Data-rich environments are very attractive to malicious parties. Steps must be taken to secure this sensitive information to avoid costly disruptions.
The education sector has a wealth of highly sensitive information traveling through its IT systems, largely related to students, faculty and other staff members. For example, a university will collect, store and use medical, financial, personal and educational data – and the same can be said for all levels of educational institutions.
The huge benefits of accessing and stealing this PII are enough to incite threat actors to attack schools: they can monetize all this information while causing as much disruption as possible, which, unfortunately, are threat actors' two favorite activities.
Over the course of this year, we’ve seen hackers successfully attack and disrupt schools and colleges of all sizes and levels of prestige. A recent report revealed that there have been more than 400 cyberattacks on US public schools, and recently, for example, Howard University had to temporarily close following a ransomware attack.
Decision makers – from IT managers to boards of directors – oversee and control these data-rich environments, so they need to take the right steps to prevent such accidents and incidents. To do this effectively, they need to strengthen the overall security awareness culture on campus, especially with regard to data security and data privacy.
Only the top of an organization (educational or otherwise) can initiate a strong data security culture. Opening the dialogue to frank discussions about security mandates and privacy policies reinforces the message of good cybersecurity hygiene throughout the institution to both staff and students. If school leaders don’t take it seriously, why should students or staff? The truth is they won’t.
Getting security in place
Unfortunately, we are well aware that every year there are breaches of schools and universities where cybercriminals target the crown jewels: all that personal, highly sensitive data. But as more of these institutions adopt better technology and software, it becomes increasingly important to strike a balance between security and privacy. Of course, educational institutions are not exempt from data privacy laws like CCPA and GDPR, so it is their duty to effectively secure, protect and keep sensitive data private.
Implementing the right tools to meet this requirement should be the starting point. Methods such as tokenization replace sensitive data elements with representative tokens, so even if the data falls into the wrong hands, the sensitive information is undecipherable and cannot be used by hackers. This data-centric method of protection (meaning it protects the data, not the supporting infrastructure around the data) also preserves the original format, so it’s quite “friendly” to the business applications that the administration implements on campus.
To better understand where your institution fits on the privacy security scale, conduct an audit to identify current approaches and tools, while also honestly assessing the strength of your data security culture. More importantly, identify how the institution protects data, where it stores it, and what layers are in place to protect it. The focus should always start with protecting sensitive data as it enters the campus data ecosystem, while not ignoring the infrastructure surrounding data.
In terms of who should have access to what information, only those who have an absolutely critical need should have access to it, and this access should be challenged every time. With data-centric security in place, even those who access the data won’t be able to see the most sensitive data elements (think a tokenized Social Security number), while still being able to perform any task.
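The tokenization and access model described above, as an added Python example that is not from the author or any product: a vault swaps a Social Security number for a random token of the same format, and every request for the original value is checked against a role and logged. The class, the role name and the sample record are assumptions made for illustration.

```python
import re
import secrets

SSN_FORMAT = re.compile(r"^\d{3}-\d{2}-\d{4}$")
DETOKENIZE_ROLES = {"financial_aid_officer"}  # assumed role name


class TokenVault:
    """In-memory stand-in for a hardened, access-controlled token vault."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}
        self.audit_log = []

    def tokenize(self, ssn):
        if not SSN_FORMAT.match(ssn):
            raise ValueError("not an SSN-shaped value")
        if ssn in self._by_value:  # same input, same token, so joins still work
            return self._by_value[ssn]
        while True:
            # Random digit in place of each digit; separators are kept.
            token = "".join(
                secrets.choice("0123456789") if ch.isdigit() else ch for ch in ssn
            )
            if token != ssn and token not in self._by_token:
                break
        self._by_token[token] = ssn
        self._by_value[ssn] = token
        return token

    def detokenize(self, token, user, role):
        allowed = role in DETOKENIZE_ROLES
        self.audit_log.append((user, role, token, allowed))  # every request is recorded
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not detokenize")
        return self._by_token[token]


def protect_record(vault, record):
    """Return a copy of the record with the SSN replaced by its token."""
    return {**record, "ssn": vault.tokenize(record["ssn"])}


# Constructed sample record, not real data.
SAMPLE = {"student_id": "S-1001", "name": "Example Student", "ssn": "123-45-6789"}
```

Because the token still matches the SSN pattern, campus applications that validate or index that field keep working on the stored record, while only the vault can map it back.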
With so many millions of students around the world returning to start a new school year, it is time for industry leaders and decision makers to take the necessary steps to develop a healthy safety culture, starting with themselves and the institutions they operate. If they don't, they will not only be completely negligent (and miss out on a huge educational opportunity for their students), but this oversight will ultimately lead to a completely avoidable cybersecurity incident. No administrator wants to attend a live workshop on data breach mitigation!
Trevor J. Morgan is responsible for product management at comforte AG, where he focuses on developing and marketing enterprise data protection solutions. He has spent most of his career working in technology organizations that market software, hardware and services for enterprise and government customers. Trevor has held senior-level leadership roles in sales engineering, product management, software architecture and product marketing at companies such as Cisco, Capital One and Ciena. He has a Ph.D. from Texas Tech University and a bachelor’s and master’s degree from Baylor University.