Failing to adhere to data-protection regulations can be costly for colleges and universities. In many cases, the safest route to full compliance is partnering with experts who can help.
The attack was quick, and the demands were unequivocal: "We have stolen your students' private data. Pay us $450,000 and we will delete it from our system." An inspection of the servers confirmed it. The ransomware had sidestepped the institution's firewalls, and the options were limited: pay the outrageous price, or risk the release of hundreds of students' personal information.
The abrupt shift to virtual learning during the Covid-19 pandemic not only altered the way colleges and universities teach but also fundamentally shifted how they manage and protect their data. Campus IT departments are strained as they work to keep hybrid education humming, and the reduced attention paid to overall security operations and basic compliance with digital regulations makes them potential sitting ducks for malicious actors. Without dedicated attention to the ever-changing, labyrinthine tangle of regulations with which it must comply, an institution could be opening itself up to an incident that would corrupt its system for months without detection. Several higher education institutions have learned the hard way that failure to comply can have severe repercussions.
Wading through all the necessary regulations a campus needs to comply with in order to protect its data can be time-consuming and bewildering. Yet every corner of the institution can be affected, from health services to campus police, the registrar's office, and alumni donors. For full compliance, a college or university may want to consider getting help from a partner who knows the ropes not only about regulations but also about other aspects of security and privacy.
Blinders to Compliance
IT departments have been hustling during the pandemic to keep classes running smoothly so that students don't fall behind. Yet every lost connection and every PowerPoint that won't open means less time to concentrate on maintaining rigorous data compliance standards and securing the campus digital infrastructure. This is time that could be devoted to adopting a Zero Trust security model, a kind of "guilty until proven innocent" approach that assumes every connection is a threat. This diminished bandwidth has had profound consequences: according to a report by the cybersecurity company BlueVoyant, between 2019 and 2020 the number of ransomware attacks on higher education doubled.[1]
There are perhaps a few teams with the job of ensuring compliance across the institution and securing data regardless of where it lies—each team heads down, working diligently on their own digital domain. These teams may rarely collaborate or even communicate about which regulations they're complying with, which they're falling short on, or even those they're completely blind to. This silo effect of overlapping effort or overlooked neglect not only means that teams are wasting effort and time but also means that lapses in digital protection can go unnoticed. It is critical that institutions bridge the gap and strike a balance between compliance and security teams; doing so requires collaboration and communication between teams across the institution.
This silo effect could help explain why ransomware attacks on higher education spiked 100 percent during the pandemic. If you were a burglar, which house would you target: the one with a six-foot fence, motion lights, and a guard dog, or the one with an unlocked front door? Understanding why online attacks have skyrocketed and how to construct a strong, fully compliant approach to cybersecurity is the key to locking your institution's front door.
The High Cost of Low Compliance and Security
Higher education institutions have been perceived by hackers as "soft targets"[2] for several reasons: state-run or community colleges may lack funds to hire enough IT professionals; 75 percent of schools have open remote desktop ports;[3] students frequently use common passwords; and school systems don't limit login attempts. According to the information security company SecurityScorecard, education came dead last out of 17 industries for total cybersecurity.[4]
Regardless of the reason, failure to secure your students' personally identifiable information (PII), proprietary research, or medical data can have costly ramifications. Once attackers deploy their ransomware, a frequent tactic is to encrypt or lock an institution's database and demand a hefty price not to publish it online. Known as cryptoviral extortion, this practice surged suddenly in the higher education industry, forcing a growing list of institutions to make some difficult decisions:
- In 2019, ransomware was installed on the network of a private for-profit college in New York City. The attackers demanded $2 million in bitcoin.[5]
- In 2020, a large public university in Michigan refused to pay an undisclosed ransom, and hackers began publishing school data to the dark web.[6]
- A public university in California paid hackers $1.14 million to recover data stolen from its school of medicine.[7]
- In early 2020, the New York Board of Regents adopted full compliance with the NIST cybersecurity framework, regulating the data security and privacy of students' and instructors' PII.[8]
It's not just the exorbitant ransoms or the trust lost by students when an institution can't protect their private information. Any lucrative research grants could evaporate if stringent requirements aren't met. In fact, the Department of Defense created the Cybersecurity Maturity Model Certification (CMMC)[9] to avoid the potential misuse of information by any vendors across its supply chain. Institutions that don't meet CMMC by the final implementation in 2025 will be denied contracts. Knowing and complying with multiple education-related federal regulations is the most solid foundation on which to build a security system. Some of the most important regulations include the following:
- The Family Educational Rights and Privacy Act (FERPA) gives parents the right to see students' records and request changes.
