Higher ed data breaches have been happening for a long time, but recently they seem to be happening more often. One of the most recent university data breaches hit Georgia Institute of Technology (Georgia Tech), exposing up to 1.3 million individuals’ data.
According to the Georgia Tech News Center, the April 2019 breach exposed information like students’ names, dates of birth, and email addresses. However, these were not just current records. The hackers stole many years’ worth of data.
This breach is only one example among a myriad of university breaches in which sensitive and personally identifiable information (PII) was exposed.
Why university data breaches are so common
Universities and their vendors are prime targets for hackers because they are data-rich environments. They hold everything from medical records to Social Security numbers, and they combine multiple access points with a culture of collaboration and open sharing of information.
The implications of any data theft can be detrimental to an organization. It can result in reputational loss among peers and hefty legal fees, pose economic threats, and expose operational issues.
Specifically, for universities, a data breach can affect future funding, with possible loss of future student fees and associated income.
What makes higher ed networks weaker
The traditional security processes of a university are drastically different from those of a corporate network. The educational environment and historically open campus mean that universities lack the tight, security-focused infrastructure that corporate networks exemplify.
The way in which a university operates can be a nightmare to an IT Security professional. Often the university sees a regular influx of undergraduates and graduates collaborating and sharing data through their own networks.
Things like BYOD (bring your own device) also leave the infrastructure vulnerable to outside attacks. When an institution thrives on the free exchange of data and ideas, it cannot easily apply the same security measures as larger businesses.
Budget limitations and inadequate staffing are another challenge that can create openings for a security breach. The boards of universities are usually composed of people who have little to no background or experience in cybersecurity.
This in itself is a risk because they don’t understand the risks to which the university is exposed.
Data protection practices at universities
Despite these challenges, there are ways universities can better protect themselves, their students, and their faculty from threats and higher ed data breaches. One way they can improve is to implement cybersecurity awareness in the student curriculum.
A cybersecurity curriculum will enable students, as well as the university, to take proactive measures to protect their PII. When universities help students adopt IT best practices and behaviors, they help mitigate additional cyber threats and future higher ed data breaches.
Institutions should also review their internal security policies and procedures to ensure security controls are uniformly implemented. In addition, they need to step up the evaluation of their incident response plans, so key employees understand their role when an incident occurs.
The continued attacks on universities demonstrate that even well-regarded universities are vulnerable to cyber-attacks and have room for improvement in terms of cybersecurity.
A determined attacker will eventually make their way into any system. Implementing Continuous Security Monitoring can provide IT Security teams with more visibility into system and network weaknesses, a key factor in identifying entry points, including rogue assets on the network and misconfigurations of known assets.
Continuous Security Monitoring can also be instrumental in detecting unauthorized changes to files and assets, alerting IT Security to unknown issues, and enabling teams to shore up weaknesses before they are exploited. In short, Continuous Security Monitoring can help improve security and hardening efforts, increasing PII protection.
The mission of any university is to provide the best education possible and to nurture students into their future careers. For a university to deliver on that mission, it needs to be able to protect its students’ PII.
Continuous security monitoring efforts support this by enabling universities to continually learn about the causes of error and use this knowledge to enhance the system’s design to be less vulnerable.
Students expect their information to be protected. It is not just for the sake of privacy and preventing identity theft, but also because it can have an impact on their future academic and workplace careers. Universities must take the initiative to protect their students, PII, reputation, and more by preventing higher ed data breaches.