Cybersecurity Compliance in the Education Industry: How to Protect Students’ Personal Data

The education industry is facing a growing threat from malicious cyberattackers, both external and internal. According to the Cyber Attack Trends report [PDF] by Check Point Research, the education and research industry suffered from 44% more cyberattacks in the first half of 2022 compared to the same period in 2021. Therefore, cybersecurity in the academic industry is of paramount importance now.

Although many countries across the globe impose strict cybersecurity rules, the vast number of these rules (and their constant updates) make it challenging for educational institutions to meet all cybersecurity requirements. In this article, we highlight the importance of having robust cybersecurity in the education industry and list major cybersecurity standards, laws, and regulations that apply to educational organizations in different countries. In addition, we offer seven best practices for a robust cybersecurity strategy.

The importance of securing students’ personal data

Enforcing resilient information security in education to ensure the safety of students’ data and privacy is extremely challenging. External attackers and internal threats can cause cybersecurity breaches involving personal data compromise.

For instance, in March 2021, malicious hackers attacked Broward County Public Schools in Florida with ransomware and demanded a ransom of $40 million. When the school district refused to pay, the perpetrators published the stolen information on the gang’s data leak website. Later in June, it turned out that the files included names and Social Security numbers of students as well as current and former employees.

4 reasons to protect students’ personal data in educational institutions

There are many reasons to implement robust information security in educational institutions. We highlight the major reasons below.

Cybersecurity threats in educational institutions can come from various sources. Here are the most common:

• Downloading free textbooks from suspicious sources, which can introduce malware to an institution’s computer networks
• Email-based threats like phishing that can introduce malware or ransomware
• Unsecured personal devices that make a facility’s wireless network vulnerable
• Targeted cyberattacks on educational institutions (like DDoS attacks) that aim to render a website or service inoperable
• Malicious and negligent insiders

The most common outcome of any attack on an educational institution is financial loss, which may include fines for non-compliance with cybersecurity requirements, ransom payments, legal settlement expenses, and costs for recovering from the attack. For example, Lincoln College in rural central Illinois paid a ransom of nearly $100,000 to recover data blocked by an attack in December 2021. However, even after recovering the data, the college could not overcome the outcomes of the ransomware attack and the 157-year-old educational institute had to close its doors.

Securing students’ personal data is vital not only because of potential financial losses but also because of reputational damage. Bad publicity may scare away potential students and hinder cooperation with businesses and government organizations on various research projects.

Before we move on to cybersecurity techniques for ensuring robust data protection, let’s take a look at the essential compliance requirements for educational institutions.

What laws, regulations, and standards should you comply with?

One of the biggest problems when it comes to meeting cybersecurity requirements is that there are so many data security standards, laws, and regulations for the education industry, it’s hard to keep up with them all.

Since schools, colleges, and universities process many types of data, they have to comply with requirements that also target healthcare, financial, and government organizations. Later in this article, we’ll look into some of the laws, regulations, and standards educational organizations in the US, the European Union, Canada, and Australia need to follow.

Acts of legislation that protect students’ personal and educational data

The most important personal data protection regulations and laws educational organizations must follow are:

• The Family Educational Rights and Privacy Act (FERPA) is a US federal law that safeguards the confidentiality of student education records and is applicable to all educational institutions receiving funds through programs of the US Department of Education. FERPA expressly forbids the disclosure of confidential personally identifiable student information without a student’s or an authorized party’s written consent.
• The Children’s Online Privacy Protection Act (COPPA) requires website operators and online service providers in the US—including education technology vendors—to (1) obtain explicit parental consent before collecting, using, or disclosing children’s personal data; (2) implement proper data protection measures; and (3) restrict sensitive data collection and usage.
• The Higher Education Opportunity Act (HEOA) is a US law that requires institutions of higher education to secure students’ sensitive data.
• The Protection of Pupil Rights Amendment (PPRA) is a law that protects sensitive personal information collected from students by educational institutions and programs that receive funds from the US Department of Education.
• The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal privacy law in Canada that regulates the way private-sector organizations collect, use, and disclose citizens’ personal information.
• The Freedom of Information and Protection of Privacy Act (FOIP Act) is a provincial law aimed at helping public-sector bodies in Alberta, Canada maintain the balance between the public’s right to access information and an individual’s right to personal privacy.
• British Columbia’s Personal Information Protection Act (PIPA) is a provincial law that applies to any private sector organization and regulates how those organizations can collect, use, and disclose personal information.
• The Privacy Act 1988 governs privacy and data protection in Australia and outlines principles and rules of personal information collection and processing for organizations, government agencies, and other entities.
• The Australian Privacy Principles (APPs) regulate the collection, use, and disclosure of personal information, as well as organizational accountability, data integrity, and individuals’ rights to access their personal data.
• The General Data Protection Regulation (GDPR) protects the personal data of European Union (EU) residents and addresses the transfer of their personal data outside the EU area. If a US-based institution educates or employs EU citizens, it must comply with GDPR requirements.

