Protecting Student Data: A Cybersecurity Challenge
Jane LeClair | Chief Operating Officer, Washington Center for Cybersecurity Research & Development
Institutions of higher education are faced with a troubling paradox. On the one hand, their digital systems need to be open and easily accessible to countless users around the globe; on the other, they need to carefully guard the sensitive information held on their servers. This troubling situation has been exacerbated by the rapid movement to online education across the educational spectrum and the growing trend for those with malicious intent to breach the digital systems of learning institutions and steal the wealth of personally identifiable information (PII) that is stored there.
Once upon a time student records and other PII were stored in paper format and judiciously guarded by staff members who rigidly enforced rules of privacy and access. Today that same information, and much more, is stored on electronic servers scattered around college campuses and protected, in many cases, with an ad hoc system of firewalls and anti-intrusion software. The track record of that security has been called into question with the alarming number of recent breaches of learning institutions. McCarthy writes that, “According to information from the massive database maintained by Privacy Rights Clearinghouse on data breaches, 30 educational institutions experienced data breaches in 2014.”
In fact, cyberattacks compromised more than 300,000 records at the University of Maryland and nearly 200,000 records at North Dakota University, Butler University and Indiana University, respectively. At Arkansas University, nearly 150,000 records found their way into the hands of hackers.
The cyber attacks on learning institutions continued unabated into 2015 as well. Williamson notes that in May, “Penn State University was forced to completely disconnect a portion of its network from the Internet in response to multiple cyber attacks.” Even prestigious Harvard was attacked in June of this year. Lunden reported that, “A seventeenth-century university has become the victim of a twenty-first-century crime. Harvard University on Wednesday announced that on June 19, it discovered a breach in the IT systems of its Faculty of Arts and Sciences and Central Administration, currently impacting eight different schools and administrative organizations at the university.”
From this it is clearly evident that hackers have discovered a new source of information (learning institutions) that can be mined for a wealth of data that can be sold, stored, or leveraged into access to other systems. Research institutions are extremely susceptible to this due to the many interwoven partnerships they have with other organizations. Penn State is a prime example of that situation. Williamson writes that, “In Penn State’s case, the engineering department performed research that was used by the U.S. Navy, making them even more of a target for both international and industrial espionage.”
Recognizing that the digital systems of higher education must remain open and expand their availability to the learning community, yet somehow thwart the intrusions of bad actors, what can be done to make their digital systems more effective in securing data? The answer is of course not a simple one. If cybersecurity experts could wave a magic wand and somehow produce a silver bullet to thwart evildoers, they would have done so long ago. Institutions must recognize that no digital system is impervious to hacking; even the digital systems at the White House were hacked last year. With that in mind, IT personnel at learning institutions must work to thwart attackers as much as possible using the tools and processes they have at hand.
The first thing that must be done is to identify the crown jewels: the most vital and most sensitive pieces of data on the servers. That is what must be protected first and foremost. Once that is identified, a list of less valuable data needs to be compiled, always keeping in mind the requirements of the Family Educational Rights and Privacy Act (FERPA) regulations. When that is accomplished, we can then begin to build our defenses based on the important aspects of cybersecurity—people, process and technology.
While computer software can be programmed not to make errors, the humans who interact with it are a different story. Human beings are fallible; they are prone to mistakes and errors in judgment. They also have differing moral and ethical values, differing needs, and different patterns of decision-making that affect themselves and their organization.
To mitigate and reduce the potential for errors or deliberate actions, an institution needs to invest in ongoing faculty, staff, student and employee awareness training. Ideally, this training will help to establish in the minds of system users a cybersecurity culture in which every action they perform is judged against a set standard of security. It should include, but not be limited to, password protection and identifying social engineering techniques.
The digital system at an institution must have guiding rules and policies for users to operate within to prevent data loss. Security policies must be all-inclusive and cover every aspect of the functioning of the system. Access control is of prime importance. It defines the level of access and authorizes specific activities. The watchword should always be least-privilege access: ensuring users have access to exactly what they need, no more and no less. The policy will also define a host of other activities, such as what files can be moved or exfiltrated, what code or software can be brought into the system, how often logs are examined, and how files will be stored or siloed. The policy must also work hand-in-hand with the human resources department at the institution with regard to hiring, termination, promotions, demotions, work evaluations, and the ongoing monitoring of employee attitudes and performance. Such policies work to ensure that the system and the employees stay on the rails and, if someone or something goes astray, it is efficiently noted and corrective action is taken.
The utilization of technology in preventing data loss through a cyber breach is a key element in a successful cybersecurity program. But it must be understood that technology, while an important key, cannot by itself prevent those with malicious intent from breaching a system. Technology creates a layered defense against intruders and can be very effective in thwarting all but the most determined intruders. Well-configured firewalls, continually updated anti-intrusion software, updated operating system software, intrusion detection software in the form of host-based and network-based intrusion detection systems (HIDS and NIDS), and automated monitoring for unusual activity can however make it difficult for attackers, both inside and outside, to move within a system and perform their nefarious deeds.
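The two preceding paragraphs describe least-privilege access to student records and automated monitoring for unusual activity as policy and technology layers. The following is an added illustration, not code from the article or any institution, of how those two layers fit together in practice: a deny-by-default access check for student records (a student sees only their own grades, an advisor only their advisees' grades, a registrar also the more sensitive fields), every decision written to an audit log, and a monitor that reads that log and flags accounts that are repeatedly denied or that touch an unusual number of distinct students in a short window. The roles, record fields, user identifiers and thresholds are all constructed for the example.

```python
"""Least-privilege access to student records plus audit-log monitoring.

Added example: the records, roles, users and thresholds below are constructed
for illustration and do not reflect any real institution's data or policy.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed student records: student id -> advisor and a few fields.
RECORDS = {
    "s100": {"advisor": "adv1", "grades": "A", "ssn": "***-**-1111"},
    "s101": {"advisor": "adv1", "grades": "B", "ssn": "***-**-2222"},
    "s102": {"advisor": "adv2", "grades": "C", "ssn": "***-**-3333"},
}

# Hypothetical role matrix: which fields each role may read at all.
# Any role or field not listed here is denied (deny by default).
ROLE_FIELDS = {
    "student": {"grades"},
    "advisor": {"grades"},
    "registrar": {"grades", "ssn"},
}

# Every access decision, allowed or denied, is appended here.
AUDIT_LOG = []


def can_read(user, role, student_id, field):
    """Least-privilege check: the role must be permitted the field, the record
    must exist, and the user must have the right relationship to the student."""
    if field not in ROLE_FIELDS.get(role, set()):
        return False
    rec = RECORDS.get(student_id)
    if rec is None:
        return False
    if role == "student":
        return user == student_id            # only your own record
    if role == "advisor":
        return rec["advisor"] == user        # only your own advisees
    return role == "registrar"               # registrar may read any record


def read_field(user, role, student_id, field, when):
    """Enforce the check and log the outcome before returning any data."""
    allowed = can_read(user, role, student_id, field)
    AUDIT_LOG.append((when, user, student_id, field,
                      "ALLOW" if allowed else "DENY"))
    if not allowed:
        raise PermissionError(f"{user} ({role}) may not read {field} of {student_id}")
    return RECORDS[student_id][field]


def flag_unusual(log, max_denies=3, max_distinct=2, window=timedelta(minutes=5)):
    """Return users who, within any sliding window, were denied at least
    `max_denies` times or touched more than `max_distinct` distinct students.
    A single denial is treated as ordinary noise; a burst is not."""
    by_user = defaultdict(list)
    for when, user, sid, _field, outcome in sorted(log):
        by_user[user].append((when, sid, outcome))
    flagged = set()
    for user, events in by_user.items():
        for i, (t0, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - t0 <= window]
            denies = sum(1 for e in in_win if e[2] == "DENY")
            distinct = {e[1] for e in in_win}
            if denies >= max_denies or len(distinct) > max_distinct:
                flagged.add(user)
                break
    return flagged


def attempt(user, role, student_id, field, when):
    """Helper for the scenario: return the value, or None when denied."""
    try:
        return read_field(user, role, student_id, field, when)
    except PermissionError:
        return None


def run_scenario():
    """Constructed scenario: normal advisor and registrar use, plus a student
    account (s101) that probes other students' records."""
    AUDIT_LOG.clear()
    t = datetime(2015, 9, 1, 9, 0, 0)
    s = timedelta(seconds=1)
    out = {}
    out["advisor_own"] = attempt("adv1", "advisor", "s100", "grades", t)
    attempt("adv1", "advisor", "s101", "grades", t + 5 * s)
    out["advisor_ssn"] = attempt("adv1", "advisor", "s100", "ssn", t + 10 * s)
    out["registrar_ssn"] = attempt("reg1", "registrar", "s100", "ssn", t + 15 * s)
    out["student_own"] = attempt("s101", "student", "s101", "grades", t + 20 * s)
    attempt("s101", "student", "s100", "grades", t + 40 * s)   # denied
    attempt("s101", "student", "s102", "grades", t + 60 * s)   # denied
    attempt("s101", "student", "s100", "ssn", t + 80 * s)      # denied
    out["flagged"] = flag_unusual(AUDIT_LOG)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The design point is that the access check and the monitor are separate controls that depend on each other: the check keeps the advisor from ever reading the sensitive field, and the audit trail it produces is what lets the monitor distinguish one stray denial (the advisor) from a burst of probing (the student account), which is the kind of unusual activity the paragraph says automated monitoring should surface.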
Those who seek to breach the defenses of a digital system, be it a learning institution, business organization, government agency, or a particular portion of our critical infrastructure, are very clever, patient, and technologically savvy people. They only need to be right once to gain entry to a system, while the “good guys” need to cover all points of entry as effectively as possible. It is a daunting task, especially considering the openness and ease of accessibility that is required of a learning institution’s digital system. The task may be challenging, but with the proper training and education of users, reinforced with well-written and adhered-to policies as well as up-to-date technology, those with malicious intent can be efficiently kept at bay.
– – – –
Kyle McCarthy, “5 Colleges With Data Breaches Larger Than Sony’s in 2014,” The Huffington Post, January 15, 2015. Accessed at http://www.huffingtonpost.com/kyle-mccarthy/five-colleges-with-data-b_b_6474800.html
Wade Williamson, “Higher Education Crams for Cyber Security,” Security Week, May 29, 2015. Accessed at http://www.securityweek.com/higher-education-crams-cyber-security
Diana Oblinger and Brian Hawkins, “The Myth about IT Security,” EDUCAUSE Review, January 1, 2006. Accessed at http://er.educause.edu/articles/2006/1/the-myth-about-it-security
Valerie Vogel, “The Chief Privacy Officer in Higher Education,” EDUCAUSE Review, May 11, 2015. Accessed at http://er.educause.edu/articles/2015/5/the-chief-privacy-officer-in-higher-education
“Cyber Security of Higher Education,” Compulink. Accessed at http://www.compu-link.com/main/cyber-security-of-higher-education/
Ingrid Lunden, “Harvard Reveals It Had An IT Breach In June Impacting 8 Colleges and Administrations,” TechCrunch, July 2, 2015. Accessed at http://techcrunch.com/2015/07/02/harvard-reveals-it-had-an-it-breach-in-june-impacting-8-colleges-and-administrations/#.ru75oy:Ozvt
Author Perspective: Administrator