Education sector sees more security incidents and longer fix times
A new report from NTT Application Security shows that last year the education sector saw 408 publicly-disclosed school incidents, including student and staff data breaches, ransomware and other malware outbreaks, phishing attacks and other social engineering scams, plus a wide variety of other incidents.
This is 18 percent more incidents than were publicly disclosed during the previous calendar year and equates to more than two incidents a day. The sector also has lower remediation rates and a higher-than-average time to fix.
Across all industries only 46 percent of critical vulnerabilities are ever fixed, which is worrying but only part of the story. Even the 46 percent of critical vulnerabilities that do get remediated take, on average, more than 200 days to fix once an organization takes action. Combined, these two factors, low remediation rates and long time to fix, are the main contributors to high breach exposure for applications.
In education, though, things look worse. The average time to fix critical and high severity vulnerabilities currently stands at 206 days, and the remediation rate for critical vulnerabilities is only 34 percent.
"The application security statistics for the Education sector indicate a hyper-focus among organizations in this sector on a handful of critical web applications and fixing a handful of critical vulnerabilities in those applications," says Setu Kulkarni, vice president, strategy at NTT. "The approach seems to be working given the otherwise stable WoE metrics that are now in fact improving. To accelerate the improvement in the Education sector's overall application security posture, organizations in the sector should expand their approach to identify their overall attack surface and put in place a systematic program that progressively covers all applications. In addition, Educational institutes should provide best-practice training to students so that they can remain safe on the internet regardless of the state of the application security of the apps they interact with on a daily basis. Finally, educational institutions should demand that the SaaS and non-SaaS products they use in a COTS manner have been through rigorous AppSec programs."
You can get the full report from the NTT site.