It’s no secret that data analytics are becoming a huge decision-making tool for universities, with quite positive results. One university has even used data to keep students from dropping out.
But it’s not just about the great insights it can provide. Data is also a juicy temptation for hackers.
According to NBC News, 550 universities reported some kind of data breach between 2006 and 2013. The Privacy Rights Clearinghouse reports that universities account for 17 percent of all reported data breaches, ranking second behind only the medical industry.
EDUCAUSE has ranked information security a top 10 IT issue every year since 2000; in 2016, it claimed the top spot.
In 2015, after a cyberattack originating in China, the University of Virginia said it had strengthened protection of research data and personally identifiable information (PII), even though there were no signs that either had been accessed.
“The security of [UVA community members’] information and other data stored on university systems is of the utmost importance, and our dedicated teams of professionals will remain vigilant in protecting the university’s information technology infrastructure,” executive vice president and COO Patrick D. Hogan said after the breach.
With October being National Cyber Security Awareness Month, we’ve got some tips for keeping student information safe.
Implement Technical Controls Like Authentication and Firewalls
UVA’s CISO Jason Belford says one of the most important things to consider when instituting technical controls is classifying data by sensitivity and keeping the classes apart.
“University of Virginia does it on a three-category basis, from public directory information to highly secure data like social security numbers,” says Belford. “You segment that data off so you don’t have your public data with the stuff you are trying to protect.”
Once data has been sorted by level, it needs protection. Belford suggests that universities use firewalls to segment the network and deploy an intrusion prevention system, such as the ones Juniper Networks offers.
Darren Catalano, the president and CEO of HelioCampus, a data analytics company spun out of the University of Maryland University College, says data should be protected at both the network level and the data level.
At the network level, Catalano suggests placing sensitive systems on an isolated network and monitoring for alerts that notify the IT department of any suspicious access to that network, such as a login from a foreign country.
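As an added example of the kind of alerting Catalano describes (not code from the article, HelioCampus or UVA), the script below reads firewall connection records for an isolated network and raises an alert when the source resolves to an unexpected country or cannot be resolved at all. The log format, the 10.50.0.0/16 isolated subnet, the expected-country list and the prefix-to-country table are all assumptions; the table uses the TEST-NET documentation ranges with made-up country labels in place of a real GeoIP database, and the sample log lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed prefix-to-country table standing in for a GeoIP lookup.
# TEST-NET documentation ranges are used so no real network is named;
# the country labels are assumptions for this example.
COUNTRY_BY_PREFIX = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "CN",
    "192.0.2.0/24": "DE",
}
_PREFIXES = [(ipaddress.ip_network(p), c) for p, c in COUNTRY_BY_PREFIX.items()]

# Assumed layout: the isolated network holding sensitive data is 10.50.0.0/16;
# campus-internal sources come from the RFC 1918 ranges and are outside the
# geo rule. (Membership is checked explicitly rather than via is_private,
# which also matches the TEST-NET ranges used above.)
ISOLATED_NETS = [ipaddress.ip_network("10.50.0.0/16")]
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_COUNTRIES = {"US"}

# Assumed firewall log format: one connection decision per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) action=(?P<action>ALLOW|DENY)$"
)


@dataclass
class Alert:
    ts: str
    user: str
    src: str
    country: str
    action: str
    reason: str


def country_of(ip: str) -> str:
    """Return the (constructed) country code for ip, or '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in _PREFIXES:
        if addr in net:
            return country
    return "??"


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def analyze(lines):
    """Return alerts for isolated-network access from unexpected locations.

    Denied connections are reported too: a blocked attempt from an
    unexpected country is still something the IT department wants to see.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if not _in_any(dst, ISOLATED_NETS):
            continue  # only traffic into the isolated network is in scope
        if _in_any(src, INTERNAL_NETS):
            continue  # campus-internal source: the geo rule does not apply
        country = country_of(m["src"])
        if country in EXPECTED_COUNTRIES:
            continue
        reason = ("source address not resolvable to a country" if country == "??"
                  else f"access from unexpected country {country}")
        alerts.append(Alert(m["ts"], m["user"], m["src"], country, m["action"], reason))
    return alerts


# Constructed sample log lines.
SAMPLE_LOG = [
    "2016-10-03T08:12:44Z user=advisor1 src=198.51.100.23 dst=10.50.1.10 action=ALLOW",
    "2016-10-03T08:13:02Z user=finaid2 src=10.20.3.4 dst=10.50.1.10 action=ALLOW",
    "2016-10-03T08:15:19Z user=finaid2 src=203.0.113.77 dst=10.50.1.10 action=ALLOW",
    "2016-10-03T08:16:00Z user=prof9 src=192.0.2.5 dst=10.60.0.9 action=ALLOW",
    "2016-10-03T08:17:31Z user=svc src=100.64.0.1 dst=10.50.2.2 action=DENY",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} ALERT user={a.user} src={a.src} ({a.country}) {a.action}: {a.reason}")
```

Running it on the sample produces two alerts: the finaid2 login from the "CN" range (the same account logged in from campus two minutes earlier) and the denied attempt from an address the table cannot place. Traffic to hosts outside the isolated subnet is ignored on purpose so the alert stream stays small enough for someone to actually read.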
For the data itself, both Catalano and Belford suggest that universities employ multifactor authentication when someone is logging in to a system that contains sensitive data.
“Phishing is too much of an issue these days; we shouldn’t be relying on passwords when they are so easily taken,” Belford says.
Many universities (including Virginia) have contracted with Duo, a U.S.-based access company focused on device security, for multifactor authentication. With Duo, Belford says staff members register a mobile device and download an app in order to confirm their identity on the device after logging on to a system.
“None of those things are a silver bullet,” says Belford. “But they help things work better and they raise the bar against the bad guy.”
Establish a Data Governance Policy and Enforce It
But what if there is no bad guy? A report from the Southern Regional Education Board indicates that human error is a factor in 95 percent of data security incidents.
Because universities separate data by how much protection it needs, Catalano and Belford agree that who may access each level of data, and how, should be clearly defined. In a 2015 report, EDUCAUSE identified instituting a data governance policy as a key step in safeguarding data.
“Data governance is the starting point for managing data — it is the driving factor motivating institutions to develop processes and actions regarding this shared university imperative,” the paper states.
Belford suggests that universities establish role-based privileges that determine who can see each level of data. Information like grades and class enrollment, for example, is considered moderately protected but must still be reliably available to professors and advisors, whereas access to the most sensitive PII should be very limited.
“Other than a few people in financial aid, I don’t know anybody in our university that needs social security numbers and birthdays,” says Belford.
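The following is an added example, not code from the article or from UVA, of how the three-tier classification, the role-based privileges and the multifactor requirement from the earlier section fit together in one access check. The field classification, the role names, the rule that any read at the moderate tier or above needs a verified second factor, and the student record are all assumptions made for the example; the record's values are constructed. Two decisions are deliberate: fields that have not been classified are treated as restricted, and every decision, allowed or denied, is written to an audit trail so that a user who bypasses the rules leaves a record.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    PUBLIC = 1      # directory information
    MODERATE = 2    # grades, class enrollment
    RESTRICTED = 3  # social security numbers, dates of birth


# Assumed field classification following the three-category scheme.
FIELD_TIER = {
    "name": Tier.PUBLIC, "email": Tier.PUBLIC, "major": Tier.PUBLIC,
    "grades": Tier.MODERATE, "courses": Tier.MODERATE,
    "ssn": Tier.RESTRICTED, "dob": Tier.RESTRICTED,
}

# Assumed roles and the highest tier each may read.
ROLE_MAX_TIER = {
    "directory_user": Tier.PUBLIC,
    "professor": Tier.MODERATE,
    "advisor": Tier.MODERATE,
    "financial_aid": Tier.RESTRICTED,
}

# Assumed policy: reads at MODERATE or above require a verified second factor.
MFA_REQUIRED_FROM = Tier.MODERATE


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    mfa_verified: bool = False


class AccessDenied(Exception):
    pass


def tier_of(field_name: str) -> Tier:
    # Fail closed: a field nobody classified is treated as RESTRICTED.
    return FIELD_TIER.get(field_name, Tier.RESTRICTED)


def clearance(session: Session) -> Tier:
    # Unknown roles grant nothing; a session with no roles sees public data only.
    tiers = [ROLE_MAX_TIER[r] for r in session.roles if r in ROLE_MAX_TIER]
    return max(tiers, default=Tier.PUBLIC)


def decide(session: Session, fields):
    """Return (allowed, tier_needed, reason) without touching any data."""
    needed = max((tier_of(f) for f in fields), default=Tier.PUBLIC)
    have = clearance(session)
    if needed > have:
        return False, needed, f"clearance {have.name} is below required {needed.name}"
    if needed >= MFA_REQUIRED_FROM and not session.mfa_verified:
        return False, needed, "second factor not verified for this tier"
    return True, needed, "ok"


def read_record(session: Session, record: dict, fields, audit: list) -> dict:
    """Return the requested fields or raise AccessDenied; audit every decision."""
    ok, needed, why = decide(session, fields)
    verdict = "ALLOW" if ok else "DENY"
    audit.append(f"{verdict} user={session.user} tier={needed.name} "
                 f"fields={sorted(fields)}: {why}")
    if not ok:
        raise AccessDenied(why)
    return {f: record[f] for f in fields}


# Constructed student record; the SSN is a placeholder, not a real number.
STUDENT = {
    "name": "A. Student", "email": "astudent@example.edu", "major": "History",
    "grades": {"HIST101": "A-"}, "courses": ["HIST101", "MATH110"],
    "ssn": "000-00-0000", "dob": "2000-01-01",
}

if __name__ == "__main__":
    audit = []
    finaid = Session("finaid1", frozenset({"financial_aid"}), mfa_verified=True)
    prof = Session("prof9", frozenset({"professor"}), mfa_verified=True)
    print(read_record(finaid, STUDENT, ["ssn", "dob"], audit))
    print(read_record(prof, STUDENT, ["name", "grades"], audit))
    for attempt in ((prof, ["ssn"]), (Session("prof9", frozenset({"professor"})), ["grades"])):
        try:
            read_record(attempt[0], STUDENT, attempt[1], audit)
        except AccessDenied as e:
            print("denied:", e)
    print("\n".join(audit))
```

The professor's session can read grades but not the social security number, the financial aid session can read both only once its second factor is verified, and a password-only session is refused even for the moderate tier. Because `decide` never touches the record, the same function can drive a user-interface check before any query is issued.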
Even with data governance policies in place, Belford says they will not work properly unless there are consequences for improper actions, such as a user skipping protocols to save time.
“If there is no punishment for that user, especially if they did it purposely, they are going to keep doing it or others are going to do it,” he says.
Follow the conversation around National Cyber Security Awareness Month by checking out #CyberAware on Twitter.