Cybersecurity Practices that Safeguard Student Data

Colleges, universities, trade and vocational schools are gatekeepers for a significant amount of sensitive data on their students, employees and vendors. A cybersecurity breach is not only disastrous and disruptive for the school, but its impacts can potentially ruin an individual’s credit.

Schools process and store significant amounts of personal and financial data that’s spread across admissions, billing, financial aid, and the registrar’s office. Consider this data snapshot: A student record includes at a minimum such personal information as a student’s name, date of birth, Social Security number and email address.

Higher education is an enticing target for cybercriminals, especially schools that have an outdated IT infrastructure. A cloud-based student information system is a good first line of defense and working with a trusted and experienced technology partner can help further fortify your institution with proper cybersecurity training, best practices and contingency plans.

This post will cover what you need to know about higher education cybersecurity to safeguard data.

How do cyber attacks impact higher education?

The free flow of information is the bedrock of a well-functioning institution, with students, faculty, and staff sharing documents and files. But that communication also makes protecting student data and system security a challenge. Combine the various users with extensive personal information and student records, and the cybersecurity risks pile up:

Financial Risk: A cyberattack can be highly disruptive and costly. If your school is hit by ransomware, the costs can be staggering. According to a report from digital security firm Sophos, half of higher education institutions hit by a ransomware attack paid to restore their data, and the average cost was $1.42 million.

There are also costs associated with penalties and fines from regulatory agencies, as well as expenses necessary to restore operations.

Operational Risk: Many schools struggle to return to normal operations after a cybersecurity event. According to Sophos, 40% took more than a month to recover, which was higher than the global industry average of 20%. Even after paying a ransom, only 2% of schools got all their data back, while 60% reported they restored some data.

Reputational Risk: A cyber attack is bad press for your school. Students, staff, prospects and alumni will be concerned about their data and for good reason. If a cyber attack hits your school, your team must spend time and resources communicating with stakeholders to address their concerns. Then, you’ll need to rebuild their confidence.

What are the most common cyber threats in higher education?

Cybercriminals can attack your school’s systems in multiple ways. Below are the most common dangers to be aware of and what to train your staff to be vigilant about.

Malware: This is software designed to infiltrate a computer system and steal or disrupt services.

Ransomware: A type of malware in which a cybercriminal gains access to a computer system or files and locks the administrators out, demanding a ransom to release or restore the data. 

Higher education is particularly vulnerable to ransomware attacks. Among Sophos respondents, 64 percent of schools said they had suffered a ransomware attack, and nearly three-quarters of those attacks were successful.  

Phishing: A cyber tactic in which a bad actor gets access to a user’s computer or data by tricking them into opening or clicking a link in an email or sharing information. 

Phishing is a pervasive problem: More than 90% of all cyber attacks across all industries start as phishing against unsuspecting victims. Once they have access, the criminals can steal data or deploy malware.  

Internal threats: If employees store credit card information or Social Security numbers on their computer desktop or leave them in their email inbox or outbox, that data is not secured and could be vulnerable. Remind your employees to delete emails and empty their trash. Sometimes, users with access to sensitive material may steal and use data illegally.

What Practices Safeguard Student Data?

The best defense against cyberattacks is a potent offense. Campus Cafe recommends that schools take the following measures: 

Training, training, training 

The more training your staff, students and even parents receive on information security, the more secure your school’s information will be. Train your users to identify suspicious emails and never open them. No one should email asking for personal information, passwords, bank account information or credit card numbers. Create an inbox where employees can forward suspicious emails, or let them know who to contact. Proactive training can significantly reduce your school’s exposure to phishing. Security companies and agencies, such as KnowBe4, can offer online training services for your employees.

Audit your system

Many institutions rely on their SIS partner to manage the cloud security for their student information system. A reputable SIS cloud vendor will regularly perform these services on their cloud environment. However, that won’t protect your school’s internal network or other IT infrastructure. To determine potential threats, have your IT team or a third-party company audit your systems. Perform a pen test, which evaluates your network infrastructure, and review other security procedures, including password management, permission maintenance, data storage and backup procedures. At a minimum, your school should audit its systems annually; the results will provide a roadmap for how to shore up your defenses.

Toughen up your security

An audit will give your school a detailed assessment of the holes in your security, but there are also common measures your institution should have in place to fortify your systems. Administrators can tighten users’ access to data via permissions. It’s also good practice to install a multi-factor authentication (MFA) system, which requires users to confirm their identity or password on a second device. Additionally, you can require users to create secure passwords: longer strings of more than eight characters that combine numbers, symbols, and letters and that are changed frequently.

Delete sensitive information

Your staff has been trained to shred paper with sensitive information, and the same rules apply to electronic correspondence. If personal or financial information such as Social Security or credit card numbers is sent via email, employees should immediately delete the email and empty their trash. If the information goes into a document or spreadsheet, that file should be deleted once the data is processed. Information left in email inboxes or on computer desktops is not secure and is easy for a cybercriminal to access.
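An added example (not from Campus Cafe or the original post) of how an IT team could check shared folders or exported mail for the leftovers described above: it flags dash-formatted Social Security numbers and Luhn-valid card numbers in text files and reports them masked. The function names, file suffixes and sample data are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Dash-formatted SSN; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(value):
    """Keep only the last four digits so the report is not itself sensitive."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text):
    """Return (line number, kind, masked value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append((lineno, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((lineno, "card", mask(m.group())))
    return findings

def scan_tree(root, suffixes=(".txt", ".csv", ".eml")):
    """Scan plain-text files under root; suffix list is an assumption."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path.relative_to(root))] = hits
    return results

# Constructed sample: a placeholder SSN, a public test card number, an order reference.
SAMPLE = "SSN: 123-45-6789\nCard: 4111 1111 1111 1111\nOrder ref: 1234 5678 9012 3456\n"

if __name__ == "__main__":
    for lineno, kind, masked in scan_text(SAMPLE):
        print(f"line {lineno}: {kind} {masked}")
```

Binary formats such as spreadsheets and PDFs need their text extracted first; this sketch only reads plain-text files.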

Limit permissions

To create layers of security, your school can restrict access to sensitive information. Only provide permission to staff who regularly need access to do their jobs. The golden rule is to give employees the fewest permissions they need to do their job. You can always grant more access as required.

Upgrade to off-site, cloud-based storage

A cloud-based student information system like Campus Cafe Software is backed up daily and encrypts all your data, which gives you peace of mind that your information is safe and secure. If you are attacked, you can restore your data from a real-time backup on the cloud.

A legacy SIS that uses on-site servers and storage is more vulnerable to cyberattacks and breakdowns, which can impact security and your ability to restore data after a breach. 

Understand and Follow FERPA

The Family Educational Rights and Privacy Act of 1974 limits access to educational information and records. To protect students’ privacy, the federal government requires schools to safeguard student records and maintain FERPA compliance. If schools are not compliant, they can face fines. Adhering to FERPA is a good business practice, too, as it fortifies your school against cyber criminals.

Why you should work with a trusted tech partner

When you have a trusted technology partner on your side, you’re not alone in the fight against cyber attacks. Your school’s student information system is part of your first line of defense and your SIS vendor can help train and support your team.  

When a school is evaluating SIS vendors, we recommend the following considerations:  

  1. Train your team on cybersecurity and information security, recognizing and avoiding threats, and what to do if they are concerned about a breach. Update training annually and require that new employees receive full training.

  2. Make sure you have up-to-date plans for both response and recovery. If your school is attacked and loses data, your SIS vendor can restore information from your latest backup. Find out how long that will take and if there will be any additional expenses. Will you pay the ransom, and if so, what is your insurance coverage? Outline a strategy to communicate with students, staff, and any impacted third parties.

  3. Ask your SIS partner about their security protocols, including MFA and frequently updating passwords. Be sure your IT team and administrators understand how to manage and assign permissions and whom to contact at the SIS provider if they have questions or problems.

  4. Review your SIS provider’s plans to enforce best security practices and protect personal information. Do they use MFA? How often do they upgrade server and system security? What are their disaster plans?

  5. How is financial and billing information maintained? Campus Cafe, for example, does not store billing information in the SIS and integrates with trusted third-party encrypted payment and authorization apps, including PayPal and DocuSign, which comply with Payment Card Industry (PCI) standards.

The Bottom Line: Work With an Experienced, Dedicated Partner

At Campus Cafe, we understand that our partner customers need the strongest protections. We are dedicated to providing the highest-level information security and supporting our clients’ training and data security needs.
We follow strict 2FA protocols, ensure our servers are secure, train our staff regularly on the best information security standards, and follow the highest access and password maintenance standards.

To see how Campus Cafe can improve your school’s cyber defenses and keep your sensitive data secure, contact us for a demo today.
