Cyber threats are ever-changing, and colleges and universities are fighting an uphill battle to keep sensitive data safe. In some ways, the older the institution, the harder it is, because there is significantly more data to protect and more entrenched culture to overcome.
But Andrew Hay, chief information security officer at DataGravity and an industry expert in security trends and developing technology, thinks it is possible to achieve airtight cybersecurity. Education institutions, however, are at a distinct disadvantage in this goal. Often, the strength of the security apparatus comes down to the amount of money invested, and higher education historically has invested relatively little, compared to the corporate world.
Colleges that develop security plans but hire too few people to implement them remain unprotected.
“If there’s no teeth to a policy or program, then it’s just another piece of paper that gets ignored, that cannot influence or enforce anything,” Hay said.
DataGravity pioneered “data-aware technology” that helps organizations protect information at the point of storage and better understand the data that exists to have a greater chance of keeping it safe. The industry is full of tools to help colleges and universities monitor data, organize it and lock it up. Even the best tools, however, cannot keep an institution safe without proper policies and procedures.
A significant portion of security breaches and data thefts are caused by human error. There are always employees who are ignorant of or cut corners on safeguarding procedures. It is this element of human error that makes it hard to achieve true insulation from threats. Also, higher education networks are open to encourage collaboration and guarantee access. The more points of entry into a network, the more vulnerability.
A growing number of institutions have turned to cyber liability coverage to minimize the damage in the event a breach does occur. Incidentally, the process of applying for coverage offers an opportunity to evaluate internal security and test policies.
Most insurance carriers ask questions about technical information security, the hardware institutions have in place, their firewalls, antivirus protection, intrusion protection and encryption. Beyond these tools, they want to know what procedures are in place to back them up: How is information security handled internally? Are there tested incident response plans? Who is the contact person in the case of a breach?
Jason Glasgow, cyberrisk product manager at Travelers Insurance, says a small but growing number of colleges and universities have cyber liability coverage. Part of the reason the growth has been slow is the financial issue — higher education institutions don’t have as much to spend as commercial entities — but Glasgow says it’s also a question of awareness. Colleges and universities are not as attuned to their own risks and vulnerabilities, as retail companies are, for example.
Schools face breaches all the time. They have personal information on students, students’ parents, faculty and staff going back decades that hackers want, not to mention confidential research information.
The federal government has organized information sharing and analysis centers, or ISACs, to help organizations in similar industries analyze threats and share information that helps the group achieve greater protection than they might on their own. The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) is the ISAC for higher ed.
Forty-seven states now have legislation requiring notification of data breaches involving personal identification, and institutional reputations are on the line. Colleges and universities must consider the tools, policies, procedures and other protections that can keep them and the information they keep as safe as possible. The threats are not going away.
Would you like to see more education news like this in your inbox on a daily basis? Subscribe to our Education Dive email newsletter! You may also want to read Education Dive's look at 8 pieces of ed tech news to note from SXSWedu 2016.