Laws that require protection of students’ healthcare data

Major healthcare data protection laws are:

• The Health Insurance Portability and Accountability Act (HIPAA) is a law that requires schools to protect students’ health information, whether that be insurance information or information on health issues. Any medical center on a school campus must comply with HIPAA just as a doctor’s office must.
• The Health Information Technology for Economic and Clinical Health Act (HITECH) is a law created to promote and expand the adoption of health information technology: specifically, the use of electronic medical records by healthcare providers.
• The Health Records Act 2001 is a state law that regulates the collection and handling of health information by organizations in Victoria, Australia.

Directives for securing students’ financial data

Key financial data protection acts and standards include:

• The Gramm-Leach-Bliley Act (GLBA) is a US federal law that focuses on financial institutions. Higher education institutions must also comply with the GLBA’s Safeguard Rule, as these institutions deal with large inflows and outflows of money.
• The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary standard created by major credit card companies, including Visa and Mastercard, that governs the handling of credit card information. Schools and universities that receive card payments for education must meet PCI DSS requirements.

Laws and guidelines protecting the privacy of research data

The most common legislation and industry requirements that demand the protection of reseach data are:

• The Federal Information Security Modernization Act (FISMA) is a US law that applies to government agencies, contractors, and entities that collect or maintain the information of any federal agency. As some universities collaborate with federal agencies on research projects, it’s also important for them to have FISMA compliance software.
• The National Institute of Standards and Technology (NIST) Special Publication 800-171 applies to higher education institutions with whom the government shares information for research purposes. Such institutions require a NIST 800 171 compliance solution.

Securing students’ data and ensuring compliance with federal and state IT security requirements demands a complex approach. Let’s explore the most essential steps toward resilient cybersecurity in educational institutions.

Meeting IT Compliance Requirements with Ekran System

Best practices to protect students’ personal data

Educational organizations have to put lots of effort into effectively protecting students’ personal data and achieving IT compliance.

Considering the vast number of data protection laws and standards that apply to the education industry, meeting the major requirements seems challenging. However, it gets easier when you follow these seven best practices for developing a strong cybersecurity strategy and securing sensitive data.

1. Define risks

A thorough risk assessment starts with identifying all valuable data stored and processed by your institution. You should determine which information is subject to compliance requirements to know what to secure first. Next, concentrate on possible cybersecurity threats from both outside and inside your organization. Last but not least, you should assess your current protection measures, making sure there are no weak points.

2. Ensure the security of stored data

Paying attention to the security of stored data is a great way to minimize the risk of its compromise. Consider following these measures for securely storing data:

• Back up data regularly. Even if a hacker or intruder successfully retrieves data, backups will help cybersecurity teams identify which systems and applications were compromised as well as recover damaged or deleted data.
• Keep all your software updated, especially antivirus tools. Outdated software may contain vulnerabilities that are known to hackers.
• Allow only authorized staff to access students’ sensitive data. Not all of your employees need students’ personal data for their routine work. Make sure this data can be accessed by as few users as possible.
• Use data encryption techniques to safeguard your data against hackers and malicious insiders.
• Secure access to your organization’s networks with a multi-factor authentication (MFA) mechanism to enhance the authorization process and prevent unauthorized access by anyone who comes into possession of credentials.

Appointing a Chief Information Security Officer (CISO) is another common and helpful practice among higher education institutions. A CISO is responsible for implementing security requirements, assessing risks, checking for changes to compliance requirements, responding to potential security incidents, and conducting regular cybersecurity audits in your educational institution.

We offer a Practical Guide & Worksheets for Building Insider Threat Program written especially for CISOs by Jonathan Care, a recognized cybersecurity expert. This comprehensive guide equips CISOs with the knowledge and tools needed to protect sensitive data.

