Cyberattacks on colleges and universities are on the rise following many institutions’ transition to online and hybrid classes.
Higher education institutions’ databases are gold mines for cybercriminals because they store massive amounts of personally identifiable information (PII) like social security numbers and payment information. If an attack is successful, cybercriminals can expose this data, risking identity theft, fraud and exorbitant costs for schools. In 2019, the average cost for data breaches in the U.S. education industry rose to $142 per record loss–$45 above the worldwide average.
As education becomes more digitized, the pressure to keep student data safe and mitigate the impact of costly data breaches is at an all-time high. Devaluing students’ data could be the solution for this issue that many institutions face as they transition to e-learning environments.
Attackers targeting colleges and universities: Why and how?
The primary motive for data breaches is financial gain. Cybercriminals use social engineering tactics, like phishing, to obtain PII and sell it on the black market, often for hundreds of dollars. Attackers also use ransomware, which is a form of malware that encrypts a victim’s files, essentially holding the victim’s data hostage until they pay the attacker.
Human error accounts for 35 percent of data breaches in the education sector. Institutions spend little time training educators in cybersafety, and most still don’t have adequate cybersecurity training. It doesn’t help that only 5 percent of college and university budgets are allocated to IT services. The lack of cybersecurity training within institutions, along with the thousands of users on the network who are using personal devices creates easier access to data for attackers. They often can take advantage of unsuspecting students and faculty by tricking them into clicking on phishing links in emails and other malicious tactics.
As more colleges and universities switch to online and hybrid learning environments, the risk of data breaches and compromises is even greater. Institutions need to prioritize preventing these incidents — for safety and financial reasons alike.
Defending your data isn’t enough anymore
The terms “data theft,” “data breach” and “data compromise” are often used interchangeably, but their meanings aren’t the same. Data theft occurs when an attacker acquires data from an institution’s system, and a breach occurs when the attacker gains unauthorized access to data, whether they steal it or not. But compromising data is something completely different, occurring when attackers sell or expose data they’ve stolen.
The problem is that many organizations spend most of their already limited IT resources trying to prevent data breaches and theft. For example, many higher education institutions implement multi-factor authentication and attempt to train employees to spot phishing emails and other social engineering attacks. While these efforts are important and necessary, they aren’t enough to keep bad actors from accessing sensitive data, because all the cybersecurity training in the world can’t eliminate human error.
Think of your cyberdefenses as a wall: They are sturdy and they are there for a reason — to protect what’s inside of them — but they aren’t invincible. Eventually hackers will be able to break through your digital walls, which is why your top priority should be to ensure your data is unintelligible in the event of an attack — in other words, you’ll need to devalue your data.
Devaluing your data
There are two main approaches to devaluing your data — encryption and tokenization. Both of these tactics make data within your network indecipherable, so if it gets into the hands of attackers, they can’t compromise it.
- Encryption is a method of securing data while a transaction is in progress and when the data is in transit. It makes the information unintelligible to any person who doesn’t have an affiliated digital key.
- Tokenization is best used for long-term storage of PII, like when a campus bookstore keeps students’ payment information on file. Each piece of PII is encoded with a random string of numbers that are stored on your servers instead of the information itself. The “token” can be linked back to the PII via information stored in a secure, outside location.
Both encryption and tokenization are essential in protecting students’ data, payment information included. Payment data is the easiest kind of PII for attackers to monetize because they can sell this data to fraudsters online, making it a high priority target for hackers. And higher education institutions are hubs for digitized payments — dining hall purchases, athletic ticketing, parking and tuition payments. It’s essential that students can securely make these transactions, which is where PCI-validated point-to-point encryption (P2PE) plays an important role.
P2PE enciphers payment data at the point of sale (POS), and it cannot be decrypted until it’s securely transported and processed by the payment processor. By using a P2PE-approved device, you prevent hackers from compromising card data at the POS — which is a classic cybercrime maneuver.
Whether you invest in tokenization, encryption or both, devaluing your data will help keep students’ information safe from cyberattacks.
Secured data is the new norm
While educating your faculty and students on potential cyberattack threats can help keep their data safe, in the end, the best defense is devaluing your data. No matter how strong your cyberdefense walls are, there is a criminal somewhere who will find a way to infiltrate them.
Security solutions like tokenization and encryption help mask valuable data that would otherwise be accessible in the event of a breach. Protecting student data this way isn’t just a “nice-to-have” anymore — it’s a must.
Ruston Miles founded Bluefin and also serves as the company’s chief cybersecurity advisor. Ruston brings over 20 years of payment and security experience, having architected Bluefin’s payment gateway and PCI-validated point-to-point encryption (P2PE) solutions, as well as contributing to the innovation of the company’s tokenization solutions. Ruston is a national speaker on cyber and payment security topics and was featured in more than 12 publications in 2020, including Forbes, TechCrunch, ZDNet, PaymentsSource and Yahoo! Ruston is a PCI Professional (PCIP), Certified Payment Professional (CPP), Certified Internet Business Strategist (CIBS), and an active participant with the PCI Security Standards Council (SSC).
- 8 top trends in higher education to watch in 2024 - April 16, 2024
- Defining a path to equitable AI in higher education - April 12, 2024
- Leveraging AI-driven edtech for continuous improvement in higher ed - April 11, 2024