Your institution should, therefore, learn and implement information security lessons from the recent security breaches affecting the other institutions.
Security Breaches in Higher Education
How Multi-factor Authentication Safeguards Admission Records
Hamilton, Grinnell, and Oberlin are the three colleges whose admissions records fell in the unauthorized hands of cybercriminals on March 7, 2019. The cybercriminals used the students’ nonpublic personally identifiable details like hostage and birth date to send applicant emails.
Though used by over 800 colleges globally, the violation linked to Slate; software used to manage applicants’ information in the institutions of higher learning. The software sends new applications, texts, and emails. In its defense, slate attributed the unauthorized access to illegal entry into the colleges’ password reset system.
The criminals took advantage of the lack of multifactor authentication for individual sign-on systems to break into the platform. The cyberattack incident placed the student's admission at risk.
If you are a tech-savvy student who is conscious of information security, join colleges and universities with efficient, reliable cybersecurity practices.
Why Protecting Email Matters
On October 19th, 2018, the Florida Keys Community College detected a data breach which happened between May 5th and November 5th, 2018. On 27th February 2019, the college announced the breach whose root cause was an unauthorized collection of workers emails. The announcement followed confirmation of compromised employees’ identities on January 7th, 2019.
Some of the stolen information comprised of the nonpublic personally identifiable information. Such as passport information, username, password, date of birth, social security number and medical information.
The 2018 Ponemon Cost of a Data Breach Report stated that 197 and 69 days as the average time taken to identify a breach and manage it respectively. However, the Florida Keys Community College outdid the record by detecting the breach in 167 days while the response happened in 7 days hence earning a C+ in the identification and an A- for their immediate response.
Though the grading is a positive one, the affected parties; faculty, students, and staff had nothing to smile about due to the compromise of their sensitivity, personal information which ended up with the cybercriminals.
To make the cyberattack successful, the criminals manipulated the weaknesses in the IP and domain configurations. The hackers also used the vulnerabilities on the number of connections to servers, SMTP authentication measures, coupled with a myriad of other network security problems.
How Vendor Risk Management Protects Student Records
The Stanford Daily reported that a campus student identified a vulnerability in the third-party content management system called NolijWeb. The vulnerability allowed Stanford applicants to view their Common Application forms.
Later In 2015, NolijWeb let students access their files using the identification numbers as part of the records' URL. By altering a few characters, you could quickly obtain the information.
Stanford discovered that the system was posing as a potential point of attack. After the realization, Stanford disabled entry to the software and put on hold online student’s access to the application documents. The documents were under the care of the Family Educational Rights and Privacy Act (FERPA).
All you needed to access the site was a valid student login. Later the vendor got cleared by the regular audits. Unfortunately, neither the NolijWeb nor Stanford could identify how long the vulnerabilities lived in the application.
Stanford is however not new to data breaches. Recently in 2017, permission to access a university-wide file sharing system directed all the Andrew File System (AFS) users to view files meant for preparing a sexual assault case.
In the month that followed, Stanford was at it again, but now the weakness was in the Business Graduate School site. The website leaked sensitive workers records.
The primary focus of all these information breaches was weaknesses tied to third-party vendors and those related to permission issues.
Four Steps to Securing Your Higher Education Data
Cybercriminals will manipulate data irrespective of the stage in which the information is. The data cycle has different stages such as collection, storage, and transmission. Despite knowing the sensitive nature of data they handle, the universities and colleges still fail to perform a risk review.
Instead, the institutions convert traditional data into digital data using Software-as-a-Solution enablement without caring if the platform is updated or from a new vendor.
Stanford is a perfect example because six years after 2009 it still used NojiWeb application for its scanned document needs despite NojiWeb’s vulnerability. All this time the application denied the students access to information stored online. Stanford was, however, exposed to vulnerabilities associated with either an upgrade or installation of a new system.
For enhanced safety of your students records irrespective of whether using an updated or newly integrated provider, identify and guard all points at which information gets stored, collected or transmitted.
Even with the increased use of mobile devices and the complex network architecture ranging from email servers, guest wireless and library domains, apply due diligence to secure networks and all your data by developing strong controls.
Focus on User Access and Authentication
Upon graduation, you should deny alumni access to your systems, networks, and software. Giving the graduates access magnifies the authentication threats.
Additionally, enforce the multi-factor authentication in your college or university. Cybercriminals can quickly gain access from a misplaced laptop of Smartphone which is left open thus increasing malicious activities on your information. Increased use of mobile technologies by students call for the establishment of additional measures and procedures.
Monitor Vendor Risk
How proficient is your third-party vendor in matters of information security? Use strict standards such as those you use in the admission of first years to gauge the suitability of your vendor.
Analyze your third-party service provider especially upon identifying a threat to see if they pose further danger to your records. If you are working with a SaaS provider who aids you in the collection, storage, or transmission of staff, student or faculty's information, make sure they do it per your institution's risk tolerance.
Also, ensure you sign Service-level agreements with your vendors. The contracts should document the adequate, standard controls as well as resultant consequences for failure to enforce and maintain the set controls.
What can you learn from higher education security breaches? From their nasty experiences, learn to employ robust control systems for your organization's information system and leverage tools for higher-education that help monitor and maintain your infrastructure’s data security.