What It Takes to Keep Student Information Safe in the Digital Age
Gary Langsdale | University Risk Officer, Pennsylvania State University
The following interview is with Gary Langsdale, university risk officer at Penn State University. IT security is becoming a hot topic for higher education leaders across the country, especially as increasing amounts of data are stored in the cloud and as more administrative processes take place online. In this interview, Langsdale expands on the impact these transformations have on customer expectations in the postsecondary space, how postsecondary IT leaders must react to these changes, and how institutions can improve their data security.
1. Why should student information security be at the top of the radar for every higher education IT leader?
Breaches and the sensitivity around them are increasing, both within higher ed and externally in the general population. There is an exponential increase, particularly in higher ed, in the use of systems for collaboration, which means that more personally identifiable information is out there in more places.
Expectations of privacy remain high on the part of students, the faculty, staff and research subjects. It’s a paradox to me that people voluntarily share all kinds of information on social media yet they are outraged if their name and address are exposed in an accidental breach.
2. Have security measures kept pace with other institutional innovations, especially when it comes to moving more administrative functions — such as enrollment and payment — online?
Security has kept pace with the innovations but security has not kept pace with the sophistication of potential intrusions. They’re moving faster than the innovations themselves.
There’s always a willingness to work with the security operations folks to do what you can to make sure that our systems that are online and elsewhere stored externally are secure. The sophistication of the intruders has become exponentially more sophisticated and more frequent as evidenced by some of the breaches in payment systems in retail within the last six months or a year.
3. What does that do in terms of customer and student expectations and fears when it comes to actually using online administrative tools that can increase efficiency for the institution but also put more student information, including credit card numbers, online?
I see it two ways. I hear conflicting messages. On the one hand, people are very sensitive to having their information exposed. On the other hand, because of all the breaches, there’s a burnout of breach sensitivity by people, in that they’re no less willing to use their debit card or their credit card at a retailer or to shop online.
This has partly been fuelled by the bank’s willingness to hold individuals harmless from any potential credit card implications once they’re found. You have people who are still willing to do it because they haven’t seen consequences because the banks have been willing to refund the account, so they’re still using it. On the other hand, people still profess to be very concerned about their security.
4. What are some strategies IT leaders can put in place to maximize the security of student financial information?
First of all, they can learn from those who have suffered breaches to keep abreast of what the latest trends are.
IT leaders should take a fresh look to make sure everyone is looking at every system they’re planning to update or put into place. I’m very wary of cloud-based solutions for business programs because of their vulnerability as well. It’s up to the IT leaders and the other business leaders within the university to push the vendors very hard on the vendors’ responsibilities to make sure to safeguard the systems and to accept responsibility [when breaches occur].
The other thing is to continually update systems that are in place to make sure we’re taking advantage of all the technological breach prevention or intrusion detection available to try to minimize the risk of the problem.
5. When it comes to protecting credit card security information, can higher education institutions take cues from what’s happening on the retail side, or are there any sort of specific differences between higher education business and retail business that would suggest a difference in the way that credit card information is secured?
I see no difference between Target, Home Depot and a university in accepting credit cards. They all need to be vigilant. There are rules called the ‘Red Flags’; they apply regardless of whether you are a retailer, a bank or a university. You have to know your person on the other end of the transaction.
6. Is there anything you’d like to add about how the changes and expectations of students and the changes and capabilities for institutions to serve students online impact the way postsecondary IT leaders need to look at their jobs?
Expectations are rising about the online capabilities of payment systems. The new Apple Pay system will be fascinating to see how that impacts the technology as competitors try to leapfrog that application. It means the IT leaders within higher ed are going to need to stay current because the innovative people elsewhere within the university are certainly going to work on the next big thing.
This interview has been edited for length.
Author Perspective: Administrator