With more colleges and universities incorporating Software-as-a-Service (SaaS) platforms to enable registrars, admissions, and financial aid offices, they are collecting more electronic student information. Couple that with weak networks and systems, and the state of cybersecurity in higher education earns an F. To remain solvent in an era of continued student recidivism, higher education needs to focus more efforts on protecting this information from cybercriminals.

Information Security Issues Facing Higher Education

What is the state of cybersecurity in higher education?

Recent research indicates that colleges and universities rank third for data breaches. Additionally, a recent 2018 Education Cybersecurity Report indicated that application security, endpoint security, security patch management, and network security increasingly plague the industry. With more institutions enabling their processes with technology and more students using technology in classrooms, the data perimeter is gaining a freshman fifteen. In 2018, the Educause IT Issues Panel sent a survey to 11,397 institutions listing the top 15-20 topics it felt placed the industry at risk. Although only 405 responded, the top ten list for 2019. With six of the top ten relating to data security risks, it is important to review some of the reasons for these systemic issues.

Why higher education struggles with creating an information security strategy

Official offices within higher education, such as admissions and registrars, are not the only locations where people can access student data. Increasingly, faculty and staff use cloud-based platforms that contain personally identifiable information to send academic warnings, submit grades, and communicate with students. Moreover, these individuals often use mobile devices or connect to the platforms remotely. Thus, the number and location of threat vectors increase giving cybercriminals more opportunities to exploit vulnerabilities. Thus, higher education struggles to inventory data assets, including all the devices, networks, systems, and software accessing student information. Since creating a catalog of assets is the first step to establishing a risk-based security strategy, higher education fails even before it starts the process.

Why higher education struggles with privacy

With the large numbers of people handling student data, privacy struggles align to data perimeter size. Although integrated with security, privacy also incorporates control over how information is used. Thus, all individuals within an institution need to be thoughtful in their data collection processes. Faculty, attempting to help students bombarded by increasing debt, often incorporate free services such as YouTube for TedTalks. However, these services collect information such as IP addresses while others require logins. All of this information places student data and institution data at risk. Moreover, students may not understand how to manage their data. They assume that they need to opt into services and information sharing and may not be aware that they can control it. Thus, they use their school email addresses for logins across social media and the internet. If the students also suffer from poor password hygiene, then cybercriminals can use those emails and passwords to gain unauthorized access to databases containing private information.

Why higher education struggles with securing digital integrations

The short answer here is the incorporation of cloud platforms. Whether institutions of higher education are using the Google Cloud for document sharing or for aggregating big data in the Google Cloud Platform or Azure, they’re sending information across more services and networks. Moreover, different departments may be using different applications to enable research initiatives. A sociology department and a biology department require access to different databases. Each database requires a new API that enables the data sharing back and forth. All of these new vendors and applications increase the data environment’s perimeter. Moreover, academic departments may not be communicating effectively with the IT department. Particularly at large research institutions, the number of applications can be overwhelming. Monitoring their control effectiveness means engaging in more interdepartmental conversations. Thus, institutions focusing their vendor risk management programs on initial installation and cost may be neglecting the security risks these integrations pose.

Why becoming a data-enabled institution increases the security risks

Every year, new data analytics to promote student success appear on the market. The more data institutions collect, the greater their student success levels will be. New behavioral tracking gathers student data in a myriad of forms. For example, a researcher at Arizona State University triggered data privacy concerns looking at freshman retention rates based on student ID card use. Student routines and relationships were tracked by their locations and, despite the researcher anonymizing the data, students did not realize they could opt out. Despite seeking to predict behaviors promoting student success, the collection put the students’ information at risk by tracking it. Additionally, institutions may need to collect this information to provide better insights. Aggregating student academic warnings in real time and slicing it by demographics can help provide more insight into how to promote success. Thus, higher education needs to focus on securing data so that they become the data-enabled institutions of the future and remain relevant.

How data management and governance need to be retooled to protect student information

Higher education’s data management and governance programs started by using large databases. These single sources of information, aggregated in one location, were easy to manage. Unfortunately, this model is not sustainable in a data-driven era. Students want access to grades. Professors want access to research. Administrators want access to analytics to enable student success. Data is no longer located in a single location that can be managed by a single IT manager, CISO, or CIO. More stakeholders mean more conversations need to happen so that higher education can establish security controls across the IT environment and its expanding ecosystem. User access and authentication, firewalls, security patch management, and anti-malware/anti-ransomware software need to be unified across the institution.

How ZenGRC Enables Higher Education

To help organize their risk management and information security programs, institutions need an automated process for tracking and documenting your security reviews. ZenGRC allows organizations to prioritize tasks so that everyone knows what to do and when to do it so that stakeholders can more rapidly review the “to do” lists and “completed tasks” lists. With our workflow tagging, CISOs can assign tasks to the individuals responsible for the activities involved in risk assessment, risk analysis, and risk mitigation. Finally, with our audit trail capabilities, institutions can document remediation activities to prove that they maintained data confidentiality, integrity, and availability to protect student privacy. For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.