With more colleges and universities incorporating Software-as-a-Service (SaaS) platforms to support registrars, admissions, and financial aid offices, schools are collecting more electronic student information than ever before.
Combine that with weak networks and systems, however, and the state of cybersecurity in higher education earns an F. Higher education needs to focus more effort on protecting this information from cybercriminals.
What is the state of cybersecurity in higher education?
Recent research indicates that colleges and universities rank third for data breaches. Additionally, a 2021 Education Cybersecurity Report indicated that data breaches were the main source of risk for higher education institutions.
That shouldn’t be a surprise. With more institutions putting old processes through digital transformation and more students using technology in classrooms, the data perimeter is expanding rapidly.
What are the key challenges in cybersecurity in higher education?
In 2021, the Educause IT Issues Panel spoke to a panel of 50 IT experts who listed the key technologies expected to affect cybersecurity for colleges and universities. They were:
- Cloud vendor management;
- Endpoint detection and response;
- Multi-factor authentication and single sign-on;
- Preservation of data authenticity and integrity;
- Security of research; and
- Student data privacy and governance.
Why Higher Education Struggles with Creating an Information Security Strategy
Offices within higher education, such as admissions and registrars, are not the only locations where people can access student data. Increasingly, faculty and staff use cloud-based platforms that contain personally identifiable information (PII) to send academic warnings, submit grades, and communicate with students.
Moreover, these individuals often use mobile devices or connect to the platforms remotely. So the number and location of threat vectors are increasing, giving cybercriminals more opportunities to exploit vulnerabilities.
Higher education struggles to inventory data assets, including all the devices, networks, systems, and software accessing student information. Since creating a catalog of assets is the first step to establishing a risk-based security strategy, higher education is failing even before it starts the process.
Why Higher Education Struggles with Privacy
With the large numbers of people handling student data (particularly after the increase in online learning and remote work for educators during the COVID-19 pandemic), struggles to align with student data privacy laws have never been more apparent.
For example, faculty might incorporate free services into classroom instruction, such as TED talks on YouTube. Some of those services collect information such as IP addresses; others require logins. All of this information places student data and institution data at risk.
Students may not understand how to manage their data, either. For example, students might use their school email addresses for logins across social media and the internet. If the students also use poor password hygiene, then cybercriminals can use those emails and passwords to gain unauthorized access to databases containing private information.
Why Higher Education Struggles With Securing Digital Integrations
The short answer is that schools struggle because faculty and students often use cloud platforms. As they use Google Cloud or Microsoft Azure for document sharing or for aggregating big data, they’re sending information across more services and education networks, which increases exposure to cybersecurity threats.
Different departments might also use different applications for research or other operations. Each database requires a new API that enables data sharing back and forth; all of these new vendors and applications increase the data environment’s perimeter.
And academic departments might not communicate effectively with their IT departments. Particularly at large research institutions, the number of applications can be overwhelming. Monitoring all those security issues means engaging in more “cross-campus” conversations.
Why Becoming a Data-Enabled Institution Increases the Security Risks
Every year, new data analytics tools to promote student success appear on the market. The more data institutions collect about their students, the argument goes, the greater their students’ success levels will be.
Those tools gather student data in myriad forms, including student location data and students’ interactions with other students; many times, students might not even realize they can opt out of such data collection. As successful as those tools might (or might not) be for student success, they also put student privacy at risk by collecting all that data.
The bottom line: higher education institutions need to focus on securing data as part and parcel of becoming the data-enabled institutions they want to be.
What are the costs associated with cyberattacks in higher education?
The Ponemon Institute states that the average cost of a data breach in the education sector was $3.9 million in 2020. Much of that can be attributed to lost productivity or remediation costs, but some universities have also been forced to pay a ransom to gain access to sensitive data locked up by attackers.
For example, last year the University of California San Francisco paid a $1.14 million ransom in Bitcoin to recover important medicine research data.
How can higher education institutions protect student and staff data?
Higher ed’s data management and governance programs started by using large databases. These single sources of information, aggregated in one location, were easy to manage and to keep secure.
Unfortunately, that model is not sustainable in the modern era. Too many parties (students, faculty, administrators) want easy access to academic information and often process that information on a variety of cloud-based applications.
Data, research, and intellectual property are no longer held in a single location that can be managed by a single CISO or IT manager. User access and authentication, firewalls, security patch management, and anti-malware/anti-ransomware software all need to be implemented across a complex IT landscape. The tasks involved in doing that all need to be managed from one central point, to ensure effective security and compliance with regulatory obligations.
What are some ways to help protect student data online?
A cybersecurity program in higher education must include:
- Training faculty, students, and staff on good cyber hygiene
- A documented and tested incident response plan
- Penetration testing of security measures
- Continuous monitoring for security intrusions
- Guidance from cybersecurity frameworks to remediate weaknesses in your security program, and ensure compliance with laws such as the Family Educational Rights and Privacy Act (FERPA).
How ZenGRC Enables Higher Education
To help organize their risk management and information security programs, institutions need an automated process for tracking and documenting their security reviews.
ZenGRC provides higher education compliance software that allows organizations to prioritize tasks so that everyone knows what to do and when to do it, and stakeholders can more rapidly review the “to do” lists and “completed tasks” lists.
With our workflow tagging capabilities, CISOs and other cybersecurity professionals can assign tasks to the individuals responsible for the activities involved in risk assessment, risk analysis, and risk mitigation.
Finally, with our audit trail capabilities, institutions can document remediation activities to prove that they maintained data security, integrity, and availability to protect student privacy.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.