If you haven’t been watching the news lately and don’t work in the education sector, you could be excused for knowing little about data security and higher education technology. In recent years, we’ve seen news of ransom attacks across various universities globally. For instance, the University of Calgary was recently held to ransom and forced to pay $20,000 to cybercriminals.
We’ve also seen malware attacks directed at several universities and high schools in recent years, resulting in widespread and very costly disruptions. An excellent example is when the entire Minnesota School District was forced to shut down for a full day.
These are just a few examples of the challenges educational institutions face in the modern age. Yet, in an increasingly digital world, a digital presence is essential for the education sector.
Can learning institutions continue to digitize while keeping cybercriminals at bay? That’s the question this article seeks to answer.
Different attackers have different motives and interests. However, the majority of attackers targeting educational institutions typically have their eyes trained on one or more of the following:
Universities collect and store massive amounts of student information. From student names to contact information and physical addresses, the university database will always have this information. Other types of information available on university databases include student hobbies, families, and educational background. Many students also authorize universities to store their personal health information. Hackers can use this information to hold students and their families to ransom.
Universities and other higher learning institutions deal with a massive amount of financial information, from student checks to government loans and independent scholarships. The paying entity’s banking information will always be stored within the institution’s database for record-keeping purposes. Hackers that gain access to this information can use it to break into the institution’s bank accounts.
This especially applies to top universities that regularly partner with government agencies, tech companies, and other organizations to conduct research. For instance, Johns Hopkins University frequently partners with leading healthcare organizations to conduct studies on various diseases and other health areas. The result is that universities store proprietary information from this research, which fuels the data security and higher education technology debate.
Finally, hackers and other cybercriminals may also be interested in the data security and higher education discussion as they target these higher learning institutions as part of their fact-finding mission, i.e., to connect the dots. They may break into the school’s servers to retrieve a student or employee’s information, perhaps to target the student/employee’s family. They may also target an unsuspecting part-time student to gain knowledge to infiltrate the student’s workplace.
Fortunately, there are proven steps you can take to protect your institution from hackers and cybercriminals.
The formal term here is minimization. Schools and universities must take stock of which information is necessary and which information they don’t need to collect or store, i.e., don’t use a fishing net to collect information, use a fishing rod instead. The argument is that information you don’t have doesn’t pose any risk to your organization.
Think about Social Security Numbers, for instance. Back in the day, many schools used SSNs to identify students and parents. However, it later became evident that storing SSNs exposes schools to enormous risk. As a result, most schools stopped.
Suppose you really need some information, such as student account numbers, but feel the information puts you at significant risk of cyber-attacks. In that case, an alternative is to have a better-equipped organization store the information on your behalf.
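The minimization step described above can be enforced in code at the point where records are stored. The following is an added example, not code from the original article: the field names, the allowlist and the sample record are assumptions made for illustration. It drops every field that is not on the allowlist, issues a random student ID instead of using the SSN as an identifier, and redacts SSN-shaped values that end up in free-text fields.

```python
import re
import secrets

# Assumed allowlist for a hypothetical registrar system: only what it needs.
ALLOWED_FIELDS = {"name", "email", "program", "notes"}
# SSN-shaped values (NNN-NN-NNNN) can hide in free-text fields that are allowed.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def new_student_id():
    """Random identifier, not derived from the SSN, so it reveals nothing about it."""
    return "S-" + secrets.token_hex(8)


def minimize(record):
    """Return (record_to_store, dropped_fields, redacted_fields)."""
    stored, redacted = {}, []
    for field, value in record.items():
        if field not in ALLOWED_FIELDS:
            continue  # never persisted: data you don't hold can't leak
        if isinstance(value, str) and SSN_PATTERN.search(value):
            value = SSN_PATTERN.sub("[REDACTED]", value)
            redacted.append(field)
        stored[field] = value
    dropped = sorted(set(record) - ALLOWED_FIELDS)
    stored["student_id"] = new_student_id()
    return stored, dropped, sorted(redacted)


# Constructed sample intake record (not real data).
SAMPLE = {
    "name": "Alex Example",
    "email": "alex@example.edu",
    "program": "Biology",
    "ssn": "000-12-3456",
    "hobbies": "chess",
    "notes": "Parent SSN 000-98-7654 given by phone",
}

if __name__ == "__main__":
    stored, dropped, redacted = minimize(SAMPLE)
    print("store:", stored)
    print("dropped:", dropped)
    print("redacted in:", redacted)
```

Filtering by field name alone would have kept the SSN typed into the notes field, which is why the free-text scan runs on the allowed fields as well.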
Awareness means that you need to speak about cybersecurity risks and challenges as often as possible and schedule talks and training workshops to educate everyone who accesses the institution’s computer systems, including networks, on their role in preventing attacks.
The National Institute of Standards and Technology (NIST) encourages educational institutions to focus their awareness programs and training on two main things – identifying threats and protecting computer systems. Identifying threats means helping users understand which sensitive information attackers may target and learn how to tell when someone is attempting to target them.
Meanwhile, protecting computer systems refers to using various means to prevent or repulse attacks. At the basic level, it may mean educating users on the need for strong passwords for all online accounts and antivirus software for their phones and computers.
Security controls aren’t entirely technical; some are administrative. For instance, universities should utilize encryption to protect data at rest and in transit. The type of encryption would vary depending on the sensitivity of the data in question.
Also critical is access control. Access control defines who can access which systems and data, and who cannot.
Above all, every institution of higher learning needs a cybersecurity response plan. A response plan states clearly the steps the organization would take in case of a cyber-breach or an attack. For instance, if a student receives a phishing email, where can they report the incident? And, once it’s reported, what follows?
Remember that the above tips won’t make your institution bulletproof – everyone can be attacked. However, implementing all three tips will make you a hard target, effectively minimizing the risk of attack and improving your rating on data security and higher education technology.