5 ways to help campus users combat common data breaches


How IT can help guide users away from costly data breaches while maintaining productivity and access.

Security breaches grab headlines and fill TV airtime, especially when they affect big-name retail, healthcare and financial brands. Higher education institutions are no exception, but thankfully, there are steps and best practices that their IT staff can take to mitigate security risks while allowing students and faculty to thrive and be productive.

Large quantities of student and faculty information, complicated information systems, and distributed environments spread across departments make higher education institutions just as much at risk for security breaches as large corporations.

According to a 2015 study by the Ponemon Institute, the average total cost of a data breach is $3.79 million; for education institutions the average cost per lost or stolen record can be upwards of $300. With this staggering figure, even a small breach is a worst-case scenario for university presidents and department IT staff. Several higher education institution breaches have recently taken place, including Washington State University, Southern New Hampshire University and Arkansas State University.

The possibility of hacks such as these can be intimidating, but higher education institutions shouldn’t despair. By understanding the most common types of data breaches and the kinds of institutions that are most vulnerable to each, IT staff at higher education institutions can strike the right balance between user autonomy and smart IT controls, and protect students and faculty.

The first step in implementing a successful IT security management strategy is recognizing that breaches come in all shapes and sizes, but can largely be categorized into three types: 1) malicious or criminal attacks, 2) system glitches and 3) human error.

The Ponemon study shows malicious attacks account for 47 percent of all breaches. Less prevalent are system glitches and human error, but these can be just as dangerous given that they often go unnoticed for a lengthy period of time. In fact, the same study shows that it takes an average of 158 days to identify a data breach caused by human error. Such delays can allow the problem to fester, opening up more devices and data to unsafe practices.

All universities are subject to breaches, but doctoral and master’s institutions are most susceptible, likely because they hold vast records and desirable research data. The numbers support this: According to a Postal Regulatory Commission (PRC) report, 63 percent of breaches occur at doctoral institutions, and 21 percent occur at master’s institutions.

So, how do data breaches “enroll” at universities? Within the three main types of data breaches are five unique subsets that especially harm university systems and can provide a path to vulnerabilities and attacks. These include:

1. Malware and viruses

Malware and viruses enter a higher educational institution’s system with malicious intent or by accident. Once in the system, they go to work deleting files and stealing passwords, bank accounts and other sensitive information.

2. Unsafe software and apps

Unsafe software and apps that are downloaded onto systems or devices open the floodgates for personal information to be shared with the world or cause hardware to completely shut down.

3. Personal services downloads

Most, if not all, faculty and staff at colleges and universities utilize personal email accounts and services such as Dropbox on their devices. While Dropbox itself is not a harmful service, when personal services are downloaded and used outside of a college or university’s scope, these seemingly safe services can be a vessel for data breaches.

4. Unsafe network practices

With today’s mobile workforce, it’s very common for faculty and staff to connect to their college or university network from home or a coffee shop. If users aren’t utilizing a secure virtual private network (VPN), they can inadvertently leave the network vulnerable to attack.

5. Unencrypted devices

Faculty and staff aren’t immune to mistakes and can forget their device or a USB stick on or off campus. When devices are lost or stolen, they become prime targets for data breaches.

In the face of these vulnerabilities, it’s tempting for IT to respond by simply locking down access and restricting unknown software. However, the catch-22 is that when IT is too restrictive, faculty and staff are more likely to circumvent policies and workflows to get the resources and services they want and need.

While the threat of a security attack is constantly present at a campus’ doorstep, there are ways higher educational institutions can work with users to ensure they aren’t the ones inviting them to orientation. Here are five:

1. Make endpoint protection standard to alleviate malware and viruses

A good endpoint protection system can greatly decrease the risk of infection and provide IT with the tools needed to respond to a security breach. To maximize coverage, consider making endpoint protection standard for all devices, whether institutionally owned or personally owned. This task is greatly simplified with a mobile device management (MDM) tool that can install software on a managed device.

2. Make trusted software and apps available on demand

IT can create an internal app catalog where only tested and college or university-approved software, apps and settings for faculty and staff are made available for download. If a faculty member requires an app that is not available in the self-service style catalog, they simply submit a request to IT.

3. Make IT services equivalent to personal services

If IT services – such as email, backup, file sharing and collaborative services – are as good as what a user has access to outside of work, there’s no need for them to go rogue and rely on their personal services. IT should utilize the services that users are most comfortable and productive with, and make them the standard.

4. Make VPN readily available for secure network practices

Cloud computing makes it easy for users to utilize a VPN. IT can even go beyond simple password authentication and implement certificate-based Wi-Fi authentication to ensure only the devices it wants can access the network.

5. Make data encryption mandatory

Colleges and universities can enforce encryption requirements and easily report on compliance across the entire institution. When built-in encryption technology is leveraged, user devices don’t take a performance hit from a third-party security addition, and IT can manage all recovery keys so they can quickly address password resets, device activation lock bypass, and remote lock and wipe.

When you put users at the center of IT management and give them freedom and flexibility in how they use their devices, the result is happier and more productive employees who are more likely to adhere to your policies. True, this is easier said than done, but leveraging the right guidelines can help provide both user autonomy and a secure IT ecosystem.

Just don’t wait until it’s too late. Align your campus’ security strategy today, and deny admission to costly security breaches before they force their way in.

eSchool Media Contributors