A data breach is defined by Wikipedia as “the intentional or unintentional release of secure or private/confidential information to an untrusted environment.”
Data breaches take many different forms. Some are caused by simple accidental improper sharing and security settings that don’t result in use of the data. This can be thought of more as “data exposure”. A data breach can also be caused by a calculated, malicious act to gain information that can be used for profit. These types of attacks commonly target personally identifiable information (PII) such as social security numbers, payment card industry data (PCI) a.k.a. credit card information, and/or trade secrets.
It’s worth noting that a data breach and data loss are two different types of risk. However, a data breach can lead to data loss. This is particularly true in the perimeter-less world that most school districts now live in, due to their reliance on cloud applications for everything from learning management systems to HR and financial data storage.
In this article, we will use the term data loss prevention as a way to prevent a data breach. It can certainly be argued that these are two different types of risks that need different security approaches. It is our stance that, in today’s cybersecurity environment, a data-first approach to security is necessary.
There are three common causes of a data breach: accidental, internal criminal, and external criminal.
Accidents happen. Data breaches due to accidental or non-malicious actions are the most common data breaches. Particularly as cloud computing and BYOD drive both classroom and district employee collaboration and productivity, school districts are becoming more susceptible to accidental data breaches.
For example, we see cases where district staff accidentally set a document sharing settings to “visible to the public”. In this case, anyone could find the document and see the information it contains. When this happens, it’s usually unlikely that the document was actually accessed by outside viewers. But it’s not entirely out of the question, and it’s certainly not ideal to have documents and information floating around in the public accidentally. This is particularly true for employees that have access to documents that contain sensitive information, such as student and staff personally identifiable information and district financial and/or payment information.
Accidental data breaches can also occur when a device is lost or stolen. For example, when a staff member accidentally forgets their phone on the bus, access to information granted on that device is granted to whomever finds the device and decides to use it themselves. There have unfortunately been several cases of lost or stolen hardware being used to access sensitive information.
Data breaches that are caused by an internal “bad actor” are notoriously difficult to detect and are an increasing concern. Data breach cases involving disgruntled employees and bribery schemes make data loss prevention even more difficult for IT teams.
In many cases, these types of data breaches involve employees who are leaving the company that steal data. In one such case, a K-12 school district IT contractor stole a database containing information about 70,000 people when she found out she was fired. The files were stored in the cloud, and she was able to access the files remotely before school officials could close her account.
In another case, AT&T employees were caught taking bribes to infect the company’s network with malware. This malware was used to collect data on the company’s internal infrastructure using keylogging. The scheme also included unlocking devices and installing “rogue wireless access points” into AT&T’s network. AT&T reportedly estimates that it lost more than $5 million in revenue each year, over at least a four year period.
The moral of each of these stories is that school districts can’t be too careful when it comes to monitoring for data breaches. We tend to think of data breaches as something that only happens to financial companies, like Equifax and Capital One. And that they only come from the outside. But, insider data breaches are destructive—and are on the rise.
Data breaches from external hackers are most widely discussed and feared in the cybersecurity world. And this is with good reason. While employee negligence is the biggest cybersecurity risk, email continues to be the biggest phishing and malware threat vector.
Cybercriminals outside of your district want to gain access to your information for one reason—to make money. This can be accomplished in a number of ways, with ransomware and selling data on the dark web being the two most common.
Account takeovers (also referred to as account hijacking) are an increasing concern for district IT teams. This is because an account takeover can make an external data breach look just like authorized internal access. Account takeovers are notoriously difficult to detect and can go on for months and even years before they are detected.
As schools become more mobile and remote, detecting and remediating account takeovers is a major focus for companies of all sizes. In the good old days, students and teachers were all in the classroom and employees were all in an office, and those who traveled were required to access the network via a VPN. With the rising popularity of cloud computing, the district’s network perimeter is all but dead. New data loss prevention methods need to be used for new challenges.
Four types of data are typically targeted by cybercriminals—both internal and external. These include payment card industry (PCI) information, personally identifiable information (PII)—such as students’ social security numbers and employees’ W2s, and district financial information. The human and financial toll that students, parents, and district employees experience as the result of a data breach and identity theft can be significant.
Preventing a data breach on a day-to-day basis is difficult, and building an information security and incident response program is worth every penny. When thinking about how to prevent data loss, most people think in terms of data loss prevention tools. But data loss prevention is much bigger than software alone. From a broad view, there are six simple steps your organization can take to improve data loss prevention.