A university was attacked by ransomware that encrypted the few servers they had. For days, they could not issue records, register students, or resume virtual classes. The payments of tuitions were suspended, the systems of inactive grades, and the emails compromised. Some students, teachers and parents did not even know what was happening, while the management team barely managed to understand what had happened; Many of them had only been informed that they had a technological interruption.
The reason? A technical gap, yes. But, above all, a chain of strategic decisions postponed for years.
The education sector usually thinks that it is not a goal for cybercriminals. “We do not handle large sums of money,” some say. “We are not government or corporation,” says others. But underestimating the attractiveness of educational institutions for attackers is a mistake that can be expensive.
Universities, colleges, private and public schools handle immense volumes of data: academic files, financial information, teachers databases, scholarships, exam results, scientific research, identities of minors. Information that, in the black market, has value. But beyond that, they operate with limited resources, decentralized structures, inherited systems and in many cases, a little mature digital culture.
What makes these institutions vulnerable is not only what they have, but how they protect it. Or rather, how they don’t protect it.
Many institutions have lived accelerated digitalization, especially after pandemic. Virtual class platforms, online payments, academic management systems, collaborative tools, digital files and databases in the cloud were incorporated. But in the rush to adapt, it was not always thought of cybersecurity. The urgent moved to the important.
And when the incident occurs, because eventually, the institutional response is usually slow, reactive and chaotic. There are no protocols. There are no responsible. There is no clarity. The systems area is called emergency (if it exists), everything “just in case” will be turned off, and the storm will pass. But it doesn’t happen. It is transformed.
The impact of a cyber attack on an educational institution goes beyond the technical. It can affect registration, academic operation, families confidence and, in some cases, the very viability of the educational model. What happens if a school loses access to the records of its students? If personal data of minors are filtered? If an admission process is interrupted in the middle of the school year? Or if a teacher loses his doctoral research for not having support?
In several countries, in addition, the filtration of sensitive data entails regulatory sanctions. And although the regulations in Latin America are still evolving, the global trend is clear: more and more controls, reports, and responsibility by those who guard the data will be required.
But beyond regulation, there is a human dimension. When we deliver our data or those of our children to an educational institution, we do it from trust. We trust that they will be protected. In which they will not fall into wrong hands. In that someone is dealing with the risk.
What if not?
It is time to stop seeing cybersecurity as a topic only technical, only institutional. This is also a personal matter. Education forms us, but also collects, processes and stores a good part of our life. Therefore, reflection is not only for rectors, administrative directors or council members. It is also for each of us: do we ever ask what data we deliver? What systems protect them? What happens if that institution suffers an attack?
Information protection is not optional. It is part of the confidence pact between an educational institution and its community.
Therefore, responsibility begins from above. Directors of educational institutions must understand that cybersecurity is not a topic “of systems” or another technological burden. It is an institutional sustainability pillar. A trusted axis. An essential component of academic, administrative and reputational continuity.
Because many times, the problem is not the lack of technology, but the same ignorance. Know who decides, who executes and who is responsible for a technological crisis. To have an integral vision and not scattered solutions.
It’s not about buying more tools, but making better decisions.
Today, educational institutions do not need to be perfect. But they do need to be prepared. No one expects an incident to never happen. What is expected and in many cases is required, is that there is a plan. Do not improvise. That is not minimized. Do not hide.
And that, when the digital transformation in the education sector is spoken, do not speak only of innovation … but also of resilience.
Cybersecurity cannot remain invisible in the classroom. It is part of the future that we say being forming.
About the author:
Correo: (email protected)
LinkedIn: https://www.linkedin.com/in/andresvelazquez/
The opinions expressed are only the responsibility of their authors and are completely independent of the position and the editorial line of Forbes Mexico.
Follow business information and today in Forbes Mexico
