According to data retrieved from Privacy Rights Clearinghouse, the number of educational institution (EDU) records exposed in reported data breaches each year from 2004 to 2017 remained steady at less than 5 million records. In 2017, this number increased to 7.6 million records. However, there was a dramatic increase in 2018 when a single data breach exposed 40 million records, bringing the total number of exposed records for the year to almost 41 million.
During the same time period, the number of reported EDU data breaches fell overall: from 64 in 2004, it climbed to a high of 107 in 2007 and then dropped to 17 in both 2015 and 2018. This demonstrates that cyber-criminals have steadily gotten better at accessing greater amounts of data with fewer breaches, as is most evident in the case outlined above, when the single data breach yielded 40 million records.
Armor, a cloud security company, reports that educational institutions have been hard hit by ransomware in the first 9 months of this year. According to Armor, there were 54 successful ransomware attacks against school districts and colleges from January 1 through September 26, with 15 attacks occurring in September 2019.
Analysis of ransomware attack methods reveals that most attacks begin with phishing, spear-phishing, and social engineering. For this reason, it’s important that educational institutions train their users via awareness campaigns to help protect their networks. Awareness campaigns should include education about current and emerging cybersecurity risks and phishing emails. Training should focus on policies regarding how to maintain secure passwords and how to properly respond to suspected phishing scams.
LogMeIn, a subsidiary of LastPass Password Management company, published the results of a survey they conducted in the first half of 2018. According to LastPass, even though 91% of respondents said they understood the risks of password reuse across websites, a staggering 59% reported doing it anyway. There are several reasons for user apathy, but the main culprit seems to be fear of forgetting what their password is.
Compounding this risky user behavior, 53% of respondents said that although they were aware of the risks, they had not changed their passwords in the past 12 months or longer. This holds true even when they learn of a data breach that involved user passwords. Adding still more to their risk profile, nearly 60% engaged in these behaviors: password reuse and failure to change passwords despite a data breach.
LogMeIn explored whether there was a significant difference in how users create passwords for personal and work use. Almost half of users said they did nothing different when creating personal versus work passwords and, even worse, 62% said they reuse the same password between personal and work accounts. Only about one in five users reported creating stronger passwords for work than for personal use.
As part of their 2019 National Cybersecurity Awareness Month reporting, TechRepublic highlighted the findings of a recent survey conducted by Google. Here are some of the key numbers on Americans' cybersecurity habits:
- 37% = Percentage who use two-factor authentication (2FA)
- 34% = Percentage who change their passwords regularly
- 15% = Percentage who use password managers
- 55% = Percentage who wouldn't change passwords following a data breach
- 24% = Percentage who use extremely poor passwords such as "Password," "abc123," or "admin"
- 59% = Percentage who have incorporated a name or birthdate into their password
A further breakdown of this last percentage reveals:
- 33% = A pet's name
- 22% = Their own name
- 15% = Spouse or partner's name
- 14% = Child's name