Navigating email security within the complexity of higher education

A review of email encryption, data loss prevention and how they protect your institution and your reputation.


As long as sensitive information and the Internet are around, it seems that cybercriminals and hackers are never going to stop finding new targets. And unfortunately for the IT managers and administrators of higher education institutions, cybercriminals have begun to set their sights on universities.

In recent months, the University of Chicago, Auburn University and UC Berkeley have all reported data breaches exposing the information of thousands of current and former students, employees and administrators.

So, what makes colleges and universities so desirable to hackers?

The vast amount of information managed by higher education makes it unlike any other industry. Universities house personal data collected from staff and from prospective, current and former students; financial information provided for tuition payments, aid and donations; and the protected health information (PHI) recorded at medical and mental health clinics. But unlike the “traditional” hacking targets, universities also hold proprietary data and intellectual property developed through research, which can be exploited as well.

This mixture of information creates a treasure trove of data, and IT departments have the seemingly insurmountable challenge of securing it all without impeding daily work and communication.

Protecting the most used communication tool

Despite the popularity of social media and instant messaging, email persists as the top communication tool for universities and businesses alike. The flow of information in a university ranges from sharing research among professors, financial aid discussions between the Bursar’s Office and students, and funding conversations between administrators and department heads.

To protect your institution from email data breaches, it’s critical to classify sensitive messages into three key email groups.


1. Sensitive email secured at rest and in transit

2. Sensitive email secured in transit only

3. Sensitive email not to be exchanged outside your organization

By managing email in this manner, your institution will invoke the appropriate security — encryption or data loss prevention (DLP) — to safely enable or prevent the exchange of sensitive information.

At rest and in transit

End-to-end encryption safeguards email so that unauthorized individuals within and outside the institution’s network are unable to read the message and any attachments. When email needs to be protected, the sender uses an encryption key to secure the message. In order to view the message and its attachments, the recipient needs a decryption key to open it. No matter if the email is stored in the outbox or inbox, it is always encrypted and always unreadable to unwanted eyes.

This level of security is appropriate for proprietary content, such as research, sensitive student and staff personal data or board communication. It prevents curious students and staff from viewing emails that are not relevant to their role and malicious individuals from gaining access to information that is valuable to the outside market.

End-to-end encryption also offers another layer of protection against malicious actors outside your institution, including advanced persistent threats (APTs).

Even with the greatest investment in network security and the most attentive IT department, no security barrier is 100 percent foolproof against hackers attempting to gain access to the institution’s network. Without such a guarantee, institutions can use end-to-end encryption — as part of the larger IT security arsenal — to prevent outside, unauthorized individuals from stealing sensitive content transferred via email even if they break through network security.

With security a high priority, using end-to-end encryption for all emails may be tempting, but its drawbacks point to another encryption method.

In transit only

The beauty of email is its functionality and ease of use. The exchange of messages and files with staff, students, donors, government organizations and partner organizations is seamless. Forcing senders and recipients to manage keys to encrypt and decrypt every message removes that convenience, and widespread adoption of email encryption becomes too cumbersome to succeed.

In using encryption in transit, your institution can take advantage of innovative solutions that not only secure email if it’s intercepted over the public Internet, but do so without requiring any extra steps from senders or recipients. Encryption and decryption happen automatically, keeping the daily work of higher education flowing and allowing your institution to protect email as it travels outside your network.

Encryption in transit also assists aspects of higher education that require regulatory compliance. For departments that collect PHI or financial data, encryption in transit addresses the requirements outlined in the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). It also assists compliance with data privacy laws in several states, such as California, Nevada, Texas and Washington. Even if your institution does not operate in a state that has passed privacy legislation, it may be obligated to comply with a state law simply for collecting personal data from a student who resides in a state such as Massachusetts. Encryption in transit helps your institution comply without adding a burden.

Another benefit of encryption in transit is the convenience of maintaining security. While the largest breaches at the University of Maryland, North Dakota University and Butler University did not involve email, the vulnerability exploited in those breaches was the result of missed security patches. With all the responsibilities that IT departments hold, it’s difficult for patches to be completed in a timely fashion. Unlike end-to-end encryption, which requires installation and maintenance on each desktop, solutions for encryption in transit are installed on the network and can offer automatic maintenance through a convenient software-as-a-service model.


Not to be exchanged outside your network

Email encryption can be used to protect sensitive data at rest and in transmission. But what if email shouldn’t be sent in the first place? Even if you exhaust your training options, mistakes are going to happen, because no one is perfect.

However, by employing a data loss prevention (DLP) solution, you can identify and minimize that risk and, more importantly, protect your institution from associated costs such as fraud protection, regulatory fines and potential civil lawsuits.

In the past, DLP has been known for its costly, long implementation timelines. By focusing on the most used communication tool — email — and using a single application solution, IT can decrease the cost dramatically, reduce the deployment timeline from months to hours and roll out security with minimal impact on IT staff.

A DLP solution scans all outbound email before it leaves your institution’s network, using standard policy filters (such as HIPAA content or Social Security number detection) or custom policy filters. If a policy is triggered, the email is sent to a quarantine system, where IT or the user’s manager can release the email or notify the user that it cannot be exchanged.
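As an added example (not code from the original article or from any vendor product), the following Python check sorts an outbound message into the three groups described above and returns the disposition the article pairs with each: quarantine for group 3, end-to-end encryption for group 1, and enforced protection in transit for group 2. The institution domain, the PHI keyword list and the subject tags are assumed placeholders, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.edu"   # assumed institution domain (placeholder)

# Policy filters. The SSN pattern rejects area 000/666/9xx, group 00 and serial
# 0000, which is the usual shape of a "Social Security number" DLP filter.
SSN_RE = re.compile(r"\b(?!000|666|9)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PHI_TERMS = ("diagnosis", "patient", "prescription", "medical record")  # assumed HIPAA keyword filter
RESTRICTED_TAGS = ("[research]", "[board]")   # assumed subject tags for proprietary content

def text_of(msg):
    """Collect subject plus every text/plain part; binary attachments are not inspected here."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = [msg.get("Subject", "")]
    for part in parts:
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_payload(decode=True).decode("utf-8", errors="replace"))
    return "\n".join(chunks)

def classify(raw):
    """Map a raw outbound RFC 822 message to one of the article's three groups.

    Returns (group, action): ("3", "quarantine"), ("1", "end-to-end"),
    ("2", "tls-required"), or ("0", "deliver") for unremarkable mail.
    """
    msg = message_from_string(raw)
    addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = any(not a.endswith("@" + INTERNAL_DOMAIN) for a in addrs)
    text = text_of(msg)
    subject = msg.get("Subject", "").lower()
    # Group 3: SSNs must not leave the network at all, so hold for IT/manager review.
    if external and SSN_RE.search(text):
        return ("3", "quarantine")
    # Group 1: proprietary content or personal data stays encrypted at rest and in transit.
    if any(tag in subject for tag in RESTRICTED_TAGS) or SSN_RE.search(text):
        return ("1", "end-to-end")
    # Group 2: PHI leaving the network needs protection in transit (for example enforced TLS).
    if external and any(term in text.lower() for term in PHI_TERMS):
        return ("2", "tls-required")
    return ("0", "deliver")

# Constructed sample message (not real data).
SAMPLE = (
    "From: bursar@example.edu\r\n"
    "To: Parent <parent@mailhost.invalid>\r\n"
    "Subject: Tuition account\r\n"
    "\r\n"
    "Please confirm the account for SSN 123-45-6789 before Friday.\r\n"
)

if __name__ == "__main__":
    print(classify(SAMPLE))  # ('3', 'quarantine')
```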

Balancing needs with different security

Given how much we find ourselves clicking the “Send” button, preventing email breaches can seem daunting, but institutions can mitigate the risk by leveraging both encryption and DLP — on top of adequate IT training and a well-rounded arsenal of security solutions, of course.

By categorizing the type of email being sent and using the appropriate security, you can proactively secure varying sensitive information and implement the right protection without unnecessary interference for your institution.

Nigel Johnson is an IT Security and Encryption Industry executive at Zix Corporation.