Colleges and universities need to continuously invest in their data security infrastructure as malicious hackers relentlessly target higher education institutions.
“If you think that only student data is the only data at risk, think again. Would-be hackers have a multitude of motivations for taking aim at the data in your institution,” said M. Dee Childs, Special Advisor at Clemson University. “These motivations are both similar to and different from corporations and hackers who are trying to get into your personal information.”
Childs addressed an audience in a session of Fierce Education’s recent online event, “Higher Education: Technology Profiles in Success.” The session, “Data Safety is Job #1: Keeping Student/University Data Secure”, looked at the reasons hackers hack, what’s at risk for institutions and what every school can do better to get their data security, privacy and compliance under control.
In the session, Childs took a data-driven approach to examining the data security issue, taking her information from the Annual IBM Cost of a Data Breach report and the annual Verizon Data Breach Investigations report.
The number one reason hackers hack is financial aid. This represents 95 percent of university data breaches. “What they’re really after isn’t financial information, but they’re interested in credentials and other personal information that will lead them to financial information,” Childs explained. For example, many universities don’t keep credit card information any longer, but hackers are interested in that. They’re also interested in student credentials and social security numbers since these are the keys that unlock the doors to getting access to bank accounts, social security payments, retirement accounts and more.
“This business of credentials is super important since they really are the keys to the kingdom,” Childs said. User names and passwords are primarily obtained through phishing, so there’s been a huge increase in phishing emails, a 65 percent increase over the previous year. “Universities in general are struggling with how to distribute emails students and faculty need to get and preventing recipients from falling for scams.”
Nation-state actors, hackers who represent the interests of foreign countries that may have a political or economic agenda, are also involved in cyberespionage, looking to steal research from universities. These attacks often occur through the removal of hard drives and photos on mobile devices.
“When they think of security, most universities think of the business of the university and the academic part of the school and not thinking about protecting raw data or research data,” she added.
Other motivations for cyber attacks are hacktivism and grudges: individuals or groups that want to further a social or political cause – like hackers protesting animal testing, for instance – or that have a real or imagined ax to grind with the institution.
The total cost of a major data breach to a university is an average of $3.8 million per incident. If their data security is not adequate and they are hacked, institutions also risk reputational losses, which may have long-lasting and far-reaching implications. Also, there’s still potential financial risk for the institution, including scams involving illegal money transfers, identity theft, tax fraud and even ransomware payments. “Many of these are not so much about the direct cost of the actual loss of the data, but the indirect cost. The university would have to notify victims, they may have to make reparations and the marketing department would need to send out emails,” Childs explained. “So there are many costs involved in a data breach, including staff time.” There are also impacts of exposure of HIPAA data and exposure of other data.
Universities can develop a framework to take better control of data security and compliance, according to Childs. She offered 10 security principles to help institutions become more data secure:
- Engage with security. Leverage existing shared governance to involve, collaborate and commit to leading practices for security and privacy.
- Create a culture of safeguarding data.
- Limit the data the institution collects, stores, archives and reproduces.
- Restrict access to sensitive data, both logically and physically. This includes research data.
- Educate the entire university community about their security responsibilities.
- Hold staff and faculty accountable for security compliance.
- Establish formal, written policies for data protection and compliance.
- Take a risk-based approach to data management.
- Use the risk-based approach to evaluate the cost of security tools, outside services, use of the cloud, cyber insurance and personnel.
- Continuously assess compliance with security principles and continue to nurture the culture of security.