Nowadays, educational institutions have a lot on their plates when it comes to the security of students’ personal data. Not only are data breaches in general more frequent now than ever before, but higher education institutions are among the prime targets. According to the ECAR report, higher education institutions reported more data breaches than both businesses and government institutions, second only to healthcare organizations. Moreover, only a third of these breaches are caused by malicious hackers; mistakes, phishing, lost devices, and malicious insiders are among the causes making up the other 64%.
What makes higher education institutions such attractive targets is that they often hold a very large amount of sensitive private information while lacking proper defenses. Social security numbers, financial information, healthcare information, intellectual property and much other valuable data on both students and staff can easily be obtained via phishing, malware, or the actions of malicious and inadvertent insiders, and there is very little that most higher education institutions can do to prevent this.
While the government provides a number of laws and regulations enforcing security standards aimed at helping organizations protect sensitive data, there are so many of them, and they change so rapidly, that they often serve only to confuse things. Instead of becoming an effective tool for helping colleges and universities establish efficient security, compliance often simply becomes a list of boxes to be checked without any consideration of the actual needs of a particular organization and the actual risks it is facing. This, coupled with a shortage of experienced specialists and the high prices of security solutions, most of which are aimed at large enterprises, makes protecting students’ personal data no easy endeavor.
However, this does not mean that the task is impossible. By arming yourself with security best practices and turning compliance regulations into a tool for strengthening your security posture, you can keep your university or college protected and achieve some parity in the endless arms race with hackers and insiders.
Compliance regulations for higher education institutions
One of the biggest problems with cybersecurity compliance in the education industry is that there are simply too many regulations, and it is very hard to keep up with all of them. Each type of data, such as healthcare or financial information, is regulated by a particular law, usually designed with other industries in mind. It is the task of a college or university to bring all of these requirements together and mold them into a single cohesive security posture able to withstand all attacks.
Such regulations include:
- HIPAA – The Health Insurance Portability and Accountability Act of 1996 regulates the handling of healthcare data. Created to establish a nationwide standard for protecting personal healthcare information, HIPAA tasks every college and university with protecting the privacy of the students’ healthcare information in its possession, establishing limits on disclosure without authorization.
- HITECH – The Health Information Technology for Economic and Clinical Health Act in many ways covers the same ground as HIPAA, but expands on it by also covering business associates. It dictates that the necessary safeguards be put in place to limit access to protected health information (PHI). When such data is breached, the act requires the institution to notify all involved parties.
- FISMA – The Federal Information Security Management Act of 2002 is designed first and foremost to create information security standards for federal agencies. However, it also covers higher education institutions when they act as contractors for federal agencies and use federal data in their research. The handling of such data is then regulated by FISMA, which dictates that security programs and policies be implemented and requires risk assessment.
- GLBA – The Gramm-Leach-Bliley Act governs the handling of any personal or personally identifiable information by financial institutions, putting limits on collecting and disclosing such data, as well as requiring adequate protection. Thus, any financial information in the possession of colleges and universities is covered by GLBA regulations.
- Red Flags Rule – Based on sections 114 and 315 of the Fair and Accurate Credit Transactions Act, the Red Flags Rule governs the handling of personal financial information, including limiting the ways it can be shared.
- PCI DSS – A proprietary standard created by major credit card companies, including Visa and MasterCard, that governs the handling of credit card information. While compliance with the standard is not required by federal law, it is still required in some states.
As can be seen from the list, there are a number of compliance regulations covering every type of data that higher education institutions can possess, including financial data, healthcare information, personal data, social security numbers, etc. And while many of these regulations have fairly similar requirements, there are a lot of nuances to keep track of. Moreover, each of these regulations is constantly changing and being updated, making it very hard to keep track of them all. In this situation the right approach to compliance becomes a key factor in achieving it and keeping your data protected. You need to establish a risk-based security strategy, educate your students and staff, and employ solutions to secure data access and monitor user activity in order to protect student information from both insider and outsider threats.
Formulate effective security strategy
The first step toward achieving higher education IT compliance and effectively protecting students’ personal data is to formulate an efficient security strategy that allows for quick incident detection and timely response. This security strategy should govern the implementation of all new security measures and should include all the steps necessary to achieve compliance. The security strategy determines the plan of action for the next period and thus the priority of implementing particular security measures. To this end, a risk-based approach is the best way to formulate an effective security strategy.
A thorough risk assessment starts with identifying all valuable data. Then you need to establish potential threats and attack vectors. This allows you to review the security measures currently in place and determine security gaps and ways to close them. As a result, you will be able to prioritize security measures and create a plan of action that allows you both to achieve compliance and to reliably protect the confidentiality of students’ data.
Create security policies
One of the results of formulating a valid security strategy is the creation of a written security policy. Such a policy details and formalizes all the necessary security procedures, which makes enforcing them much easier. All employees and students should be made familiar with the policy and should be aware that breaching it will lead to serious consequences.
Appoint a CISO who will be responsible for the contingency plan
Security assessments in many institutions show that often no single person is responsible for implementing security and coordinating the response in case of an incident. Moreover, many institutions either don’t have a response plan at all or have a set of very complex and convoluted plans that cannot be executed when needed. Many compliance requirements dictate that higher education institutions appoint a dedicated Chief Information Security Officer who is responsible for all security processes within the organization. Appointing a CISO gives you a single person responsible for tackling incidents and overseeing efforts to secure students’ personal information.
Create a security awareness program for employees and students
As already mentioned above, the ECAR report shows that a third of all data breaches in higher education are caused by unintended disclosure, i.e., inadvertent mistakes and things like phishing attacks. In other words, breaches occur when your employees violate security policies and best practices without realizing the full extent of their actions and the harm they can potentially bring. The best way to avoid this is to create training programs and raise awareness among both staff and students of the potential dangers of data breaches, the threats that your college or university is facing, and the best practices and measures that should be taken to protect sensitive data. Obviously, such an awareness program should go hand in hand with the formal written security policy. But even apart from that, simply making your employees familiar with the concept and making them aware of their own actions and their potential consequences will greatly reduce breaches via unintended disclosure.
Use two-factor authentication for securing key assets
One of the key compliance requirements in many regulations is to safeguard and limit access to sensitive data. To this end, user privileges need to be managed according to the principle of least privilege, where access to sensitive data is prohibited by default and granted only when necessary. At the same time, additional authentication measures should be used to confirm the identity of a person accessing sensitive data. Additional authentication not only makes it much harder to steal an account, but also solves the problem of shared account usage, making it possible to reliably identify each individual user.
In most cases access management software is used to restrict access to data and control who accessed particular information and when. Such software allows user accounts to be managed efficiently and often even provides some basic user action monitoring capabilities, although its main disadvantage is that it is mostly aimed at large enterprises and often proves very expensive for the average college or university.
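As an added illustration of the two controls described in this section, default-deny access grants and a second factor before sensitive data is released, here is a small Python example. It is not code from this page or from any access management product. The role table and the data categories are constructed for the example; the one-time code check implements the standard HOTP/TOTP algorithms (RFC 4226 / RFC 6238) with only the Python standard library.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed role-to-data-category grants for the example. Anything not listed
# here is denied: the table is the "allow" side of a default-deny policy.
ROLE_GRANTS = {
    "registrar": {"student_records"},
    "bursar": {"financial"},
    "health_center": {"phi"},
}

# Categories that require a second factor on top of a valid session (assumption).
MFA_REQUIRED = {"student_records", "financial", "phi"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1 and dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second time-step counter."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: float, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side to tolerate clock drift."""
    counter = int(timestamp) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def authorize(user: dict, category: str, otp_code: Optional[str] = None,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Default-deny check: the role must hold an explicit grant for the category,
    and sensitive categories additionally require a valid one-time code for this user."""
    now = time.time() if now is None else now
    granted = ROLE_GRANTS.get(user["role"], set())
    if category not in granted:
        return False, "denied: role has no grant for this data category"
    if category in MFA_REQUIRED:
        if otp_code is None or not verify_totp(user["totp_secret"], otp_code, now):
            return False, "denied: second factor missing or invalid"
    return True, "granted"


if __name__ == "__main__":
    # Constructed user; in practice the per-user secret lives in a protected store.
    registrar = {"role": "registrar", "totp_secret": b"12345678901234567890"}
    code = totp(registrar["totp_secret"], time.time())
    print(authorize(registrar, "student_records", code))   # granted
    print(authorize(registrar, "financial", code))         # denied: no grant
    print(authorize(registrar, "student_records"))         # denied: no second factor
```

Every decision returned by `authorize` is exactly the kind of event the monitoring discussed later on this page should record, since a denied request for a category outside someone's role is an early signal of privilege abuse or a compromised account.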
Handle passwords in a secure manner
User passwords are one of your main lines of defense and need to be handled with particular care. While two-factor authentication acts as a safety net in case the main account password is compromised, that does not mean you can afford to handle passwords in an insecure manner. Each password not only needs to be complex, but also unique, and it needs to be stored securely. Always remember to change the default passwords on all software and hardware in use, and make sure to prohibit password sharing.
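To make the password-handling advice concrete, here is an added Python example (not code from this page or from any product) showing one way to enforce it: rejection of a constructed blocklist of vendor defaults and common passwords, a complexity check, a password-history check so that a rotated password is genuinely new, and salted scrypt hashing for storage via `hashlib.scrypt`. The minimum length, the character-class rule and the scrypt cost parameters are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed blocklist of vendor defaults and common passwords; a real
# deployment would load a much larger list.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "123456", "welcome1", "default"}

# scrypt cost parameters (assumption: about 16 MiB of memory per hash, fine for interactive logins).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
MIN_LENGTH = 12  # assumption


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$key, with salt and key base64-encoded.
    Embedding the parameters lets the cost be raised later without breaking old records."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), _b64(salt), _b64(key)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute scrypt with the parameters embedded in the stored record and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, key_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = base64.b64decode(key_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=base64.b64decode(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def check_policy(password: str, previous_hashes: Iterable[str] = ()) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it was rejected."""
    if password.lower() in DEFAULT_PASSWORDS:
        return "default or commonly used password"
    if len(password) < MIN_LENGTH:
        return "too short"
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        return "needs at least three character classes"
    # History check: a "new" password must not match any previously stored hash for this user.
    for old in previous_hashes:
        if verify_password(password, old):
            return "password was used before"
    return None


if __name__ == "__main__":
    record = hash_password("Correct-Horse-Battery-9")
    print(record)
    print(verify_password("Correct-Horse-Battery-9", record))          # True
    print(check_policy("changeme"))                                    # default or commonly used password
    print(check_policy("Correct-Horse-Battery-9", [record]))           # password was used before
```

Only the scrypt record is ever written to the user database; the plaintext is discarded after hashing, so a copied database does not hand an attacker the credentials, and the history check still works because it compares against the stored records rather than against plaintext.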
Use monitoring software to monitor access to sensitive data
While controlling data access is very important, most regulators do not consider it sufficient. Compliance requirements often dictate that all user actions involving sensitive data be monitored and recorded. Such monitoring gives clear insight into how sensitive data is used and makes it possible to determine whether an incident has taken place.
User action monitoring is an invaluable tool for detecting insider attacks and privilege abuse. Insider threats pose a grave danger because malicious actions are often indistinguishable from an insider’s regular daily routine, not to mention that the level of access insiders have often allows them to effectively cover their tracks; monitoring solutions provide the level of insight necessary to detect such malicious actions. Moreover, monitoring is very useful for detecting inadvertent mistakes and even certain hacks or compromised accounts.
As already mentioned above, many access management solutions contain some basic user action monitoring capabilities; however, such capabilities are often limited in the types and amounts of information they can gather and do not allow effective protection from all types of insider threats. In order to fully comply with all requirements and actually protect students’ data effectively, colleges and universities should employ a dedicated user action monitoring solution. Such solutions make it possible to monitor users regardless of their level of privilege and provide all the data necessary to effectively detect any incident. However, the main argument against using such a solution is that they are often aimed at large enterprises, which makes them very expensive.
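As an added example of the kind of detection logic a monitoring solution runs over recorded user activity (illustrative Python written for this page, not code from the page itself or from any monitoring product), the script below parses a few constructed access-log lines and raises alerts for three of the patterns this section is concerned with: access to student records outside business hours, bulk reading of many distinct records in a short window, and copying of records to removable media or the internet. The log format, the business hours and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed log format: one event per line with key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) resource=(?P<resource>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (not real data): a registrar doing normal work, and a
# teaching assistant reading many records late at night and copying an export.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z user=registrar1 action=read resource=student_record:1001 src=10.12.0.5
2024-03-04T09:03:40Z user=registrar1 action=read resource=student_record:1002 src=10.12.0.5
2024-03-04T23:15:02Z user=ta_smith action=read resource=student_record:2001 src=10.12.4.9
2024-03-04T23:15:30Z user=ta_smith action=read resource=student_record:2002 src=10.12.4.9
2024-03-04T23:16:01Z user=ta_smith action=read resource=student_record:2003 src=10.12.4.9
2024-03-04T23:16:45Z user=ta_smith action=read resource=student_record:2004 src=10.12.4.9
2024-03-04T23:17:20Z user=ta_smith action=read resource=student_record:2005 src=10.12.4.9
2024-03-04T23:19:05Z user=ta_smith action=copy_to_removable resource=student_record:export.csv src=10.12.4.9
"""

BUSINESS_HOURS = range(7, 20)           # assumption: 07:00 to 19:59
BULK_THRESHOLD = 5                      # assumption: distinct records per window
BULK_WINDOW = timedelta(minutes=10)     # assumption
EXFIL_ACTIONS = {"copy_to_removable", "upload"}
SENSITIVE_PREFIX = "student_record:"

Alert = Tuple[str, str, str]  # (rule, user, detail)


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines) -> List[Alert]:
    """Run the three rules over the events in order and return the alerts raised."""
    alerts: List[Alert] = []
    recent = defaultdict(deque)   # user -> (timestamp, record) reads inside the sliding window
    bulk_flagged = set()          # raise the bulk alert once per user, not on every further read
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["resource"].startswith(SENSITIVE_PREFIX):
            continue
        # Rule 1: any touch of a sensitive record outside business hours.
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", ev["user"], ev["resource"]))
        # Rule 2: sensitive data leaving the system via removable media or upload.
        if ev["action"] in EXFIL_ACTIONS:
            alerts.append(("sensitive_data_exfil", ev["user"], ev["resource"]))
        # Rule 3: many distinct records read by one user within the window.
        if ev["action"] == "read":
            window = recent[ev["user"]]
            window.append((ev["ts"], ev["resource"]))
            while window and ev["ts"] - window[0][0] > BULK_WINDOW:
                window.popleft()
            distinct = {record for _, record in window}
            if len(distinct) >= BULK_THRESHOLD and ev["user"] not in bulk_flagged:
                bulk_flagged.add(ev["user"])
                alerts.append(("bulk_record_access", ev["user"],
                               f"{len(distinct)} distinct records within {BULK_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the registrar's daytime reads produce nothing, while the teaching assistant trips the off-hours rule on every event, the bulk rule on the fifth distinct record, and the exfiltration rule on the copy to removable media. A real deployment would feed these alerts to the person named as responsible for incident response and tune the thresholds per role, since a registrar legitimately reads far more records per hour than a teaching assistant.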
However, there is software on the market that provides both rich functionality and an affordable price. An example of such software is Ekran System.
Ekran System – monitoring software for higher education institutions
Ekran System is an employee computer monitoring and insider threat detection solution designed with both large and small organizations in mind. It is used by hundreds of companies worldwide across different industries, including higher education institutions. One example is Seoul National University, which uses Ekran System for both protection and compliance purposes.
Ekran System agents can be deployed on Windows desktops and servers, Linux / Unix servers, and virtual endpoints such as Citrix servers. They monitor everything that happens on the user’s screen, including mouse movement, recording full user sessions in an indexed video format coupled with relevant metadata. This metadata includes keystrokes, visited URLs, opened applications and active windows, commands entered in Linux, etc. All recordings can be replayed and easily searched, making it possible to quickly find and investigate suspicious incidents.
Ekran System can detect unauthorized access to and copying of personal data, whether via an external storage device (which it can detect) or by uploading it to the internet, and can also detect unauthorized system changes and server backdoors. Ekran System can monitor every user regardless of their level of privilege, and can clearly identify users of shared accounts via its built-in additional authentication feature. It contains a set of pre-defined alerts designed to catch various suspicious activities, as well as a powerful tool for creating your own alerts. A robust reporting tool allows you to review various types of data over time, generating reports of user activity that can be useful in a compliance audit.
Ekran System offers two licensing schemes: a regular one, where the amount charged is based only on the number of monitored endpoints, and an enterprise scheme, which adds a flat fee for the Management Tool license but also includes additional features oriented toward large companies, such as high availability and one-time passwords. Ekran System deployments are easily scalable, which makes the product an ideal fit for higher education institutions.
By establishing a robust risk-based security strategy, hiring the right person as your CISO, and arming yourself with effective and affordable data protection solutions for the education industry, you will be able both to achieve compliance and to protect students’ personal data reliably. Maintaining reliable security is a continuous process that involves a grueling and very expensive arms race with hackers and malicious insiders, and the only way to win such a race is a systematic risk-based approach and complex, layered defenses.