Higher education institutions’ data have long been under attack, but recently, attacks seem to be happening more often. One of the most recent university data breaches hit Georgia Institute of Technology (Georgia Tech) exposing data of up to 1.3 million individuals.
According to the Georgia Tech News Center, the April 2019 breach exposed information like students’ names, dates of birth, and email addresses. These were not just current records–the hackers stole many years’ worth of data. This breach is only one example of the myriad universities that have experienced breaches exposing sensitive and personally-identifiable information (PII) data.
Universities and their vendors are prime targets for hackers because they are data-rich environments. They hold everything from medical records to social security numbers, with multiple access points, and they maintain a culture of collaboration with the open sharing of information.
The impact of any data theft can be detrimental to an organization. It can result in reputational loss amongst peers and hefty legal fees, it poses economic threats, and it exposes operational issues. Specifically, for universities, a data breach can affect funding, with possible loss of future student fees and associated income.
The traditional security processes of a university are drastically different from that of a corporate network. The educational environment and historically open campus mean there is not the tight, security-focused infrastructure corporate networks employ. The way in which a university operates can be a nightmare to an IT security professional.
Often, the university sees a regular influx of undergraduates and graduates collaborating and sharing data through their own networks. Things like BYOD also leave the infrastructure vulnerable to outside attacks. When an institution thrives on the free exchange of data and ideas, it cannot easily apply the same security measures as larger businesses.
Another challenge is budget limitations and inadequate staffing, which can create openings for a security breach. The boards of universities usually consist of people who have little to no background or experience in cybersecurity. This in itself is a risk, because they don’t understand the ways in which the university is exposed.
Despite these challenges, there are ways universities can better protect themselves, their students, and their faculty from threats and data breaches.
One way institutions can improve is to implement cybersecurity awareness in the student curriculum. A cybersecurity curriculum will enable students, as well as the university, to take proactive measures to protect their PII. By having universities help students adopt IT best practices and behaviors, it can help mitigate additional cyber threats and future data breaches.
Institutions should also review their internal security policies and procedures to ensure security controls are uniformly implemented. In addition, they need to step up the evaluation of their incident response plans, so key employees understand their role when an incident occurs.
The continued attacks on universities demonstrate that even well-regarded universities are vulnerable to cyber-attacks and have room for improvement in terms of cybersecurity. A determined attacker will eventually make their way into any system. Implementing continuous security monitoring can provide IT security teams with more visibility into system and network weaknesses–a key factor in identifying entry points, including rogue assets on the network and misconfigurations of known assets. Continuous security monitoring can also be instrumental in detecting unauthorized changes to files and assets, alert IT security to unknown issues, and enable teams to shore up weaknesses before they are exploited. In short, continuous security monitoring can help improve security and hardening efforts, increasing PII protection.
The mission of any university is to provide the best education possible and to nurture students into their future careers. For a university to deliver on that mission, they need to be able to protect their students’ PII. Continuous security monitoring efforts support this by enabling universities to continually learn about the causes of error and use this knowledge to enhance the system’s design to be less vulnerable.
Students expect their information to be protected. It is not just for the sake of privacy and preventing identity theft, but also because it can have an impact on their future academic and workplace careers. Universities must take the initiative to protect their students, PII, reputation, and more by preventing breaches.