3. Manage access rights thoughtfully

Make sure your employees can access only the data they need for their jobs. Elevated access rights are always a risk, since a user can steal or compromise sensitive data on purpose or can accidentally delete or expose it.

To ensure robust access management, apply a zero-trust model that allows you to grant access to critical applications and data only to those users that have already been authenticated and verified by your system.

Also, consider implementing a just-in-time privileged access management model to grant access permissions only when users need to perform specific tasks and for no longer than the time required to fulfill those tasks.

4. Monitor user activity

Various users may put students’ personal data at risk and cause cybersecurity incidents either unintentionally or on purpose. These can be both malicious and negligent insiders or third parties that have access to your network.

Establishing robust user monitoring will help you track all actions users have performed on corporate devices and within educational networks.

Moreover, tracking and monitoring all access to network resources is required by PCI DSS, and maintaining records of all activities related to data processing is required by the GDPR. Records of user activity monitoring can also be used as evidence when investigating a cybersecurity incident.

User Activity Monitoring with Ekran System

5. Create a cybersecurity policy

A written cybersecurity policy is a must for every organization, since a cybersecurity policy provides a full picture of how the institution ensures data protection, applies security procedures, mitigates threats, and recovers from incidents.

All employees and students should be familiar with the cybersecurity policy so they know how their data is held, learn the primary cybersecurity rules, and understand the severe consequences of violating the policy’s recommendations.

6. Educate students and staff

More than cybersecurity policies, your institution needs education for students, teachers, professors, and staff about using organizational systems and data safely.

For instance, an inadvertent mistake such as opening a suspicious email may lead to a ransomware attack and its unpleasant consequences. Thus, the Verizon 2023 Data Breach Investigations Report states that social engineering is among the top three causes of data breaches in the education industry.

The best way to avoid social engineering and other attacks is to create training programs for both staff and students that:

• Raise awareness of potential dangers that data breaches and threats can bring to your organization
• Teach best practices and measures that should be taken to protect sensitive data
• Educate about simple security mistakes like not logging out of an account when leaving a computer and downloading suspicious files
• Explain the consequences of cybersecurity incidents
• Go hand in hand with the formal written educational institution security policy

7. Deploy dedicated software

Since compliance requirements often dictate that all user actions with sensitive data should be monitored and recorded, you have to deploy a reliable monitoring solution, such as GDPR or PCI DSS compliance software.

User activity monitoring tools help you to:

• Watch user sessions both in real time and in records to make sure employees securely handle critical data
• Get a full picture of user actions with both video and audio monitoring
• Detect suspicious activity and instantly get notifications

With dozens of user activity monitoring solutions on the market, every organization should choose what best suits their specific needs. Ekran System contains various useful features, such as continuous monitoring, user session recording, user and entity behavior analytics (UEBA), and automated incident response to help businesses protect their networks and data and comply with cybersecurity regulations.

Ekran System ensures data protection in educational organizations

Ekran System is a full-cycle insider threat management platform that effectively monitors and records user activity, as well as deters, detects, and disrupts insider threats.

Our solution can help your organization secure sensitive data by:

• Assisting you in meeting IT compliance requirements such as those imposed by the GDPR, PCI DSS, HIPAA, and more
• Monitoring and recording user activity which allows you to search through records for launched applications, opened URLs, typed keystrokes, and more
• Enhancing the security of access to your sensitive resources and systems with MFA and one-time passwords
• Managing privileged access and monitoring the activity of privileged users
• Sending real-time alerts on suspicious activity and addressing potential dangers automatically
• Gathering evidence for cybersecurity incident investigations
• Anonymizing monitored data to protect employees’ and vendors’ privacy

Ekran System insider threat management platform enables your educational organization to closely monitor user activity and immediately respond to emerging threats so you can prevent incidents rather than mitigate their consequences.

Privileged Access Management with Ekran System

Conclusion

Meeting all the necessary compliance requirements and ensuring information security for educational institutions is a challenging and continuous process. Standards for educational institutions are constantly updated while hackers and malicious insiders devise new tricks to compromise and steal your critical information.

The practices we offer above can help you develop a solid cybersecurity strategy and meet industry requirements. With Ekran System, you can significantly enhance your insider threat protection strategy, secure student data, and get closer to full compliance.