Why Higher Ed Data Security Depends on People

With more institutions undergoing digital transformation initiatives and more students shifting to remote and online learning, the data perimeter is expanding in higher education – making it a hot target for cyberattacks.

Recent research indicates that the number of attacks on educational institutions has grown faster than in any other sector. This category experienced a 30 percent increase in attacks compared to a 6.5 percent average increase across all industries in just July and August 2020. Additionally, a 2021 Education Cybersecurity Report indicated that data breaches were the main source of risk for higher education institutions.

We connected with Mark Relf, senior security analyst with Collegis Education, to get a better understanding of the security issues in higher ed and how they can be avoided.

Colleges are collecting more electronic student information than ever before

Higher education has become a prime target of hackers because institutions possess large quantities of sensitive, personally identifiable information, Relf explains. This includes things like addresses, financial data and medical records, which can be sold on the black market and used for identity theft and fraud. He also points out that hackers know if that information is combined with a Social Security number and driver’s license number, the price of an individual record can increase greatly in value.

To obtain this information, cybercriminals most often seek to get users to share credentials or other personal information through manipulative tactics, such as phishing and spoofing. These methods trick humans into making security mistakes or giving away sensitive information accidentally. Higher education presents itself as an especially appealing target as most institutions have large, untrained user networks that simply lack security awareness and can unknowingly admit malware users onto their networks through personal devices or applications.

Addressing security issues in higher ed is about more than technology

With heightened awareness around higher education data security and privacy risks, Relf is often asked about how to prevent cyberattacks. He notes that while colleges and universities are clearly concerned about the rise in higher ed data breaches, he worries there is a misperception that an institution needs only software to protect its data.

“Data security is everyone’s job,” Relf says. “The most protected organizations meet security goals through fostering good employee habits system-wide.”

To combat data breaches, Relf underscores that an institution’s first line of defense is its employees and students. Institutions must offer regular information security education and training to students, faculty and staff.

For example, unintentional information disclosures accounted for 27.3 percent of higher ed breaches and the theft or loss of portable devices made up 14.7 percent. Those figures suggest that beyond shoring up sensitive data with digital fortifications, proper training in the handling of data – and physical technology – remains crucial. This also corroborates a study by IBM which found that human error is the main cause of 95 percent of cybersecurity breaches.

4 ways college staff, faculty and students can prevent data breaches in higher ed

With this in mind, below is a short list of basic actions any college or university can require of its employees and students in order to help prevent breaches.

1. Change passwords at least every six months.
2. Don’t use the same password for multiple accounts
3. Never open attachments or click on links from unknown senders
4. Teach employees to verify all requests for sensitive information or funds

The last action in the list, verification, is important because hackers often attempt to impersonate a high-level employee to gain access to sensitive information. Taking a moment to confirm the request with the apparent sender by phone or through an alternative communication method is in everyone’s best interest.

When you consider that the cost of a security breach can easily run into six figures or more, no properly authorized information requestor should object to a safety check. Another good security measure is to implement a multi-step verification process in which authorization of a request must come from a variety of independent sources.

Good data hygiene habits go a long way

No matter how much money is invested in technology, an institution may still not be protected. It’s really about getting boots on the ground and developing a comprehensive security strategy where the responsibility for safeguarding systems and data extends beyond the IT department to everyone in the organization, from students and instructors up through the highest levels of leadership.

Employee habits and processes are critical to preventing a data breach. Teach your employees and students how to be vigilant. Teach them good habits and encourage them to report unusual requests immediately. As with organizational cultures that support an environment of physical security, employees and students who have been taught how to recognize and respond to warning signs can be a powerful force for preventing a crisis.