With Lingering Security Gaps, Higher Ed Student Data Breaches Remain a Concern

Here’s the good news: More higher education institutions in the U.S. have conducted information security risk assessments and have a dedicated person whose primary responsibility is information security. That said, a number of significant holes remain in information security for higher ed, recent estimates from EDUCAUSE suggest.

For example, while an estimated 85 percent of institutions require information security training for faculty and staff, less than half require the same training for students. Required training for students tends to focus more on usage policies over security and privacy policies or self-defense, according to estimates in the 2019 EDUCAUSE Information Security Almanac.

The latest almanac, released in April, also indicates some information on security improvements for higher education. About 41 percent of institutions have a committed person whose primary responsibility is information security, typically a CISO. That’s an increase of seven percentage points from the organization’s 2017 estimations. 

Other highlights from the 2019 almanac:

• Seventy-one percent of institutions track information security metrics. 
• Seventy-six percent of institutions have conducted an information security risk assessment.
• Only 25 percent of institutions have managed an information security risk assessment of cloud service or third-party providers. 

MORE FROM EDTECH: Read about ways research universities are responding to cyberespionage.

Student Data at Risk for Massive Exposure Through Breaches

The exposure of confidential or sensitive information is the most common concern for institutions (79 percent), EDUCAUSE states.

This makes sense, given that earlier this year, hackers accessed admissions databases for three colleges — Oberlin College in Ohio, Grinnell College in Iowa and Hamilton College in New York — and demanded thousands of dollars for the stolen information, according to The Wall Street Journal.

And despite requirements for institutions to use “reasonable methods” to protect student data, “hundreds of educational data breaches happen every year,” the U.S. Department of Education states.

Higher education institutions use data for myriad reasons, from traditional admissions to identifying struggling students to general operations and human resources. Higher education information security leaders should be proactive about protecting student data and other sensitive information.

Here are a few tips leaders should keep in mind:

Start with a security risk assessment. Leaders should understand the biggest risks for their particular institutions and ways to prevent breaches that might expose sensitive information or mar an institution’s reputation.

Boost mandatory training for students. The training required for faculty and staff should also be more comprehensive. In 2018, instruction most commonly focused on regulatory compliance such as the federal Family Educational Rights and Privacy Act (FERPA), EDUCAUSE says.

There should be a greater emphasis on security policies. In the breach of the three colleges’ admissions databases earlier this year, an “unauthorized party” accessed and reset staff members’ passwords, the Journal reported.

Data users should be “safe people,” says Amy O’Hara, a research professor at the Massive Data Institute at Georgetown University, in a report about postsecondary data infrastructure released in June. This means they are vetted and trained before being granted access to data systems.

Create “safe data.” Practices for safely sharing and analyzing data include restricting “what an analyst can use, what an analyst can do, the analyst’s computing environment and the analyst’s physical location,” O’Hara says.