Protecting Student Financial Information in the Modern Era: Cybersecurity and Higher Ed
The following email Q&A is with Clay Wilson, cybersecurity program director at the American Public University System. Student information security has risen to become one of the leading areas of concern for postsecondary tech leaders. Security breaches are on the rise in the higher education space, and they’re becoming increasingly dangerous as more and more administrative processes are taking place online. In this interview, Wilson discusses the importance of cybersecurity for today’s postsecondary leaders and shares his thoughts on some of the strategies that can be put into place to minimize the risk.
1. Why should student information security be at the top of the radar for every higher education IT leader right now?
Universities certainly have a requirement to control access to personal information about their students, just as commercial firms are required to protect sensitive personal information about all their customers and users. Loss of control of sensitive student information can lead to identity theft and fraud. However, today, cybersecurity issues for control and use of student information go beyond traditional concerns for personal privacy or protection against criminals.
Universities must also educate their students about why they should observe a high standard of responsibility to actively protect information about themselves. Students, who are usually very active on today’s popular social media web sites, are more willing to openly and voluntarily provide personal information online. However, computer technology has given any other third-party person the ability to collect and combine information from different sources which enables them to discover connections that can lead to serious consequences, such as cyber bullying or cyber stalking. There are also cybersecurity issues related to national security where personal information can be collected and combined by researchers in other countries where extremists may have malicious intent. For example, students who are also military must be careful to not reveal information about their home and friends on their social media websites, because it may make their families vulnerable to threats from extremists.
Also, meta-data is increasingly valuable for use by commercial firms. Information about students can be captured in the form of meta-data that may not disclose sensitive personal information, but which can still reveal the habits of students. This meta-data can be harvested without the knowledge of students. Currently, while this is not illegal, some question the ethics involved. Whenever students use the university computer network, information is captured about their activities, including their financial history, their diet, their friends, or their travel. The sensitive personal information is protected by the university’s cybersecurity procedures and safeguards, but the university also interacts with many third-party vendors on behalf of students. When necessary information is exchanged, vendors may harvest the meta-data that informs them about preferences and habits for individuals or groups of students. For example, vendors for soda machines or operators of food courts may collect this meta-data when credit cards are swiped for student purchases. While this may not be illegal, students should be made aware of how they can be tracked, and how meta-data can be used by vendors to steer their future actions and purchases.
2. Have security measures kept pace with other institutional innovations, especially when it comes to moving more and more administrative functions — like enrollment and payment — online?
Research has shown that cybersecurity cannot be insured by technology alone. Threat actors, hackers for example, simply go around the technology by attacking the users directly. Students must be made aware of good practices to manage their personal cyber-hygiene so they do not respond to suspicious email requests, or open suspicious email attachments, or mistakenly give their user ID and passwords to unknown callers who identify themselves as system administrators.
3. What are some strategies IT leaders can put into place to maximize the security of student financial information?
To protect student financial information, universities must operate with the same level of security found at other banking institutions. User IDs and passwords must be managed carefully by the university IT department. Students must be required to change their passwords on a regular basis, and students must be made aware of the types of attacks where they could be lured into revealing their personal information that would allow an attacker to gain unauthorized access to the university system, and to their financial information.
4. When it comes to protecting credit card security information, can higher education institutions take cues from what’s happening at major retailers, or are there any sort of specific differences between higher education business and retail business that would suggest a difference in the way that credit card information is secured?
Credit card details must be secured along with other financial information using encryption, both during data transmission and also during data storage. It is becoming increasingly common to read stories about how retailers have credit card information stolen by hackers who find new ways to get around cybersecurity protections. Recent articles show that the credit card companies are now moving to embed extra protections onto newer versions of these cards to make unauthorized use much more difficult if the credit card information is stolen.
Author Perspective: Administrator