment.

IDENTIFYING MALWARE WARNING SIGNS
23% of respondents failed to recognize a variety of common signs of malware-infected computers. Specifically, 31% of employees failed to recognize that a sluggish computer may indicate malware, perhaps because this may be the status quo in underfunded school environments with outdated technology.

WORKING REMOTELY
Almost a quarter of employees (24%) chose risky options when asked about mobile computing or working remotely, such as accessing work-related documents from an unsecured Wi-Fi hotspot.

CLOUD COMPUTING
Overall, 18% of respondents chose risky actions when presented with scenarios involving storing company data or files on personal cloud-based storage or sending work documents via personal email. Private school employees were 5% more likely than public school employees to choose risky behaviors in this area.

ACCEPTABLE USE OF SOCIAL MEDIA
30% of employees said they’d take potentially risky actions related to their company on social media. Respondents seemed especially unsure about rebutting a blog post written by local journalists highlighting the pros and cons of working at their organization, with 41% finding it an acceptable behavior (it isn’t).

CONCLUSION

Just as each student number represents a living, breathing person, the numbers here also represent actual humans who can present a real risk when it comes to protecting your organization’s data in these eight common areas.

Educators also know better than most that holistic learning models with regular reinforcement of key principles are the only way to get long-lasting results when it comes to learning new material. Once-a-year training does not prepare employees for pop quizzes on what constitutes a legitimate ask for information, what makes an email phishy, and when to raise the red flag around security or privacy incidents. Only a fully formed awareness program will allow your organization to create a risk-aware culture that is ready for daily real-world “quizzes” on these essential topics.

But first, you need to gauge your organization’s state of risk. After all, you can’t lower your risk if you don’t know where to start! MediaPRO’s Behavioral Risk Assessment tool, based on the survey we distributed for this report, is designed to be easily deployed to your employee population so that you can address your organization’s unique risks when building a comprehensive awareness program.

[1] According to a 2016 report by BitSight, cited in the DarkReading article https://www.darkreading.com/attacks-breaches/education-now-suffers-the-most-ransomware-attacks-/d/d-id/1326960?