Across the world, the year 2016 turned out to be quite eventful for cybersecurity with multiple, major threats and breaches reported. It is the time to prevent cyber-threats lurking around India’s educational institutions.
Broadly speaking, we understand cybersecurity as the preventive techniques used to protect the integrity of networks, programs and data from attack, damage, or unauthorised access. Over the years, cybersecurity has become a massive undertaking with the growing need to protect information and systems from major cyberthreats such as cyberterrorism, cyberwarfare and cyberespionage. Furthermore, the impact of these threats on a personal level is getting more significant as we immerse ourselves in a world that depends on all things digital.
The awarenessadoption gap
Among organisations in general, there has been greater awareness about the implications of cyberthreats. However, the education sector has somewhat lagged behind industry peers in the APAC region. While studies have not concluded the presence of a direct correlation between awareness and spending, only 66 percent of educational institutions (compared to 79 percent of financial institutions, for example) spent between 5% and 15% of their IT budgets on cybersecurity. Yet, as recent attacks on institutions of higher learning indicate, data on research, enrolment and student records that sit within school campuses can be of great value.
As many as 76 percent of organisations in Asia-Pacific set aside at least 5 percent of their IT budgets towards cybersecurity this year, and about twothirds of them claim an increase in budget allocation from last year. Yet the education sector’s adoption levels, at 66 percent, have remained below average. Despite the less-than-adequate adoption levels, a whopping majority of the education sector reports a feeling of being well-protected.
Need to adopt quickly
Cybersecurity solutions, too, have become more sophisticated – with the most advanced systems integrating automation to optimise prevention. However, the adoption of these measures leaves much to be desired, and this is particularly true for the education sector. In general, adoption is predictably lower in industries and institutions that are less technologically savvy. While 73 percent of the education sector in the APAC region suffers from outmoded infrastructure, as much as 72 percent of the schools surveyed are confronted with the practice of employees downloading unauthorised documents and software. Antivirus and firewalls are no longer adequate by the new standards, yet two out of three companies rely on those methods alone. Meanwhile, two-factor authentication, anti-ransomware, and biometrics have low patronage. In spite of all the low (45 percent) adoption of sophisticated countermeasures, the confidence level among the educational institutions is as high as 86 percent. That lack of threat perception poses the kind of vulnerability that can be disastrous.
Additionally, the ageing internet infrastructure and internal threats constitute the top reasons why the education sector in Asia-Pacific is still vulnerable to cyberattacks. Budget allocation to more sophisticated cybersecurity is a prominent barrier in its adoption – only 42 percent of educational institutions are seen to have adequate allocations.
As the education sector burgeons in India, it is exposed to internal and external threats, leaving schools, colleges and research institutions vulnerable. Experimenting young minds who may take cyber risks at the cost of potential threats – unauthorized downloads are a critical example – pose a special threat. The education sector in India is digitizing itself, with technology driven education coming up as a separate high growth industry as well.
Education technology relies on broadband and optic fibre, and these compound the already existing challenge of relative naiveté among both institutions and users.
Inefficiency or insufficiency of cybersecurity measures put more at stake. The cost of a breach is substantial – arguably, higher than the risks many companies seem to take by not investing enough on cybersecurity. In India, the figure is as high as Rs.25,000 crores and is expected to rise exponentially over the next decade.
Towards a strong policy
The National Cyber Security Policy 2013 is a solid document of vision for the Indian environment. It is especially important in an environment where products and solutions for the education sector are available across international borders, transcending laws. In protecting youngsters from cyber ‘exposure,’ the document could also consider some cyberthreats as threats to national security. Some of these gaps are addressed in the National Association of Software and Services Companies (Nasscom) and Data Security Council of India (DSCI) launched by the Growing Cybersecurity Industry, Roadmap for India report of December 2016. In it, Nasscom identifies the lacuna in India’s cybersecurity policy and recommends 16 progressive policy measures, including tax breaks and cluster-funded cybersecurity ventures.
Meanwhile, the education sector finds itself in a contradiction of sorts. On one hand, its rapid growth in India parallels the growth of IT systems to support it. On the other, the nascence of its growth has placed the sector in an especially vulnerable zone. As is the case throughout the Asian region, the Indian education sector is behind its world counterparts in grasping advanced cybersecurity systems that are available at its disposal. Despite its problems, this is a sector that does not figure on top of policy priority, in preference to finance and IT. As one of the fastest-growing migrants towards technology, and given the massive potential of the emerging technologybased education practices such as massive open online courses (MOOC), the Indian education sector must educate itself on cybersecurity quickly.
By – Anil Bhasin
Regional Vice President, India and SAARC, Palo Alto Networks