Higher education finds itself facing a threat to its financial security even larger than student retention – data breaches. As colleges and universities begin to adopt mobile technologies, they also find themselves increasingly targeted by malicious actors. Understanding the recent security breaches impacting the industry can educate institutions about information security.
Security Breaches in Higher Education
How Multifactor Authentication Protects Admissions Data
On March 7, 2019, cybercriminals accessed admissions information from three colleges – Grinnell, Hamilton, and Oberlin. After obtaining access to the information, they sent applicants emails holding the nonpublic personally identifiable information, such as birth date, hostage.
The unauthorized access traced back to Slate, a software system that many institutions of higher education use to manage applicant data. The Software-as-a-Service platform, used by over 800 colleges worldwide, transmits emails, texts, and new applications. Slate explained that the breach arose from unauthorized users accessing the colleges’ password-reset systems.
A lack of multifactor authentication for single-sign-on systems allowed the cybercriminals access to the platform.
More than merely a hassle over needing to notify students whose data may have been breached, the cyber attack could put the colleges’ student enrollment at risk. Students worried about data protection and control may choose to attend institutions of higher education who have stronger cybersecurity practices.
Why Protecting Email Matters
On February 27, 2019, Florida Keys Community College announced a data breach arising from unauthorized access to employee email that occurred between May 5, 2018, and November 5, 2018. On October 19, the college discovered suspicious activity. On January 7, 2019, the college confirmed the identities of the people whose data had been compromised. The nonpublic personally identifiable information included name, address, date of birth, Social Security number, passport information, medical information, username, and password.
According to the 2018 Ponemon Cost of a Data Breach Report, the Mean Time to Identify a breach was 197 days, and the Mean Time To Contain was 69 days. Based on the timing above, Florida Keys Community College fared better than some. It took 167 days to identify the suspicious activity and 7 days to contain.
In grading terms, Florida Keys Community College earns a C+ for identification and an A- for incident response.
However, given the information obtained from cybercriminals, students, faculty, and staff may not be comforted by this. Depending on the number of email accounts accessed, the cyber attackers could have used vulnerabilities in the domain and IP configurations, SMTP authentication controls, number of connections to servers, or a variety of other network security issues.
How Vendor Risk Management Protects Student Records
According to the Stanford Daily, a student on campus found a vulnerability in the third-party content management system, NolijWeb, that allowed Standford applicants to access their Common Application forms. In 2015, NolijWeb began offering students access to their files. However, the system used student identification numbers as part of the records’ URL, meaning that anyone could access information by changing a few characters.
Stanford immediately disabled access to the application and suspended online access to the application documents which are protected by the Family Educational Rights and Privacy Act (FERPA).
Since a user needed an authenticated student login to access the site, the regular audits gave the vendor a clean record. However, this also means neither Stanford nor NolijWeb knew how long the vulnerability existed.
However, this is not the first data breach Stanford suffered in recent years. In 2017, a permissions error in the University-wide file sharing system led any Andrew File System (AFS) users to access sexual assault case preparation files. A month later, a vulnerability in the Graduate School of Business site leaked employee information.
All of these data breaches focus on permissions issues and vulnerabilities inherent in third-party vendors.
Four Steps to Securing Higher Education Data
All of these breaches began with data storage, transmission, and collection points often overlooked in risk review processes. Colleges and universities know they handle sensitive data. However, increased use of Software-as-a-Solution enablements, whether new vendors or updated legacy systems, transform traditional data into electronic information.
Stanford, for example, had been using NolijWeb for scanned documents since 2009, 6 years before the application allowed students web access to the records. Therefore, the vulnerability may have been a part of the update process or new.
Thus, institutions of higher education need to focus more purposefully on identifying all locations that store, transmit, and collect data. Whether using a new integration or an updated legacy provider, colleges and universities need to be more engaged in the risk identification process.
Higher education incorporates a variety of networks, creating a complex architecture. Library domains, email servers, and guest wireless connections are only a few of these potentially risky networks.
As more students access data via mobile devices, which often lead to man-in-the-middle attacks, colleges and universities need to be more diligent in establishing controls over those networks to protect data.
Focus on User Access and Authentication
Unlike other industries, higher education experiences annual user turnover. Upon graduation, students should no longer be allowed access to systems, software, and networks. Although alumni often love their alma maters, graduates create access and authentication risks.
Moreover, colleges and universities need to be diligent about enforcing multifactor authentication. A lost smartphone or a laptop left open in the library can lead to unauthorized access. Therefore, whether students and faculty like it or not, higher education needs to be more diligent about protecting access by incorporating additional controls.
Monitor Vendor Risk
In the same way that colleges and universities expect incoming first years to prove academic proficiency, they also need to ensure their vendors prove security proficiency.
After identifying risk, institutions need to make sure that they assess and analyze the risk that third parties pose to information. Any SaaS provider that stores, transmits, or collects student, faculty, and staff information needs to align their security controls with the institution’s risk tolerance. Service-level agreements between the institution and its vendor need to document acceptable controls as well as a consequence for failing to maintain control effectiveness.
How ZenGRC Enables Higher Education
Institutions need an automated process for organizing their security reviews.
With ZenGRC’s task prioritization, everyone knows what to do and when to do it, ensuring efficient review the “to do” lists and “completed tasks” lists.
With our workflow tagging, CISOs can assign tasks to the individuals responsible for the activities involved in risk assessment, risk analysis, and risk mitigation.
Finally, with our audit trail capabilities, institutions can document remediation activities to prove that they maintained data confidentiality, integrity, and availability to protect student privacy.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.