- The Protection of Pupil Rights Amendment (PPRA) governs how institutions collect and protect students' data.
- The Children's Internet Protection Act (CIPA) stipulates that any institution getting a discount from its internet provider must prove they're safeguarding the connection and using filters to regulate what students see.
- The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive patient health information from being disclosed. The nonprofit HITRUST Alliance created a framework in 2007 to help organizations understand and comply with HIPAA standards.
Taking Steps in the Right Direction
Now that we've outlined the high stakes, here's the lowdown on making sure a digital security system is compliant from the ground up. A plan must be put in place, identifying weak points in the current security plan, investing in new software and equipment, and hiring extra help if needed. Every step of the plan needs to comply with corresponding regulations. This won't be easy, expedient, or cheap.
The benefits of full compliance are incalculable. Sensitive documents and private information can be tracked and protected. How and when information is shared between groups—such as students, faculty, and administration—must be controlled. Valuable research funding must be protected by implementing more security controls and complying with regulations. Even cyberbullying must be tackled by tracking the evolution of derogatory words and redacting certain slang words.
Even with all of an institution's disparate digital teams working together, there will be long hours and (likely) missteps along the way. A crucial regulation may be overlooked; essential forms may be incorrectly filed. In many cases, the safest route to full compliance is partnering with experts who can help. Many assume full legal culpability and won't store PII. They can work with institutional teams to build a security system from the ground up or to shore up existing infrastructure, in complete compliance with every education-related regulation that applies to the institution.
In any effort to safeguard campus data and privacy, choosing a partner with experience, technical expertise, and a comprehensive suite of tools is essential. Microsoft's approach is not intended to be the sole digital safeguard for an institution. With its dedicated support for third-party software, it will do as much or as little as an institution needs. In addition to security, Microsoft commits to giving customers full privacy control, transparency about data collection, and strong legal protections. Partnering with an expert and taking the preventative steps toward full compliance will save time, money, and reputation. Higher education institutions can use the time saved to focus on a key mission: educating students.
Notes
1. Cybersecurity in Higher Education (New York City: BlueVoyant, 2021).
2. Danny Palmer, "Ransomware: Sharp Rise in Attacks against Universities as Learning Goes Online," ZDNet, February 23, 2021.
3. Cybersecurity in Higher Education.
4. 2018 Education Cybersecurity Report (New York City: SecurityScorecard, 2018).
5. Lindsay McKenzie, "Hackers Demand $2 Million from Monroe," Inside Higher Ed, July 15, 2019.
6. Lindsay McKenzie, "Cyberextortion Threat Evolves," Inside Higher Ed, June 11, 2020.
7. Kartikay Mehrotra, "California University Paid $1.14 Million After Ransomware Attack," Bloomberg, June 26, 2020.
8. Harris Beach PLLC, "New York Board of Regents Approves Part 121 Regulations Required by Education Law § 2-d," JD Supra, January 15, 2020.
9. Tina Reynolds, "Department of Defense Issues CMMC Interim Rule, Setting Up a Two-Part Process for Review of Contractor IT Systems," Government Contracts Insights, September 30, 2020; Mark Stone, "CMMC Compliance Explained: What Is the Cybersecurity Maturity Model Certification?," Security Essentials (AT&T blog), October 15, 2020.
Corey Lee is Senior Consultant and Zero Trust Architect at Microsoft.
Steve Scholz is Principal Technical Specialist for Security, Compliance and Identity, US Education, at Microsoft.
Sam Buckhalter is Senior Technical Specialist for Compliance, US Education, at Microsoft.
Microsoft is a supporting partner of EDUCAUSE.
© 2021 Microsoft