PRNEWSWIRE: Each time a major retailer, credit bureau or healthcare provider experiences a significant data breach, even the experts in cybersecurity circles wonder, “What could be worse than that?” According to the IT security experts at Logicalis US, an international IT solutions and managed services provider, there’s a simple two-word answer: Higher Education.
“There is urgency among the CIOs and CISOs of colleges and universities across the country to shore up their IT security measures very quickly,” says Adam Petrovsky, GovEd Practice Leader, Logicalis US. “Because of the sensitive nature of the information universities possess, when they are not adequately protected, it’s like they’re waving a red flag for cybercriminals saying, ‘This is the best data – come and get it.'”
The chief problem for institutions of higher learning is that they gather and store very diverse kinds of data – everything from medical information to financial and credit card data – on both students and their parents. There are also transcripts and disciplinary records, class schedules and emergency contacts. And because colleges also run bookstores, restaurants and infirmaries, they are responsible for complying with at least five major privacy-oriented regulations and industry standards, including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Children’s Online Privacy Protection Act (COPPA) and the Payment Card Industry Data Security Standard (PCI DSS), as well as a host of state-by-state data breach notification laws. In fact, experts estimate that a single incident could force a college or university to contend with as many as 100 different breach notice laws.1
Unlike enterprises, which can restrict access to sensitive or encrypted data and can often remotely wipe a lost or stolen device that had access to it, universities cannot enforce that level of control across their student bodies.
For institutions of higher learning, this presents more than an IT – or even a legal – conundrum. Since colleges and universities attract professors, students and donors on the strength of their reputation, a single breach can also affect the school’s personnel, enrollment and bottom line. Logicalis GovEd and other IT security experts agree that the industry is at a tipping point: it is no longer a question of “if” a university will be breached but of “when” – and of whether the school’s response will be adequate.
And it can happen to any school at any time. UCLA, for example, reported this year a potential breach of 30,000 student records after a hacker broke into a server containing students’ personal data. Last year, at Michigan State University, someone breached a database of approximately 400,000 records containing names, Social Security numbers, MSU identification numbers and other personal information; the university determined that 449 records had been accessed before the files were taken offline, 24 hours after the incident occurred.2 And earlier this year, when the IRS discovered a data breach involving its IRS Data Retrieval Tool – an online tool used to complete the Free Application for Federal Student Aid (FAFSA) – it revealed that as many as 100,000 taxpayers may have had their personal information compromised. In the IRS incident alone, the agency suspects that nearly 8,000 fraudulent returns were processed, resulting in a loss of approximately $30 million. A further 52,000 fraudulent or suspicious returns were flagged by IRS filters, and 14,000 illegal refund claims were stopped.3
In higher education, data breaches are estimated to cost about $300 per student record.1 But the cost to colleges and universities is much higher than the dollar amount. According to consumer studies, 94 percent of consumers believe the breached organization itself is solely to blame for the breach. As many as 62 percent of those queried said being notified of a breach would lower their trust and confidence in the college or university. And perhaps most striking, 39 percent of respondents said they would consider terminating their relationship with the school, while 15 percent said they would actually terminate their relationship with the organization entirely.1
Four Ways Colleges Can Strengthen Their Cybersecurity Programs
If breaches can’t be entirely blocked, what can IT professionals in higher education do to avoid the kind of disaster scenarios described above? The GovEd team at Logicalis US says there are four important steps that will bolster college and university cybersecurity plans.
- Conduct a Data Security Audit: Knowing what you’re trying to protect, and identifying the common ways that data could be breached, is the logical first step. An in-depth data security audit performed by an experienced cybersecurity solution provider like Logicalis digs much deeper. Auditors should inventory the types of data the college stores and where each is located (on campus or in the cloud); identify the servers, workstations, laptops and mobile devices that have access to that data; and examine the university’s existing data breach policies. Every institution of higher learning should have a fully documented security framework for data breach prevention, including a training component that keeps students, faculty and vendors up to date on current safe data-handling policies. Why? Only 35 percent of data breaches at colleges and universities were caused by hackers or malware. But 22 percent were caused by an “unintended” or accidental disclosure of private data, and 14 percent resulted from something as simple as the loss of a portable device that had access to the data.1 It is therefore crucial that anyone with access to the university’s computing systems is well informed about the school’s IT security policies.
- Adopt a Common Security Framework: A Common Security Framework (CSF) – also known as an IT security framework or an information security management system – is a critical component of any higher education security strategy. The CSF gives you a set of documented policies and procedures that act as a blueprint for your security controls. (Note that the acronym CSF is also used in narrower senses: NIST uses it for its Cybersecurity Framework, and HITRUST for its own Common Security Framework.) There are a number of reliable frameworks available – including the NIST SP 800 series, the ISO/IEC 27000 series, the CIS Controls (formerly the SANS Top 20), HITRUST and COBIT – but choosing the right one is often difficult, and an experienced partner can help. In addition to being a competitive differentiator, implementing a common security framework can give your college an improved security posture and the ability to meet specific compliance requirements.
- Re-Think User Access and Administrative Roles: Denying access to a particular class of data may make some people inside the university system uncomfortable, but it is a critical step in protecting data from loss. To determine who actually needs access to key types of data, start by classifying the data into categories and then grant access only to those with a demonstrated need (the principle of least privilege). Tighter restrictions on data access make it easier to prevent unintended disclosures such as the incident at the University of Oklahoma, in which 29,000 instances of students’ personal information – including Social Security numbers, financial aid information and grades dating back to 2002 – were accidentally exposed through the university’s document sharing system.3 In addition to re-examining who can access sensitive data, consider who really needs administrative privileges. Often, administrative access is granted to department heads or even whole groups of support staff for internal “political” reasons rather than necessity. In gray areas, an experienced third party can help clarify the access structure that best protects your data while still satisfying your users’ needs.
- Develop and Test Your Incident Response Plan: As noted earlier, the university’s reputation may depend on how its IT team responds to a data breach, which makes developing and testing an incident response plan paramount for every institution of higher learning. Since the cybersecurity community generally agrees that there is no silver bullet for preventing an attack, it is critical to have a well-rehearsed plan in place to detect and contain a breach when it occurs. First, define your incident response plan. Who is on your team? Is the plan incorporated – in writing – into your security framework documentation? When was the last time you ran an incident response drill? If it has been a while since you last updated your incident response protocols, a good place to start is the EDUCAUSE library, where you will find best practices specific to higher education. And if you don’t have an incident response plan at all, hire an IT security expert who specializes in the education market to help you develop one.