By Rich Murphy
Rich Murphy is the Director of Technical Account Management at BlackStratus.
The diverse range of users accessing IT resources both on and off campus presents a number of security issues for higher education institutions. Potential risks can include:
- Students accessing course and administrative information over unsecured wireless networks
- Part-time and sessional instructors who have not been trained on secure resource use
- Researchers communicating with international collaborators
- Administrators accessing sensitive resources from outdated workstations
- Affiliated insurers and care providers transmitting student health records electronically
Particularly in large campuses, budget disparities can also mean that not all departments have the resources available to purchase proper antivirus protection and other security appliances. They may not have the budget to invest in staff training. This presents an additional challenge when attempting to make organization-wide changes to IT policy.
Understanding Your Liability
Understanding the liabilities your organization faces is critical to implementing effective network security policies in a higher education setting. Failing to prioritize network security not only puts your valuable data at risk, but it can also impact the confidence your students and faculty have in your organization.
It can also negatively affect your compliance with HIPAA, GLBA and other regulatory standards, as well as your overall reputation for privacy and academic integrity. Of course, a security breach will also lead to significant financial losses.
Understanding the Costs of a Data Breach
Research by the Ponemon Institute conducted in 2014 estimates that the average cost of responding to a network security breach in higher education is $294 per student record. This means that the compromise of 10,000 student records — relatively small in terms of the damage that can be done on a large campus — would cost almost $3 million dollars to remediate. This figure does not include future revenue losses due to the negative publicity.
Case Studies
Though incidents are not as heavily reported as those affecting retail and financial institutions, there has been no shortage of data breaches in higher education facilities in recent years. Some of the most notable include:
- a June 2012 attack against the University of Nebraska’s Student Information System (NeSIS) database. According to NBC News, the attack compromised the Social Security numbers and other personal information of more than 650,000 current/former students and applicants.
- a 2012 incident at the University of North Carolina. It was reported that over 350,000 student records, including Social Security numbers and financial account information, had been inadvertently made publically available over the Internet for over three months.
- a 2010 breach at Columbia University. While only affecting 6800 individuals, the breach led to the university and its partners having to pay out more than $4.8 million in HIPAA settlements. The compromised data contained confidential electronic health records.
Cyber Liability Insurance for Higher Ed
The costs associated with even a small data breach have led many educational institutions to seek out cyber liability insurance. Cyber liability insurance offers specific coverage for costs that may not be underwritten by conventional policies, including fines and penalties caused by regulatory non-compliance and crisis management expenses.
However, insurance alone is not a substitute for a strong network security posture — part of the underwriting process will asses your organization’s ability to respond to threats and manage risks internally.
Best Practices for Risk Assessment and Management
Keeping your data secure through proper planning at the infrastructure and procedural levels is essential to avoiding the financial and reputational costs of a hack or security breach. While an in-depth discussion of threat management at the organizational level is beyond the scope of this article, one of the first steps you can take is conducting an institution-wide inventory of information assets. This should include a survey of any data with economic or political value, as well as anything covered under state or federal government data privacy regulations.
Ultimately, university administrators must take a top-down approach to data security. It isn’t enough to assume that individual departments and users have taken the appropriate steps to protect themselves — provisions for mandatory staff training and an adequate investment in network security must be implemented and prioritized at the policy level. When a data breach does occur, the entire institution bears the consequences. It only makes sense that senior university staff should take a leadership role in implementing organization-wide network security measures.
© 2014 Rich Murphy