Cybersecurity | Student Information System

Cybersecurity Practices that Safeguard Student Data

Colleges, universities, trade and vocational schools are gatekeepers for a significant amount of sensitive data on their students, employees and vendors. A cybersecurity breach is not only disastrous and disruptive for the school, but its impacts can potentially ruin an individual’s credit.

Schools process and store significant amounts of personal and financial data that’s spread across admissions, billing, financial aid, and the registrar’s office. Consider this data snapshot: A student record includes at a minimum such personal information as a student’s name, date of birth, Social Security number and email address.

Higher education is an enticing target for cybercriminals, especially schools that have an outdated IT infrastructure. A cloud-based student information system is a good first line of defense and working with a trusted and experienced technology partner can help further fortify your institution with proper cybersecurity training, best practices and contingency plans.

This post will cover what you need to know about higher education cybersecurity to safeguard data.


How do cyber attacks impact higher education?

The free flow of information is the bedrock of a well-functioning institution, with students, faculty, and staff sharing documents and files. But that communication also makes protecting student data and system security a challenge. Combine the various users with extensive personal information and student records, and the cybersecurity risks pile up:

Financial Risk: A cyberattack can be highly disruptive and costly. If your school is hit by ransomware, the costs can be staggering. According to a report from digital security firm Sophos, half of higher education institutions hit by a ransomware attack paid to restore their data, and the average cost was $1.42 million.

There are also costs associated with penalties and fines from regulatory agencies, as well as expenses necessary to restore operations.

Operational Risk: Many schools struggle to return to normal operations after a cybersecurity event. According to Sophos, 40% took more than a month to recover, which was higher than the global industry average of 20%. Even after paying a ransom, only 2% of schools got all their data back, while 60% reported they restored some data.

Reputational Risk: A cyber attack is bad press for your school. Students, staff, prospects and alumni will be concerned about their data and for good reason. If a cyber attack hits your school, your team must spend time and resources communicating with stakeholders to address their concerns. Then, you’ll need to rebuild their confidence.

What are the most common cyber threats in higher education?

Cybercriminals can attack your school’s systems in multiple ways. Below are the most common dangers to be aware of and what to train your staff to be vigilant about.

Malware: This is software designed to infiltrate a computer system and steal or disrupt services.

Ransomware: A type of malware in which a cybercriminal gains access to a computer system or files and locks the administrators out, demanding a ransom to release or restore the data. 

Higher education is particularly vulnerable to ransomware attacks. Among Sophos respondents, 64 percent of schools said they had suffered a ransomware attack, and nearly three-quarters of those attacks were successful.  

Phishing: A cyber tactic in which a bad actor gets access to a user’s computer or data by tricking them into opening or clicking a link in an email or sharing information. 

Phishing is a pervasive problem: More than 90% of all cyber attacks across all industries start as phishing against unsuspecting victims. Once they have access, the criminals can steal data or deploy malware.  

Internal threats: If employees store credit card information or Social Security Numbers on their computer desktop or leave it in their email inbox or outbox, that data is not secured and could be vulnerable. Remind your employees to delete emails and empty their trash. Sometimes, users with access to sensitive material may steal and use data illegally. 

What are Practices to Safeguard Student Data?

The best defense against cyberattacks is a potent offense. Campus Cafe recommends that schools take the following measures: 

Training, training, training 

The more training your staff, students and even parents receive on information security, the more secure your school’s information will be. Train your users to identify suspicious emails and never open them. No one should email asking for personal information, passwords, bank account information and credit card numbers. Create an inbox where employees can forward suspicious emails or let them know who to contact. Proactive training can significantly reduce your school’s exposure to phishing. Security companies and agencies, such as KnowBe4, can offer online training services for your employees.

Audit your system

Many institutions rely on their SIS partner to manage the cloud security for their student information system. A reputable SIS cloud vendor will regularly perform these services on their cloud environment. However, that won’t protect your school’s internal network or other IT infrastructure. To determine potential threats, have your IT team or a third-party company audit your systems. Perform a pen test, which evaluates your network infrastructure, and review other security procedures, including password management, permission maintenance, data storage and backup procedures. At a minimum, your school should audit its systems annually; the audit will provide a roadmap for how to shore up your defenses.

Toughen up your security

An audit will give your school a detailed assessment of the holes in your security, but there are also common measures your institution should have in place to fortify your systems. Administrators can tighten users’ access to data via permissions. It’s also good practice to install a multi-factor authentication (MFA) system, which requires users to confirm their identity or password on a second device. Additionally, you can require users to create secure passwords: longer strings of more than eight characters that mix numbers, symbols, and letters and are changed frequently.

Delete sensitive information

Your staff has been trained to shred paper with sensitive information, and the same rules apply to electronic correspondence. If personal or financial information such as Social Security or credit card numbers is sent via email, employees should immediately delete the email and empty their trash. If the information goes into a document or spreadsheet, that should be deleted once the data is processed. Information left in email inboxes or on computer desktops is not secure and is easy for a cybercriminal to access.

Limit permissions

To create layers of security, your school can restrict access to sensitive information. Only provide permission to staff who regularly need access to do their jobs. The golden rule is to give employees the fewest permissions to do their job. You can always grant more access as required. 

Upgrade to off-site, cloud-based storage

A cloud-based student information system like Campus Cafe Software is backed up daily and encrypts all your data, which gives you peace of mind that your information is safe and secure. If you are attacked, you can restore your data from a real-time backup on the cloud.

A legacy SIS that uses on-site servers and storage is more vulnerable to cyberattacks and breakdowns, which can impact security and your ability to restore data after a breach. 

Understand and Follow FERPA

The Family Educational Rights and Privacy Act of 1974 limits access to educational information and records. To protect students’ privacy, the federal government requires schools to safeguard student records and maintain FERPA compliance. If schools are not compliant, they can face fines. Adhering to FERPA is a good business practice, too, as it fortifies your school against cyber criminals.

Why you should work with a trusted tech partner

When you have a trusted technology partner on your side, you’re not alone in the fight against cyber attacks. Your school’s student information system is part of your first line of defense and your SIS vendor can help train and support your team.  

When a school is evaluating SIS vendors, we recommend the following considerations:  

  1. Train your team on cybersecurity and information security, recognizing and avoiding threats, and what to do if they are concerned about a breach. Update training annually and require that new employees receive full training.

  2. Make sure you have up-to-date plans for both response and recovery. If your school is attacked and loses data, your SIS vendor can restore information from your latest backup. Will you pay the ransom, and if so, what is your insurance coverage? Find out how long that will take and if there will be any additional expenses. Outline a strategy to communicate with students, staff, and any impacted third parties.

  3. Ask your SIS partner about their security protocols, including MFA and frequently updating passwords. Be sure your IT team and administrators understand how to manage and assign permissions and whom to contact at the SIS provider if they have questions or problems.

  4. Review your SIS provider’s plans to enforce best security practices and protect personal information. Do they use MFA? How often do they upgrade server and system security? What are their disaster plans?

  5. How is financial and billing information maintained? Campus Cafe, for example, does not store billing information in the SIS and integrates with trusted third-party encrypted payment and authorization apps, including PayPal and DocuSign, which comply with Payment Card Industry (PCI) standards.

The Bottom Line: Work With an Experienced, Dedicated Partner

At Campus Cafe, we understand that our partner customers need the strongest protections. We are dedicated to providing the highest-level information security and supporting our clients’ training and data security needs.
We follow strict 2FA protocols, ensure our servers are secure, train our staff regularly on the best information security standards, and follow the highest access and password maintenance standards.

To see how Campus Cafe can improve your school’s cyber defenses and keep your sensitive data secure, contact us for a demo today.

The Ultimate Guide to Higher-Education Student Information Systems

Use this guide to find the best student information system for your higher-education institution.

By upgrading to a new, integrated student information system, schools can organize data, improve efficiency and promote better communication.


5 Ways A Student Information System Saves You Money

Sometimes it can be hard to quantify the value of a Student Information System (SIS). You know you need one because it provides necessary user interfaces and critical data for strategic decision making, but does it really translate to the bottom line, and save the institution valuable costs and resources?

The answer is a definitive yes. Intuitively, it’s impossible to imagine running an organization effectively without one. The most obvious tangible benefit is the number of man-hours saved from an integrated student information system rather than tracking information in spreadsheets (or multiple databases that don’t talk to each other). But more specifically, I’ve outlined 5 instances where an integrated student software will directly save your institution money or bring more revenue in the door.

#1. Mastery of Government Funding & Federal Reporting

We don’t have to tell you, but a recent report by the GAO (1) found that the government requirements for student financial aid were the “most burdensome” on colleges and universities, costing hundreds of man-hours and untold dollars to compile. The National Association of Student Financial Aid Administrators echoed this, saying that handling governance took so much time it left less opportunity for counselors to meet in person with students.

Given the immense sums involved it doesn’t appear these regulations are going anywhere, so it’s best for institutions of higher education to develop ways to minimize the burden. Paramount to this is a good student information system.

An SIS will help collect and compile the data for all the required reports for state and government agencies. These include IPEDS, Title IV/NSLDS, Graduate-to-Employment reports, as well as accreditation with some of the requirements outlined here.


The data collected by the Independent Post-secondary Education Data System (IPEDS) covers seven areas: institutional characteristics, institutional prices, enrollment, student financial aid, degrees and certificates conferred, student persistence and success, institutional human and fiscal resources.

Some of the data that a student information system will have available in real-time for these reports is:

  • enrollment by state, age, ethnicity
  • graduate completions by field of study
  • retention and graduation rates
  • faculty and staff demographic data
  • revenues and expenditures

Title IV

The process for administering student financial aid is defined under Title IV of the Higher Education Act. The regulations change annually and a school is responsible for understanding each student’s eligibility for the various grants and loans, including the Federal Pell Grant, Federal Supplemental Education Opportunity Grant (SEOG), Federal Teacher Education Assistance for College & Higher Education Grant (TEACH), and Federal Direct Stafford Loans – Subsidized, Unsubsidized, Grad PLUS and Parent PLUS, etc.

Federal regulations require all schools to apply Title IV financial aid funds to tuition, mandatory fees, housing charges and book deferments.

If these federal funds aren’t tracked and applied to student charges correctly, it could be costly in terms of fines and lawsuits. A fully integrated school management system will either handle all the Title IV reporting or tightly integrate with Title IV specialty software.

The other area where a student information system becomes vital is the calculations required for meeting Title IV eligibility. In recent years new regulations have been instituted for graduate to employment rates and now institutions must certify that each of their gainful employment programs meets the accreditation requirements.

#2. Increase Student Retention

In a prior post on student retention I describe in detail all the ways a student information system can help keep more students enrolled.

This is of great importance since upwards of 30% of students won’t reach completion. When a student drops out, additional funds must be expended to attract and enroll the next student, in addition to the opportunity cost of future revenue.

Without a strong retention program, cost and reputation become central issues. A good student information system with retention scoring, degree auditing, judicial tracking, student attendance and grade book can make all the difference.

For more on how these features help your retention program check out my post, An Integrated Student Information System is Your Best Friend for Retaining Students.

#3. Integrated Data for Better Decisions

Probably the most important way an SIS saves money for your institution is by giving users real-time access to student records without requiring extra resources. Some small to mid-sized schools fall into a trap of purchasing separate school management systems for admissions or student retention and find they need additional man-hours for keeping the data in sync across all departments.

A bigger issue is schools who already have an SIS but purchase the latest new stand-alone software (admissions, for example) with a slick new user interface, hoping to integrate it with their existing SIS. Unfortunately, they realize afterwards the added costs required to maintain both systems outweigh the benefits, and often they plot a costly new course with additional software, training and implementation expenses.

For more details on why this can be a mistake, check out Student Management Software – Integrated ERP or Best of Breed.

#4. More Effective Recruiting

The cost of recruiting a student who eventually enrolls is over $2,400 (2). So all the time and money planning, managing and measuring the recruiting and admissions programs shouldn’t be wasted. The distribution of texts, emails and letters that are well tracked in a workflow that triggers automatic follow up is essential to an efficient recruiting operation.

While efficiency of operations is beneficial, what’s more important is how effective the recruiting operation is at finding and attracting the right candidates. An SIS with a robust admissions module will offer key insights into outreach programs that bear the most fruit and provide the tools for admissions counselors to focus on the most receptive candidates to grow enrollments.

#5. Better Accountability and Fraud Prevention

When mistakes or errors occur, it can be difficult to determine the source. If it’s an honest mistake you want to identify it so it can be rectified. Schools are under increasing scrutiny to guard against unauthorized or malicious activity and need tools to quickly identify areas of concern.

In either case the goal is to hold people working in the system accountable for their actions. That’s why a robust student information system will have an in-depth audit trail and user permission system that allows granular access and records of all changes.

Mistakes can occur when individuals are given access to areas they don’t need, so they inadvertently make a change to something they don’t understand. Robust controls are the key to accountability. User awareness that the system keeps tabs on all activity is a strong incentive for good behavior and accurate recording of data.


Institutions should routinely examine their school administration systems to ensure that they are providing a strategic advantage. If the system is not providing a high level of service or does not provide accurate and easy to obtain reporting, then alternatives should be investigated. The costs associated with poor recruitment, retention, reporting, and accountability may outweigh the cost of replacement. Return on investment should always be measured against these costs to keep your organization running smoothly and efficiently.


About the Author

Joe Stefaniak has been a leading expert for almost 30 years in the development and implementation of software solutions for higher education. His expertise is in helping colleges and schools streamline operations and manage information for better decision making through analysis and application of best practice software. He founded SCAN Business Systems in 1986. Its flagship product, Campus Café, has grown into a leading provider of educational student information systems. He holds a degree in Business Administration from Northeastern University.


  1. The Hechinger Report
  2. NACAC Admission Trends Survey, 2012.

Student Management Software – Integrated ERP or Best of Breed

Deciding on a single fully-integrated ERP system or multiple Best-of-Breeds?

For educational institutions, performing tasks like nurturing prospects, providing portals for students and faculty, maintaining ongoing relationships with graduates while managing financial operations and compliance regulations presents challenges that require a significant investment in student management software. Each task is part of a separate functional area with distinct processes and needs for collecting and utilizing data.

Selecting the best student information software to manage these disparate operations will involve a complex set of decisions. There is never a perfect solution, so prioritizing what’s most important is critical, since compromises must be made.

The final decision always comes down to a choice between either one fully integrated software system or multiple niche software systems, a.k.a. Best of Breed (B.O.B.). Either choice offers positives and negatives that should be weighed against the goals of your organization and the available technology resources.

A Fully-Integrated Information System

The main distinguishing benefit of a fully-integrated student information system is that it utilizes a single database for the entire organization. If implemented correctly, each individual has a single file housing all their information, which means all the data about that person is typically accessible in real time. Since all information is entered into a single system, the back-end inner workings are relatively seamless and the data integrity is usually very good. But there is a downside.

A fully-integrated system is very broad in functionality, fulfilling a wide range of needs for the organization. But like any software, it’s difficult to do everything well and in order to maintain this seamlessness for the full scope of the organization (which is no small task) other aspects of the system are usually de-prioritized. In most cases what you’ll find lacking are the user experience and some specific features that are not critical or essential for the majority of their customers.

A Fully-integrated ERP System: The Pros and Cons

Below I’ve listed the most important benefits and drawbacks to consider when comparing a fully-integrated ERP with B.O.B. software.


Pros

  1. More accurate and complete data.

  2. Consistent processes throughout the student lifecycle.

  3. Lower maintenance costs due to common architecture.

  4. A single user interface throughout the system.

  5. The overall Total Cost of Ownership is usually lower due to a unified business process.

  6. Single vendor is more accountable for solving issues.

  7. Fewer training costs due to common architecture.

  8. Subject-matter expertise levels are reached faster for the chosen technology.

  9. Single platform decreases evaluation, testing, proof of concept, and time to deployment.

  10. Economies of scale may afford opportunities for bundled (more price-competitive) license fees.


Cons

  1. Risk of sole reliance on one vendor.

  2. Risk of outdated technology and features.

  3. Less flexibility when adding new features and functionality.

  4. Downtime affects the entire system.

  5. Increased control and permissions required to ensure institutional data integrity.

Best-of-Breed Software

A best of breed system has the advantage of focus. These systems specialize in smaller functional areas like Admissions or Financial Aid and the features, user experience and look are built without much consideration for the other operational aspects of the organization. The features and functions are focused on user experience with added bells and whistles, but there is a significant downside: data integrity and accessibility.

Utilizing multiple database systems usually runs the high risk of information getting stuck in silos inaccessible to other parts of the organization when they need it, or the creation of multiple incomplete records for a single individual. For an organization to operate effectively it’s important that the information is complete, accurate and accessible and it can be a challenge getting multiple B.O.B software tools to operate together.

In an educational organization, there is no more dramatic example of this than the admissions department.

Best-of-Breed Software for Admissions

Admissions departments are under pressure to increase the pool of quality prospects. New marketing technologies seem to emerge every day with the promise of finding and attracting new prospects. The problem with adopting such new technology is the usual suspect: data integration.

Many inbound marketing technologies have two weaknesses. First, they’re industry agnostic and don’t have all the specific admissions functionality (application tracking, financial aid, transfer credit evaluation, etc.). Second, these tools generally use implicit data with limited biographical information to find, track, and nurture prospective students. All student records should have a unique identifier (Name/DOB or SSN) to tie the data together. For many standalone marketing or admissions products, a cookie or email address is often used as the unique identifier. The problem is that cookies and email addresses change frequently based on who is performing the search or what computer/phone performs the request. Therefore the data does not lend itself to later integration with the student information database because, by its nature, it contains little actual biographical data about the person to match up.

Since this data cannot easily be integrated into the ERP system, the organization is faced with some difficult choices.

  1. One choice is to use the best-of-breed software for the entire admissions cycle, which means specific functions like common application, Department of Ed integration, financial aid, transfer credit evaluation, and many other necessary functions are not available.

  2. Another choice is to manually enter, batch upload, de-dupe and correct the data. This can be very labor intensive and usually yields only an 80-90% accuracy rate.

  3. The third approach is to not integrate the best-of-breed software at all. Just import data into it and take advantage of its strengths and let it function in a silo.

Best-of-Breed Software for Financial Analysis

The Accounting/Finance department is the other place where B.O.B software is often found. This does not present a problem if the data from the ERP is only exported to the B.O.B tool for analysis and reporting.

However, there is often a temptation to create a shadow system where the financial package is maintained and synced manually with the ERP. This always presents a problem, since these departments usually require immediate access to real-time data for critical strategic decisions and there can be a lag between one system synchronizing with the other. There’s also the added man hours required to keep both up to date that should be factored in.

Best-of-Breed Software: The Pros and Cons

Below I’ve listed the most important benefits and drawbacks to consider when evaluating B.O.B software.


Pros

  1. Ability to choose the most feature rich product and latest technology for each department.

  2. Industry familiarity.

  3. Greater flexibility for replacing software modules.

  4. Maintenance and upgrades can be performed module by module without disrupting the entire system.

  5. Easier to implement a smaller department more quickly.

  6. Avoids single vendor dependence.

  7. Allows each department to operate independently of a centrally administered system.

  8. Often involves lower initial costs through more competitive licensing fees.


Cons

  1. Added complexity of multiple systems, multiple databases and multiple vendors.

  2. High potential for data integrity issues, duplicate data, missing data, incomplete records.

  3. Increased costs from data warehousing, complex networking.

  4. Integration points must be continuously updated and maintained.

  5. Increased difficulty troubleshooting due to added complexity and finger-pointing from multiple vendors.

  6. Multiple user interfaces increase training costs and confusion.

  7. Difficult to get a complete set of reports in a timely manner.

  8. Duplication of effort (e.g. address change must be entered into several databases).

  9. Architectural complexity creates high downstream costs to integrate and maintain diverse systems.

  10. Testing and running proof-of-concept trials involving disparate platforms and architectures increases time to deployment.

  11. Higher training costs; team members rarely achieve subject-matter expertise levels across every technology.

  12. Higher risks, as incompatible product road maps may create unforeseen disruptions, such as one vendor opting to stop supporting another vendor’s products.

  13. Lack of coordinated effort at shaping vendor roadmap for organization-wide functionality.

Mapping a software’s strengths and weaknesses to your priorities

Like with any software decision, it’s good to determine whether the strengths of the vendor align with your organizational priorities. The “must haves” should map to the vendor’s strengths, and the vendor’s weaknesses should be similar to the “can live without”.

The major areas to consider for making these decisions can be broken down into:

  • Data accuracy – How correct is the information?

  • Efficient operations – How much time will be saved?

  • Data accessibility – Can I get the information when I need it?

  • User experience – How easy is the system to use?

  • Cost – What is the return on investment *?

The following chart compares the strengths and weaknesses of a fully integrated system or B.O.B. software by evaluating data accuracy, efficient operations, data accessibility, user experience and cost, as it relates to the entire organization and a specific department. This is not scientific and can vary by organization but it serves as a good rule of thumb.

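[Chart: fully integrated system vs. B.O.B. software, compared on data accuracy, efficient operations, data accessibility, user experience and cost]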


Even after all this assessment, there are other factors that can tend to add further complexity. Competing interests are usually at play where a department will favor a best-of-breed over an integrated system, even though it might not be the best choice when considering the bigger long-term picture.

It is important with any software choice that the organization buys into the decision. A lack of buy-in may otherwise undermine any potential productivity gains.

The evaluation should always include an understanding of the level of integration that can be achieved especially from a technical standpoint since the other variables are subjective. The best way to do this is to look at other institutions and look at the support mechanism for user support, data integration, data warehousing needs, and institutional reporting. If all of these are being provided at a high level without large staff investments, then the solution should be considered.



* It is extremely difficult to actually compare the return on investment and total cost of ownership of an integrated system vs a best-of-breed approach. But the variables to include are:

  • Staffing levels and/or savings based on ERP approach.

  • Productivity gains or losses based on which approach is chosen.

  • Cultural issues sometimes referred to as turf issues.

  • User bias and/or lack of buy in which can undermine the efficiency of any organization.