The Regulatory Burden
Educational institutions face hefty privacy and cybersecurity requirements. Their stock-and-trade is sensitive information. Everything from personal data about students and staff to research data that may include proprietary secrets or have national security concerns.
Given the number of students learning remotely and teachers and school staff working from home, educational infrastructure now extends far beyond the safe perimeters of school networks and security systems. The result is that the cyber security threat is escalating.
In addition to higher education institutions, and particularly those with significant research and development activities and academic medical centers, ransomware attacks against K-12 educational institutions are on the rise. From targeting school computer systems, threatening to leak student data or disrupting live-conferenced classroom settings, it’s imperative to protect sensitive data and the infrastructure of educational institutions.
There are a number of regulatory frameworks that can empower institutions to deal with this complexity, implement a strong data privacy and cybersecurity program and build awareness that will help improve the adoption of security best practices across the institution.
A Framework for Data Privacy Success
The following are just a few examples of the regulatory frameworks that can empower educational institutions to better manage their data and IT systems:
- All the standard privacy laws (HIPAA, GDPR) extend to the personal data of others who might be in a school’s database: faculty, staff, contractors and perhaps even parents
- Most colleges and universities either bid on government research projects or accept federal dollars for financial aid. In that case, those institutions must also meet the security standards of NIST 800-171
- Projects related to military or national security issues (say, artificial intelligence research) can also face export control restrictions where foreign nationals working with the school (a visiting professor from overseas) cannot access project data.
Manage Compliance and Risk with Confidence and Ease
To help organize their risk management, protect data and implement information security programs, institutions need an automated solution to streamline identifying, managing and monitoring their risk assessments and mitigation workflows.
ZenGRC is an IT risk Management system for educational institutions that helps prioritize the most severe risks so that compliance and risk team members know what should be done first and how to do it.
With compliance and security frameworks built-in and maintained by experts along with suggested risk and threat scores and real-time connections between control assessments and risk scoring, you get a unified, real-time view of risk and compliance and significant efficiency gains so that you can stay ahead of threats, reduce risk and strengthen compliance. The end result is better protection for valuable students, faculty and staff data and information.
Educational institutions must use multiple frameworks to address security compliance and data privacy obligations.
For example, colleges can use the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool to help map security controls to privacy rules for personal data.
Colleges can also use the Institutions of Higher Education Compliance Framework to assess and manage security related to federal financial aid.
The bottom line is that while these frameworks are extremely helpful, they can quickly get too cumbersome to manage manually. That’s where ZenGRC can help, empowering you with the guidance and automated workflows needed to:
- Assess the starting security posture of your information systems and any third parties you use
- Establish corrective steps that might be necessary and assign them to control owners
- Identify security gaps you must fill to meet regulatory requirements
- Monitor whether those fixes are on schedule
- Conduct any new risk assessments that might be necessary as new regulations emerge
Frequently Asked Questions
What are the key cybersecurity challenges for educational institutions?
In 2021, the Educause IT Issues Panel shared the key technologies expected to impact cybersecurity for higher education institutions.
- Cloud computing vendors
- Endpoint monitoring and response
- Two-factor authentication (2FA) and single sign-on (SSO)
- Data integrity technology
- Research security
- Data privacy governance
What costs are associated with cyberattacks on educational institutions?
The Ponemon Institute recently shared that the average cost of data breaches in the education sector in 2022 was $3.86 million.
These costs were primarily associated with remediation tactics and productivity lost during an outage. Last year, for example, cybercriminals targeted the Los Angeles Unified School District, the second largest in the nation, with a ransomware attack, resulting in 2,000 student assessment records being posted on the dark web which included email addresses, student ID numbers and some driver’s license numbers and Social Security numbers.
Still, some higher education institutions have been forced to pay a ransom to regain their sensitive data stolen by cyber attackers. In 2020, the University of California San Francisco paid a ransom of $1.14 million in Bitcoin to retrieve critical data related to medical research.
How can educational institutions protect sensitive data?
Educational institutions have, in recent years, made use of large databases to manage data and data and governance programs. Having all of this data aggregated in a single location made it easier to manage and secure.
However, data, intellectual property and research are no longer stored in a single, central location managed by an IT manager or CISO.
Today, user authentication, security patch management, firewalls and anti-virus software must be managed and deployed across a far more complex IT environment.
Yet, the tasks involved should still be managed from one central point to assure effective security and compliance with regulatory obligations.