Learning From Security Breaches in Higher Education
Higher education is highly prone to threats and risks that target its financial systems and student retention. The increased adoption of mobile technology promotes the proliferation of security threats in institutions of higher learning. Security breaches occur through hacking, disclosure, and the physical loss of data and of portable and stationary devices, and they affect the institutions negatively. Not only are security breaches in higher education costly, but they also tarnish the reputation of the breached institution. Many institutions of higher learning believe they are immune.
Security Breaches in Higher Education
Protecting Admission data: A multifactor authentication platform
In March 2019, hackers accessed admission information from colleges in Oberlin, Hamilton, and Grinnell. Through spear phishing, they sent out emails holding confidential information such as birthdate; they were able to entice the college affiliates to click on malicious links to reset login credentials. The attack was linked to Slate, a software system widely used by over 800 institutions of higher learning globally to manage applicants' data.
The lack of a multifactor authentication process for single-login systems exposed the software to the cyber-attack. Not only was it a hassle for the colleges to notify students whose data was breached, but the institutions' reputation was also at stake. If students are worried about the security of their non-public data, they will opt to enroll in institutions that guarantee strong cybersecurity over their data.
Importance of protecting Emails
A breach at Florida Keys Community College exposed the health and personal information of employees, including names, dates of birth, addresses, Social Security numbers, passport information, usernames, and passwords. The cyber-attack was found to have occurred between May and November 2018. The estimated loss according to the 2018 Ponemon Cost of a Data Breach Report amounted to 167 days for the mean time it took to identify the breach and seven days to contain the risks. Based on the annual averages for similar cases, the Florida Keys Community College response rate was above average for identifying and responding to the incident.
The attack on the institution's emails allowed the cybercriminals to exploit vulnerabilities found in the IP and domain configurations, server connections, and SMTP authentication controls, making it crucial for your college or university to implement proactive and preemptive cybersecurity strategies on affiliates' email addresses.
Vendor Risk management in protecting students’ records
In 2015, NolijWeb, a Software-as-a-Solution strategy implemented by Stanford Daily allowed students to access their Common Application Forms online. The system required the students to use their identification numbers as part of their records URL meaning that changing a few characters allowed third parties to access the files.
A student on campus had identified the vulnerability in the management system. Immediately after, Stanford disabled and suspended access to the application forms, which were protected by the Family Educational Rights and Privacy Act (FERPA). The regular audits on the system, which required a user to use an authenticated student login to access the site, exposed the third-party content threat.
In 2017, Stanford suffered a similar breach where an authorization error in the University-wide file-sharing system allowed any user with Andrew File System access to reach preparation files for sexual assault cases. A data breach was also found in the Graduate School of Business, where the site leaked nonpublic employee information.
In these cases, data breaches arise from permission issues inherent in third-party vendors. Vendor risk management will be necessary for your institution as it prevents loss of data should the vendor update or install new systems hoping to improve service delivery.
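The flaw described in this section, a record addressed by a student ID in the URL with no per-record permission check, is shown here next to a corrected handler and a simple audit-log check. This is an added example, not NolijWeb or Stanford code; the function names, tokens, IDs and file names are all constructed for illustration.

```python
# Constructed sample data: every ID, token and file name below is made up.
RECORDS = {
    "05551001": "common_app_05551001.pdf",
    "05551002": "common_app_05551002.pdf",
    "05551003": "common_app_05551003.pdf",
}
SESSIONS = {"tok-a": "05551001", "tok-b": "05551002"}  # session token -> logged-in student ID


class Forbidden(Exception):
    pass


def get_record_vulnerable(token, student_id):
    """The flawed pattern: a login is required, but the ID in the URL is trusted."""
    if token not in SESSIONS:
        raise Forbidden("login required")
    return RECORDS[student_id]  # no check that the record belongs to the caller


def get_record_hardened(token, student_id, audit_log):
    """Authorize per object: the requested ID must match the session's owner."""
    user = SESSIONS.get(token)
    if user is None:
        raise Forbidden("login required")
    allowed = student_id in RECORDS and student_id == user
    audit_log.append((user, student_id, "ok" if allowed else "denied"))
    if not allowed:
        # Same answer for "missing" and "not yours", so responses reveal no valid IDs.
        raise Forbidden("not found")
    return RECORDS[student_id]


def flag_id_walking(audit_log, threshold=2):
    """Return users denied on at least `threshold` distinct IDs (possible enumeration)."""
    denied = {}
    for user, student_id, outcome in audit_log:
        if outcome == "denied":
            denied.setdefault(user, set()).add(student_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)
```

The same ownership check is what to ask a vendor to demonstrate during an audit, and the denied-request log gives the institution its own signal even when the application is hosted by a third party.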
Responding to a data breach in higher education
The first step in reacting to a security breach is developing a plan to respond to any data loss. Your plan should contain the following steps:
- Identify the Risks: Colleges and universities often overlook data storage, transmission, and collection points as potential points for cyber-attacks. Hackers target these points since they can access data and use it for nefarious purposes over many years without being detected. The use of Software-as-a-Solution for new vendors or updated systems exposes data to potential hackers. In the case of Stanford, for instance, they had been using NolijWeb for their scanned documents since 2009, six years before allowing students to access the records online. Only after the process was the data hacked, evidencing that vulnerabilities occur in storage and access points. Therefore, these institutions need to focus on identifying locations where data is stored, transmitted, and collected. Even when they seek solutions from vendors, they should ensure full accountability in determining the risks.
- Secure the networks: Institutions of higher education install a variety of systems, including library domains, guest and student wireless connections, and email servers, to help in efficient service delivery. The use of mobile devices by students, staff, and guests contributes to security attacks, increasing the need for these institutions to establish controls over these networks.
- Monitoring user access and authentication: A multifactor access and authentication process ensures that the specific institution is free from attacks due to the high annual user turnover. Institutions of higher learning allow students to access information even after graduation, exposing data to potential attacks that may be created by alumni. Due diligence is required when implementing the multifactor access process. For instance, a lost smartphone or a laptop left open in the library can be an avenue for hackers to obtain information from your database. This makes it essential for learning institutions to incorporate additional controls to prevent unauthorized access.
- Monitor vendor risk: Institutions of higher learning always expect an incoming student to prove their academic proficiency. The same approach should be implemented for your vendors, who need to prove security proficiency. Vendors who store, transmit, or collect any of the institution's information should align their security procedures with your institution's risk tolerance. Moreover, service level agreements between your institution and its vendors should address acceptable controls as well as consequences for breaching data control strategies.
By learning from past examples of security breaches in higher education, you can avoid potential pitfalls that can cost you time and money. By following best practices set forth by the InfoSec community and established cybersecurity frameworks, married with an agile approach to your compliance, you can navigate emerging risks and keep your customer data safe from bad actors.