https://er.educause.edu/channels/cybersecurity-privacyThe RSS feed for blogs and articles contributed to the Cybersecurity & Privacy column in EDUCAUSE Reviewen{119181F0-8D85-4F3F-8E80-487F5508D08F}https://er.educause.edu/podcasts/educause-exchange/how-ai-is-changing-campus-cybersecurity-4-key-challengesArtificial intelligence is amplifying cybersecurity risks in higher education by making threats like phishing more effective and vulnerabilities easier to exploit, while increasing pressure on institutions to strengthen security without sacrificing openness, innovation, or the academic mission. This episode examines four key challenges facing cybersecurity leaders.{937718E9-A8DE-4BD7-8194-83B580E88B79}https://er.educause.edu/articles/2026/5/how-higher-education-is-responding-to-the-canvas-lms-incident-and-preparing-for-whats-nextA recent ransomware attack on Instructure's Canvas LMS has raised concerns across the higher education community about cybersecurity, data privacy, third-party risk, and institutional preparedness. More than 950 EDUCAUSE community members joined an EDUCAUSE QuickTalk webinar to discuss campus impacts, share questions, and explore how institutions are responding.{BF4B70DB-32C1-4101-91E7-6926BB63156A}https://er.educause.edu/multimedia/2026/educause-quickpoll-results-higher-education-response-to-mythosAnthropic’s announcement that its AI model Mythos is able to find large numbers of cybersecurity vulnerabilities across a wide range of operating systems and applications has many concerned about the implications of the technology for higher education.{FDEF85FF-F869-4B42-ABD1-08A150D57326}https://er.educause.edu/articles/2026/4/hotline-cybersecurity-and-privacy-april-2026"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about artificial intelligence–enabled cheating, risk tradeoffs, and audit fatigue.{CD2DB07F-7968-4547-9D4E-E6650E521CB4}https://er.educause.edu/articles/2026/3/hotline-cybersecurity-and-privacy-march-2026"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about cybersecurity strategy, CMMC/CUI-compliant research computing and storage infrastructure, and the unchecked expansion of cybersecurity job responsibilities.{9078DA51-D115-4A1F-8A4E-2A970130B9CF}https://er.educause.edu/articles/2026/2/reevaluating-the-mission-of-higher-education-meeting-our-cybersecurity-challenges-togetherAs the role of higher education evolves, cybersecurity approaches must adapt. By collaboratively reexamining the cross-functional ecosystem that supports cybersecurity, higher education leaders and cybersecurity professionals can better align risk, security, business, and technology efforts with institutional strategic goals.{D224FC42-1C41-4594-A8BE-369E20E7E135}https://er.educause.edu/articles/2026/1/how-asu-built-a-pair-of-tools-to-help-nontechnical-users-classify-and-secure-dataA team at Arizona State University developed two self-service tools to help staff, faculty, researchers, and student employees classify and store institutional data in compliance with privacy and regulatory requirements by guiding data classification and mapping results to approved storage options.{E006B6C3-DE1C-4EB8-B7B7-21DC9280D2BE}https://er.educause.edu/articles/2026/1/hotline-cybersecurity-and-privacy--january-2026"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about the nature of cybersecurity, the ethical foundations of policy decisions, and the organizational challenges of incident response.{E397D5DA-763E-4873-BB43-3D154979C7D8}https://er.educause.edu/multimedia/2026/hotline-culture-is-the-cybersecurity-breachWhat’s the real threat to cybersecurity in higher education? Spoiler: It’s not just technology. In this candid Q&A, two higher education leaders unpack why culture and trust matter more than firewalls, and how optimism and collaboration can transform security.{DD180D4C-D1FE-4DDD-87E3-C9717FE8655A}https://er.educause.edu/articles/2025/11/hotline-cybersecurity-and-privacy-november-2025"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about managing data, navigating cybersecurity regulations, and securing accounts.{BF957BEA-BCEC-47A8-BCF7-0D98102A0276}https://er.educause.edu/articles/2025/11/the-ciso-to-cio-pipeline-leadership-skills-that-scaleCISOs have evolved into campus-wide strategic leaders. Their skills and experience make them ideally suited to step into CIO and other executive roles in higher education.