Pass or Fail? 5 Ways to Secure Higher Education
Diplomas, student loans, and data breaches? For those working in education, the latter may not be so surprising. Higher education has consistently had one of the lowest rankings in terms of handling cybersecurity issues - 58% of institutions reported at least one public breach. Of those, 51% cost upwards of $500,000. From slow system patching, to federated content, educational institutions continue to draw the attention of cybercriminals looking to exploit a shaky tech infrastructure that houses incredibly valuable information: student data. And in the event of a breach, the consequences can be severe for students - from credit score damage, to delayed or canceled student loans. So just how bad is it in higher ed, and what you can do to keep your students safe? Read on to find out.
The State of IT
In 2017, Tech Republic reported that 73% of higher education institutions took more than 3 days to patch their systems, after being notified of an attack. Meanwhile, the cost of domain name system (DNS) attacks rose by 68%, costing an average of $690,000. Some other numbers to note, courtesy of Student Clearing House's cybersecurity whitepaper:
- 91% of cyberattacks originated in a phishing email
- 66% of malware was installed via malicious email attachments
- 62% of breaches featured hacking, and 81% of those leveraged stolen or weak passports
- 51% included malware or unauthorized software
- 43% leveraged a social tool such as email
Malware and ransomware, though devastating in and of themselves, are not the only factors that ultimately translate to a weakened cybersecurity posture in schools. 41% reported budget limitations, which would go toward upgrading and managing systems. But of course, the budgetary restrictions do not stop at digital infrastructure level. 27% reported an insufficient number of trained personnel. For context, most industries have a median number of 40 security personnel, while colleges hover around 20. For those institutions, 31% stated that their current workload inhibited any new tech initiatives, such as investigating threats or implementing new security systems that successfully integrate with the existing ecosystem.
These campus IT departments are also contending with increasingly IoT-reliant and BYOD campuses. Unless properly secured, these devices can pose a considerable risk to the school's network, and are increasingly out-numbering traditional computing equipment. 71% of institutions report serious concern over the future of IoT on their campuses. Another consideration for IT in higher education, is the use of 3rd party vendors, such as transcript services. These vendors can be essential to colleges and universities, but can prove a security liability if not properly secured. Student Clearing House reported:
- 56% of respondents experienced a data breach caused by a vendor
- 57% were unable to determine if their vendor's safeguards were sufficient to prevent a breach
Pass / Fail
As mentioned above, the consequences of a data breach can be devastating on both institutions and their students. For students, there is the initial wave of changing passwords, freezing credit cards and requesting reports, establishing fraud alerts. Then, there's enrolling in identity monitoring service, potentially completing police reports and formal identity reports to the Federal Trade Commission. In the worst case scenario, long term impact on a student's credit report and student loans.
So, what steps can educational institutions take to help negate external security threats? On the vendor level, always ask:
- If they use multi-factor authentication
- How they notify parties of security incidents
- If they have an incident response plan in place
- How often they patch their servers, endpoints, and devices
On the institutional side, staff must play a central role in strengthening their school's cybersecurity posture. This is particularly true for registrars and enrollment managers, who directly oversee and impact student data, including social security numbers, birth dates, financial information, and contact information. They are, in a sense, the business owners of the most sensitive student data. As such, they must have a strong line of communication with the campus' IT staff and institutional leaders, to address cybersecurity issues, and proactively plan security initiatives. Not only will this strengthen the ties between otherwise disparate departments, this communication will help ensure high-level compliance, including the Gramm-Leach-Bliley Act protections regarding student data.
Further precautions should include:
- Formulating an incident response and risk management plans
- Implementing staff training programs, and educational opportunities
- Automating endpoint updates, and basic cyber hygiene procedures
- Installing multi-factor authentication on:
- publicly accessible servers
- administrative access to web sites
- any device that allows remote site access
- systems that store sensitive student information
- cloud services and third party solution providers
For more information about securing your educational institution, contact iCorps today.