Living Too Social in the Education Industry?

The 2018 Verizon Data Breach Investigations Report indicates that in the education industry (yes, it’s an industry), the most prevalent type of data breach is “social attacks.”  What’s a social attack?

Phishing is a social attack.  That’s when you get an email with a link or attachment that just begs to be clicked.  And clicking is the functional equivalent of leaving your front door open when you go on vacation.

A more nuanced social attack is now referred to as “pretexting.”  This is sort of like phishing, though it involves more detailed back-and-forth dialogue with the malicious actor, who often takes on a specific persona to facilitate the scheme.  As Verizon more eloquently explains, pretexting is the “creation of a false narrative to obtain information or influence behavior.”  Think impersonating executives or your Facebook friends.

In either case, you are not getting free money or easy business opportunities, and you’re not just doing what your boss told you to do. You’re getting scammed.

So, why is the education industry particularly vulnerable?  We’re not exactly sure, but the open nature of educational institutions makes it pretty easy to get a lot of information about employees.  It’s therefore potentially easier to mimic someone else’s persona or to target high value data.

Regardless of the reason, education institutions should be mindful that not all social attacks are covered by all cyber insurance policies.  I discuss this in more detail here.  Short version – lying via email to convince an employee to do something he or she shouldn’t may not technically constitute a “data breach” depending on policy language, which sometimes requires actual unauthorized access by a third party into the insured’s network.  On the flip side, your CGL policy may take the position that this is still an excluded “electronically perpetrated” event, which could leave a school or university in a difficult Catch-22 scenario.  Given the Verizon findings, education institutions should ensure that social attacks are covered either by their CGL policies or their stand-alone cyber coverage.  The coverage is widely available.