{947CC137-74D2-47C9-80FF-3800B7F7A477}https://er.educause.edu/articles/2025/10/hotline-cybersecurity-and-privacy-october-2025"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about handling admissions data and avoiding staff burnout.{71B47C0A-D3D5-4D74-B068-0B1C923F82D2}https://er.educause.edu/articles/2025/10/stay-aware-stay-secure-cybersecurity-awareness-month-2025A successful cybersecurity awareness campaign requires intentional planning and thoughtful communication with stakeholders across the organization. The three ideas presented in this article can help you create an awareness calendar using a lightweight risk assessment method.{F98967EB-8E77-46A9-BE1F-16F6552E3EE7}https://er.educause.edu/articles/2025/9/hotline-cybersecurity-and-privacy-september-2025"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about building cyber skills in the age of AI, shaping cybersecurity habits, and selecting a cybersecurity framework.{0980480D-08F6-43A9-B579-360CE441AA5E}https://er.educause.edu/articles/2025/8/hotline-cybersecurity-and-privacy-august-2025"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about reporting structures, the line between student success and student surveillance, and transparency in data collection.{3B8B333B-D4D1-43D0-A3FF-55719B94A392}https://er.educause.edu/articles/2025/5/hotline-cybersecurity-and-privacy-may-2025Welcome to "Hotline: Cybersecurity and Privacy." This new monthly column will tackle the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about required security training, trust, and procurement.{2D2B5C8B-1802-43D6-8C55-B3D3CED7C169}https://er.educause.edu/articles/2025/6/hotline-cybersecurity-and-privacy-june-2025"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about enforcing the rules, reporting metrics, and contextualizing fear.{B440B937-F65A-42E7-8E87-230AC40811D2}https://er.educause.edu/articles/2025/7/hotline-cybersecurity-and-privacy-july-2025"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about planning for security incidents, building future-focused strategies amid rapid change, and navigating financial challenges.{F1007766-EDC9-490D-B2AB-31F91A6F4AF5}https://er.educause.edu/multimedia/2025/5/libraries-at-risk-brewster-kahle-on-ownership-access-and-controlCyberattacks, licensing limitations, and platform dependence are reshaping how libraries function. Brewster Kahle provides some context around these challenges, and a path toward sustainable access through local control.{69662555-A624-411B-8C21-2972DC0CD81E}https://er.educause.edu/articles/2025/4/accessibility-in-technology-acquisition-with-hecvat-4Following the addition of accessibility questions in 2021, the latest version of the HECVAT implements several important improvements for usability and effectiveness.{8DA1FC14-5980-4103-BF51-6A2229141F57}https://er.educause.edu/articles/2025/3/educause-quickpoll-results-nist-sp-800-171-compliance-efforts-and-challenges-in-higher-educationInstitutions vary in their processes for protecting controlled unclassified information, but taking immediate action, controlling project scope, and seeking support from leadership, cross-functional teams, and collaborative peer networks can help facilitate compliance with security requirements.{358D63F7-B4CF-42B3-8880-0E26CEFE751A}https://er.educause.edu/articles/2025/2/improving-email-security-with-proofpoint-at-university-of-hawaiiInstitutions can reduce human resource needs by working with third parties to help manage and deploy email gateways and firewalls to protect users.{20F277B6-D8AD-43D6-B964-534C30FBF946}https://er.educause.edu/articles/2025/2/hecvat-4-better-than-everHECVAT 4 is here! The newest version of the Higher Education Community Vendor Assessment Toolkit incorporates comprehensive improvements, including new and updated artificial intelligence and privacy questions, training materials for institutions and solution providers, and more.{B5A5239C-B275-4771-9FC2-E77008203A0B}https://er.educause.edu/multimedia/2025/2/privacy-at-the-forefront-of-data-risk-managementAs data risk management grows more complex, privacy has evolved from a compliance concern to a strategic imperative for higher education institutions. In this video, two chief privacy offers explore this evolution and share how it informs their approach to balancing risks and opportunities.