Weak data sharing security controls are keeping several organizations in the education sector at risk of data security incidents. Research from cybersecurity firm Netwrix revealed that the ongoing remote learning due to the COVID-19 pandemic is increasing the rate of cyberthreats.
The research, “2020 Data Risk & Security Report,” found that 82% of educational organizations don’t track data sharing. It also found that employees at more than half of companies in the education sector use cloud applications to share sensitive data outside of IT control and knowledge.
Nearly 63% of organizations do not review data access permissions regularly, and 24% of system administrators admitted to granting direct access upon user request. Around 28% of surveyed educational organizations had data outside of secure locations, which was left exposed for days (40%) or months (33%). The research stated that the majority of educational organizations had weak data security controls even before the COVID-19 pandemic.
“The data storage stage turned out to be the most challenging stage for ensuring data protection. Nearly a quarter (24%) of organizations reported they had discovered data outside of secure locations, and it took them days (43%) or weeks (23%) to discover the incident. These figures represent the highest incident rate and the slowest detection time of all the stages,” the research report stated.
Other notable findings include:
- 61% of organizations that are subject to the GDPR collect more customer data than the law permits.
- 100% of organizations that have hired a Chief Data Officer (CDO) have implemented data discovery and classification processes.
- 91% of organizations claim they store sensitive and regulated data only in secure locations, but 24% of them admitted they had discovered such data outside of designated locations in the past year.
- 54% of organizations said that they do not follow the security best practice of reviewing user access rights to data on a regular basis.
- 46% of organizations that had an unauthorized data sharing incident are subject to the GDPR. However, 38% of them are confident that employees don’t bypass IT control to share data.
- 30% of system administrators granted direct access to sensitive and regulated data based only on a user request in the past 12 months.
- 66% of CIOs don’t have cybersecurity and risk KPIs that are regularly reported to their executives.
- 82% of educational organizations don’t track data sharing at all or do it manually, and 50% of them suffered a data breach due to unauthorized data sharing last year.
- 63% of educational organizations don’t review permissions regularly, and 24% of system administrators admitted to granting direct access rights upon user request.
- 28% of respondents discovered data outside of secure locations, which is the highest number of all industries surveyed. This data was left exposed for days (40%) or months (33%).
- Only 8% of respondents have developed cybersecurity and risk KPIs to evaluate their security posture and track success.
“Organizations are investing more than ever in cybersecurity, yet data breaches and other security incidents are continuing to increase in both number and size. First, while security professionals successfully mitigate security issues at some of the six stages of data lifecycle, they often overlook other stages, leaving their organization’s content vulnerable. In addition, security professionals generally know very little about what data they have, how sensitive it is, where it is stored, and who has access to it,” the statement added.