Prevention Better Than Cure: Security Breaches Cost Higher EdNovadean Watson-Stone | Program Director for Information Technology, American Public University System
The following email Q&A is with Novadean Watson-Stone, IT program director at the American Public University System. A recent report by BitSight Technologies said higher education institutions are worse-equipped to deal with cyber threats than companies in the retail and healthcare sectors. This is especially concerning given that more administrative processes are taking place online and, more importantly, postsecondary customers — students — expect to be able to have the majority of their interactions with the institution online. In this interview, Watson-Stone discusses the challenge of being cyber-secure in the modern era.
1. Why should student information security be at the top of the radar for every higher education IT leader right now?
In addition to the comments provided by Clay Wilson, security threats and breaches are very real and evident in all industries including the education industry. The threats are becoming more sophisticated as technology advances, so much so that the U.S. Chamber of Commerce established a National Security Awareness Campaign in May 2014 to address the surge in security challenges. The campaign promotes the significance of cyber risk management and guidance for improved Internet security. Thomas Donohue, president and CEO of the U.S. Chamber of Commerce, wrote in the article “Small Businesses Can Beat Cybercrime” that “Many cybersecurity experts say that there are two types of businesses today — those that have been hacked and know it, and those that have been hacked and don’t know it. As large businesses strengthen their cyber protections, small and medium-size ones are increasingly the targets of online criminals.”
This message equally applies to higher education. Several colleges and universities have experienced student information security breaches, which resulted in illegal access to students’ social security numbers, the use of ransomware such as Cryptowall to change the core structure of files, and other exposure to sensitive student data. These security breaches have been extremely costly. Megan O’Neil reinforced in the article “Data Breaches Put a Dent in Colleges’ Finances as Well as Reputations” that “Data breaches in higher education cost colleges an average of $111 per record — a figure that calculates in the damage to the institution’s reputation— according to a 2013 study published by the Ponemon Institute, which studies cybersecurity and data protection. The average per-record cost across industries including government, health care and retail is $136, the study found.”
Benjamin Franklin once said, “An ounce of prevention is better than a pound of cure.” This is an underlining principle institutions should use to drive the need to place student information security at the top of the radar for every higher education IT leader immediately.
2. Have security measures kept pace with other institutional innovations, especially when it comes to moving more administrative functions — such as enrollment and payment — online?
After serious security breaches at several major universities, it’s clear security measures have not kept pace with other institutional innovations, especially when it comes to online administrative activities such as enrollment and payment. Megan O’Neil added, “Few institutions budget in advance for data breaches, according to college officials and data-security professionals. Cybersecurity insurance in higher education remains a rarity, despite a consensus among those working in the field that the likelihood of such a breach involves ‘when,’ not ‘if.’”
The Assistant Attorney General John Carlin recently championed, at the U.S. Chamber of Commerce Third Annual Cybersecurity Summit, some key concerns that continue to trumpet why security measures need to keep pace with other institutional innovations. Carlin cited how statistics such as PricewaterhouseCoopers’ report that a 48 percent increase in cyber- attacks in 2014 should generate a sense of urgency to do better and establish a plan that addresses the who, the what, the when, the where and more of cyber insecurity. He talked about other initiatives to focus efforts on channeling all tools toward cyber threats as organizations and companies have not done enough to protect their students, customers, clients and systems from cyber threats.
Clearly, institutions will need to spend the extra resources to establish risk management plans and strategies that will more effectively meet the expectations of a solid and secured online teaching and learning experience for students and faculty.
3. When it comes to protecting credit card security information, can higher education institutions take cues from what’s happening at major retailers, or are there any sort of specific differences between higher education business and retail business that would suggest a difference in the way credit card information is secured?
Higher education institutions should definitely take cues from what’s happening at major retail stores when it comes to protecting credit card security information. There is strength in partnerships.
Just as Thomas Donohue explained, “the U.S. Chamber of Commerce works closely with industry partners and the National Institute of Standards and Technology (NIST) to come up with a framework of existing standards and best practices to help companies start a cybersecurity program or improve an existing one [; and that by] adopting the practices outlined in the Framework for Improving Critical Infrastructure Security, all businesses can reduce network and system weaknesses and take steps to deter cyberattacks.” Higher education institutions need to adopt similar practices and benchmark when possible.
– – – –
- Higher education data breaches cost universities damage to their reputations, estimated at $111 per record lost.
- Cyber security practices have not kept pace with institutional innovation and change, resulting in security gaps that could affect students.
- Higher education should look to major retailers and banks as examples of how to protect information and should benchmark where possible.
– – – –
 Thomas J. Donohue, “Small businesses can beat cybercrime,” US Chamber of Commerce Blog, June 16, 2014. Accessed at https://www.uschamber.com/blog/small-businesses-can-beat-cybercrime
 Megan O’Neil, “Data breaches put a dent in colleges’ finances as well as reputations,” The Chronicle of Higher Education, March 17, 2014. Accessed at http://chronicle.com/article/Data-Breaches-Put-a-Dent-in/145341/
 John Carlin, “Combating cyber threats to U.S. national security,” C-SPAN, October 28, 2014. Accessed at http://www.c-span.org/video/?322382-5/combating-cyber-threats-us-national-security
 Donahue (2014)
Author Perspective: Administrator