Universities: Prime Breach Targets
Maintaining a Culture of Openness While Mitigating Cyberthreats
The University of Maryland notified 288,000 students, faculty and staff early last year that their personal information was breached in a "sophisticated computer security attack."
One month after that breach, the institution suffered a second cyber-intrusion, although it was able to limit the impact, with information on only one senior official at the university exposed (see: University Breaches: A Continuing Trend).
In the aftermath of those incidents, the university is rolling out a data security strategy under the leadership of Eric Denna, its new CIO. He says universities must strike a delicate balance when attempting to stem the tide of data breaches. "As an institution of higher education, our mission is to preserve a culture of openness, innovation and exploration, while simultaneously reducing the likelihood of future [cyberthreats]."
In addition to the University of Maryland, George Mason University, Butler University and University of Wisconsin-Parkside were among the dozens of U.S. academic institutions that experienced data breaches last year.
The Identity Theft Resource Center, in its 2014 breach statistics report, catalogued 57 incidents in the educational sector, up from 54 the previous year.
And Kroll and Experian Data Breach Resolution say academic institutions represented at least 10 percent of their clients for breach response services in 2014, with breaches in the education sector showing no signs of abating.
Universities are prime targets for hackers because they are data-rich environments with multiple access points and a culture of collaboration and open sharing of information, says Brian Lapidus, practice leader of identity theft and breach notification at Kroll. "In other words, it's harder to 'lock down' a college's or university's data, in addition to the fact that there is so much of it that is attractive to thieves," he says.
The types of breaches academic institutions are experiencing include hacker attacks utilizing malware, webcrawlers unintentionally accessing sensitive information, insiders leaking data and even the theft of computers.
So what can academic institutions do to avoid becoming the next breach victim? Experts recommend ramping up security education for faculty, staff and students to address cyberthreats; enhancing risk assessment efforts; implementing stronger security defenses, including data encryption and identity and access management; and instituting data governance and destruction policies to limit the exposure of sensitive data.
Plus, organizations that have partnerships with universities need to be aware of the potential data breach risks. And those who operate in an open, shared environment, as found at universities, should take similar breach prevention steps.
Ramping Up Security
In light of the frequency of university breaches, "cybersecurity awareness and ways of protecting your personal identity information should be included in the base student curriculum," says Michael Bruemmer, vice president of Experian Data Breach Resolution.
In fact, the University of Maryland is helping its faculty, staff and students adopt IT best practices and behaviors, Denna, the CIO, says. "Educating our community members can go a long way toward mitigating additional threats," he says.
Institutions should also review their internal security policies and procedures to ensure security controls are uniformly implemented, Lapidus says.
"In some cases, particularly with very large networks with multiple campuses and lots of legacy systems, security controls tend to be decentralized," he says. This can make it difficult to pinpoint any one person or group of people who are responsible for the overall security of data. "This is a situation that colleges need to be particularly mindful of, as it can cause critical security problems to go unnoticed, and it can impede efforts to fix breaches after they happen," Lapidus adds.
Institutions should also step up the evaluation of their incident response plans so key employees understand their role when an incident occurs, he notes. "Our cybersecurity specialists have recently worked with some colleges and universities on tabletop exercises to run various security incident scenarios so that their policies and procedures are solid."
Open Nature of School Systems
Educational institutions are a target for hackers because they often have more open systems housing more sensitive data than organizations in other sectors, says privacy and security consultant Rebecca Herold. That's because the digital environments at schools must support a large number of students, staff, teachers, alumni and others. So it's difficult for information security and privacy staff at these schools to keep up with protecting against threats, she contends.
"Most educational institutions are already on tight budgets, and putting more resources toward information security tools usually comes at the back of the line behind all the other departments," says Herold, CEO of the consulting firm The Privacy Professor and partner at HIPAA Compliance Tools.
The culture of research, collaboration and education makes invasive security controls difficult to implement, adds Rick Holland, principal security and risk management analyst at Forrester Research, who previously worked in incident response for higher education. "Many educational institutions lack security controls that would be implemented in other verticals," he says.
Risk Management Priorities
To help it set security priorities, the University of Maryland is conducting a comprehensive risk inventory, says Denna, the new CIO. "Our IT risk assessment that is currently under way will give us a much better picture."
The university has established a four-pronged strategy to prevent another data breach. That strategy includes identifying and isolating sensitive and/or regulated data; encrypting that data; monitoring and restricting access to confidential information; and educating the campus community on IT best practices and on avoiding behaviors that increase the risk of another data breach.
"Additionally, we will be making significant investments in identity and access management, which is a key part of managing IT risks in the future," Denna says.
Too Much Data
To help stem the tide of breaches against academia, institutions need to ramp up their data governance efforts, Holland says.
"You still see some universities relying upon Social Security numbers as the primary identifier for students," he says. "This is unacceptable. Education must have strong data governance functions with a process for data discovery and classification."
In addition, schools need to set up standards for how long data deemed critical should be retained and delete data when it is no longer needed, Holland stresses.
Institutions also need to prevent over-sharing of information across departments that may not need it, Herold says. "If certain areas of an educational institution don't need to have the student's Social Security number, they shouldn't be given that portion of the student's record," she explains. "Too many institutions share the entire student record with many different parts of the institution ... that truly don't need them."