{FC450F6A-B10E-47CB-BD59-F5656E84AE19}https://er.educause.edu/articles/2025/2/policies-and-practices-how-to-improve-data-classification-in-higher-educationAs colleges and universities collect and use more data for more purposes, understanding how to organize and safeguard it becomes critically important.{9AB108CE-9900-4F73-B402-82EB7B284D2C}https://er.educause.edu/articles/2025/1/understanding-privacy-and-taking-control-of-your-dataData Privacy Week is January 27–31. This curated list of resources can help spark conversations about privacy and the importance of safeguarding personal information in an increasingly digital world.{3E9FE60F-B6D6-4071-9430-176B9905282B}https://er.educause.edu/articles/2024/11/educause-quickpoll-fastfact-should-cybersecurity-and-privacy-functions-be-integratedIn a recent Cybersecurity and Privacy Program evaluation survey, EDUCAUSE asked IT professionals whether cybersecurity and privacy functions should be integrated or kept separate.{4BE20EF4-436D-4BE2-A2A3-0847D6C01364}https://er.educause.edu/articles/2024/10/coming-in-january-hecvat-4The Higher Education Community Vendor Assessment team is launching HECVAT 4 in January 2025. The updated toolkit will include questions about privacy and artificial intelligence.{D7FC9FC1-D715-45A5-B85D-E38580A85409}https://er.educause.edu/podcasts/educause-shop-talk/2024/takeaways-from-the-2024-horizon-report-cybersecurity-and-privacy-editionEDUCAUSE researchers and panelists discuss takeaways from the 2024 Horizon Report, Cybersecurity and Privacy Edition.{2CCA0139-C31E-4772-96C4-DFAD6C8EC181}https://er.educause.edu/articles/2024/9/beyond-awareness-training-transforming-human-risk-management-into-a-strategic-advantageConventional approaches to security training are insufficient to meet the rising tide of cybersecurity threats. Conducting a risk assessment is the first step in identifying the highest risks to human behavior, and mitigating those risks is how the security culture of an organization is changed.{58CF7B27-DF95-4F32-ADEF-B77FB519FCC2}https://er.educause.edu/podcasts/educause-shop-talk/2024/cybersecurity-as-a-core-competencyHigher education institutions must treat cybersecurity as a fundamental competency, raising awareness among users, developing plans, and assessing tools and resources, as cybersecurity threats expand and evolve alongside the laws, policies, practices, and solutions aimed at protecting data and digital systems, all in order to safeguard institutional assets and train tomorrow’s cybersecurity professionals and leaders.{B10BB135-40EB-4904-A8BA-11CE94B18B9C}https://er.educause.edu/articles/2024/3/7-things-you-should-know-about-third-party-risk-managementColleges and universities implement countless third-party products and services, any of which could pose risks to the institution, its data, and its constituents.{084B36AA-3832-4448-A1ED-67E6803B7544}https://er.educause.edu/multimedia/2024/1/4-ways-to-understand-privacyA chief privacy officer shares four insights to help better understand several nuanced and easily overlooked dimensions of data privacy.{B123E5A3-B310-4DFE-BA0F-21B949673D00}https://er.educause.edu/articles/2024/1/7-things-you-should-know-about-data-deidentification-and-anonymizationAs the types and amounts of personal data increase, users and institutions need to strengthen the ways they protect the sensitive information they collect and use.{5523776A-C6A8-4734-9825-79E31254B26E}https://er.educause.edu/articles/2024/1/cybersecurity-incident-management-and-response-guideEnsuring that your entire team understands what actions to take can make an important difference in how—and how quickly—your institution emerges from an incident.{A6AA8337-A2F3-4C8A-85EA-E81719B982ED}https://er.educause.edu/multimedia/2024/1/privacy-in-higher-education-underinvesting-in-one-of-our-greatest-challengesInstitutions should consider making stronger investments in, and dedicating more attention to, privacy staffing and training.{BA2BAC37-51E9-4E23-B745-D333C36BDF81}https://er.educause.edu/articles/2024/1/cybersecurity-governance-toolkitA vital part of any institution’s cybersecurity efforts is an effective, mission-aligned governance program.