The education sector has a wealth of very sensitive information traveling through its IT systems with data largely relating to students, teachers, and other members of faculty. For instance, a university will collect, store, and use medical, financial, personal, and educational data – and the same can be said for all levels of educational institutions. The vast benefits of accessing and stealing this PII are enough of an enticement for threat actors to target schools, because they can subsequently leverage and monetize all this information while at the same time causing as much disruption as possible—threat actors’ two favorite activities, unfortunately.
Over the course of this year, we’ve seen how hackers have successfully targeted and disrupted schools and universities of all sizes and levels of prestige. A recent report uncovered that over 400 cyberattacks against US public schools took place, and as an example, just recently Howard University had to close down temporarily after suffering a ransomware attack.
Decision-makers—from IT managers to boards of directors—oversee these data-rich environments and call all the shots, so they must take the appropriate steps to avoid such mishaps and incidents. To do so effectively, they must strengthen the overall security-awareness culture on campus, particularly regarding data security and data privacy.
Only the top of an organization (educational or otherwise) can kick-start a strong data security culture. Opening the dialogue to frank discussions about security mandates and privacy policies reinforces the message of good cybersecurity hygiene across the institution for both staff and students. If school leadership doesn’t take it seriously, why should students or employees? The truth is, they won’t.
Getting security in place
Unfortunately, we are well aware that breaches at schools and universities occur every year with cybercriminals targeting the crown jewels: all that personal, highly sensitive data. Yet, as more of these institutions adopt better technology and software, it is increasingly vital to strike a balance between security and privacy. Of course, educational institutions are not exempt from data privacy laws such as CCPA and GDPR, so it is their duty to effectively secure and protect sensitive data and keep it private.
Implementing the right tools to meet this requirement should be the starting point. For example, methods like tokenization replace sensitive data elements with representational tokens, so even if the data falls into the wrong hands, the sensitive information is indecipherable and cannot be leveraged by hackers. This data-centric method of protection (meaning it protects the data, not the supporting infrastructure around the data) also preserves the original format, so it is quite “friendly” to the business applications the administration deploys around campus.
To understand better where your institution fits on the privacy-security scale, conduct an audit to identify the approaches and tools currently in place, while also assessing honestly the strength of your culture of data security. More importantly, establish how the institution protects data, where it stores this data, and the layers in place to secure it. Focus should always begin with protecting the sensitive data as soon as it enters the campus data ecosystem, while simultaneously not ignoring the infrastructure that surrounds data.
In terms of who should have access to what information, only those who absolutely have a critical need should be able to access it, and this access should be challenged every single time. If data-centric security is in place, even those who access the data might not be able to see the most sensitive data elements (think of a tokenized social security number) while still being able to carry out whatever task is required.
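The tokenization and need-to-know access described in the two paragraphs above, as an added Python example that is not from the article or from any vendor product. It assumes an in-memory vault, random-digit tokens, and hypothetical role names (`financial_aid_officer`, `registrar_clerk`); the SSN is a constructed sample value.

```python
import re
import secrets

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """In-memory stand-in for a vault (assumption: a real one is a separately secured store)."""

    def __init__(self, detokenize_roles):
        self._to_token = {}   # clear value -> token
        self._to_value = {}   # token -> clear value
        self._roles = set(detokenize_roles)
        self.audit = []       # (role, token, allowed) for every detokenize attempt

    def tokenize(self, ssn):
        if not SSN_RE.match(ssn):
            raise ValueError("not an SSN in NNN-NN-NNNN form")
        if ssn in self._to_token:
            # Same input yields the same token, so joins and lookups still work.
            return self._to_token[ssn]
        while True:
            # Replace each digit with a random digit; separators stay, so the
            # token keeps the original format and fits existing applications.
            token = "".join(
                str(secrets.randbelow(10)) if c.isdigit() else c for c in ssn
            )
            # Reject a token equal to its input or colliding with a stored value.
            if token != ssn and token not in self._to_value and token not in self._to_token:
                break
        self._to_token[ssn] = token
        self._to_value[token] = ssn
        return token

    def detokenize(self, token, role):
        allowed = role in self._roles
        self.audit.append((role, token, allowed))  # every access is challenged and logged
        if not allowed:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._to_value[token]


def demo():
    # Hypothetical role name; only this role may recover the clear value.
    vault = TokenVault(detokenize_roles={"financial_aid_officer"})
    # Constructed sample record: applications store and pass around the token only.
    record = {"student": "Constructed Student", "ssn": vault.tokenize("123-45-6789")}
    return vault, record
```

A staff member without the detokenize role can still search, match, and display the record by its token, while the audit list records every attempt to recover the clear value.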
With so many millions of students across the globe returning to start a new school year, it’s time for leaders and decision-makers within this industry to take the necessary steps to develop a healthy security culture, starting with themselves and the institutions they operate. If they don’t, they would be wholly remiss (and would miss out on a huge educational opportunity for their students), and this oversight eventually would lead to a completely avoidable cybersecurity incident. None of those administrators want to go through a live workshop on data breach mitigation.
Trevor J. Morgan is responsible for product management at comforte AG, where he is dedicated to developing and bringing to market enterprise data protection solutions.