{B591D92B-7425-4EF7-9B1C-8A668A7FE7EF}https://er.educause.edu/articles/2023/8/how-the-university-of-illinois-system-conducted-a-massive-failover-test-to-reduce-risk-exposureAfter discovering that it had outdated disaster recovery plans and enormous risk exposure in 2018, the University of Illinois system embarked on a five-year plan culminating in a massive failover test.{81A576F9-653C-4EB8-9EDB-7D9BAC645C9D}https://er.educause.edu/articles/2023/6/the-chief-privacy-officer-positioning-privacy-in-higher-edTo be successful, the chief privacy officer needs to collaborate with many other administrative and academic offices to converge on an institutional approach to privacy in higher education.{E1ED560E-F8B1-4979-BB85-F86A31F59049}https://er.educause.edu/articles/2023/5/run-toward-the-incident-collaboration-between-academia-and-law-enforcement-for-cybersecurityCollaboration and partnership between academia and law enforcement can bring about positive contributions for future research and activities in cybersecurity.{16791D6A-A798-4359-B10E-8A311A2823A7}https://er.educause.edu/articles/2023/4/the-biden-administration-issues-a-national-cybersecurity-strategyThe Biden Administration has released a National Cybersecurity Strategy, a comprehensive plan to address the most pressing cybersecurity issues. The National Cybersecurity Strategy does not explicitly include policies for higher education, but some policies may open or strengthen opportunities for institutions to participate in federally funded cybersecurity programs.{BF39E581-333D-47C8-91E6-7F5CB490D6D1}https://er.educause.edu/multimedia/2023/4/introducing-joe-potchanant-the-new-director-of-the-educause-cybersecurity-and-privacy-programJoe Potchanant, the new Director for the EDUCAUSE Cybersecurity and Privacy Program, talks about his ideas for making the program more effective for members and institutions.{4B9852AD-2BD3-4905-BC3A-31F00C8DAC66}https://er.educause.edu/podcasts/educause-community-conversations/new-directions-for-the-educause-cybersecurity-and-privacy-programJoe Potchanant, Director of the EDUCAUSE Cybersecurity and Privacy Program, talks about new directions for the program, his background, and his ideas about how institutions of all types can best meet the challenges around keeping data safe.{B57C2DF6-28E8-45A5-81C0-9F3310C6F5AB}https://er.educause.edu/articles/2023/1/how-case-western-reserve-university-responded-to-the-cybersecurity-insurance-crisisCybersecurity is becoming more expensive for higher education institutions. Case Western Reserve University is responding to the challenge by prioritizing its security controls.{EDF8D7D3-6D78-46E3-ADED-D98234888772}https://er.educause.edu/multimedia/2023/1/ask-a-privacy-managerBen Archer, Privacy Manager for Arizona State University, answers some questions about privacy and the strategy he employs at his institution.{B17A812D-BBDE-4AB8-8278-FAA69AA3EC90}https://er.educause.edu/articles/2022/10/end-user-admin-rights-in-higher-ed-still-securing-the-keysThe landscape of admin rights across academia looks much the same today as it did five years ago. While many institutions still grant admin rights to all employees, no questions asked, others are looking to strengthen their policies.{33FDB26F-D367-4CDD-9059-7BA231CAD350}https://er.educause.edu/articles/2022/10/cybersecurity-and-privacy-perspectives-on-the-educause-2023-top-10-it-issuesEDUCAUSE community members offer cybersecurity and privacy perspectives on the 2023 Top 10 IT Issues.{0A6EF3CA-96CD-4385-9F74-DF591BD8AA32}https://er.educause.edu/articles/2022/10/an-inflection-point-for-the-creation-of-new-cybersecurity-operating-models-in-higher-educationAccumulating pressures on higher education have created an inflection point requiring two new cybersecurity operating models.{7B88C6B1-2C66-417B-8316-E962D5AC680C}https://er.educause.edu/articles/2022/9/cisa-cyber-incident-reporting-rulemaking-is-on-the-horizonWhile higher education is not covered by a pending rulemaking on cyber incident reporting, EDUCAUSE is monitoring the process given the possibility that colleges and universities could face a similar requirement in the future.{F1995849-12C1-4509-A242-6D173C0A2E0D}https://er.educause.edu/multimedia/2022/5/corporate-conversations-hitachi-id-systems-on-the-challenges-facing-higher-edCEO for Hitachi ID Systems, Nick Brown, talks about the challenges of identity strategy in higher ed.