Educational institutions handle tremendous amounts of data and have access to personal, financial, and healthcare information of both students and staff. However, this exposes them to cybersecurity risks. In 2019, the US was hit by multiple ransomware attacks that impacted 89 universities, colleges, and school districts — up to 1,233 institutions were potentially affected.
Although US federal laws impose strict cybersecurity rules, the vast number of these rules (and the constant updates to them) makes it challenging for educational institutions to meet all cybersecurity requirements. In this article, we highlight the importance of securing students’ data, list major cybersecurity standards, laws, and regulations that apply to educational organizations, and offer seven best practices for a robust cybersecurity strategy.
The importance of securing students’ personal data
Ensuring the security of students’ data and privacy is extremely challenging for educational institutions. Cybersecurity breaches in educational organizations can be caused by external attackers or internal threats.
Establishing flawless data security is vital to avoid cybersecurity threats, meet compliance requirements, minimize the chance of data leaks, and preserve an institution’s reputation and credibility, resulting in better student enrollment and easier staff recruitment.
Cybersecurity threats in higher education can come from various sources. Here are the most common:
- Downloading free textbooks from suspicious sources, which can bring malware to an institution’s computer networks
- Email-based threats like phishing that can bring malware or ransomware
- Unsecured personal devices that may make a school’s wireless network vulnerable
- Targeted cyberattacks on educational institutions (like DDoS attacks) that aim to render a website or service inoperable
- Malicious and unintentional insiders
The most unpleasant outcome of any attack on an educational institution is financial losses, which may consist of fines for non-compliance with cybersecurity requirements and costs for recovering from the attack. For example, the Rockville Centre school district in Nassau County, New York, paid almost $100,000 to restore their communications systems and data after an incident with the Ryuk ransomware in July 2019.
Securing students’ personal data is vital not only because of potential financial losses but also because of reputational damage. Bad publicity may scare away potential students and hinder cooperation with government organizations and businesses on various research projects.
Before we proceed to cybersecurity techniques for ensuring robust data protection, let’s take a look at the most essential compliance requirements for educational institutions.
What laws, regulations, and standards should you comply with?
One of the biggest problems when it comes to meeting cybersecurity requirements in the education sector is that there are too many standards, laws, and regulations, so it’s hard to keep up with everything.
Since schools and universities process many types of data, they have to comply with requirements that also target healthcare, financial, and government organizations.
The most important regulations and laws for US educational organizations to follow are:
- The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of student education records. This law applies to all schools that receive funds under an applicable program of the US Department of Education. FERPA clearly forbids the disclosure of confidential personally identifiable student information without a student’s or an authorized party’s written consent.
- The Higher Education Opportunity Act (HEOA) is a law that requires institutions of higher education to secure students’ sensitive data.
- The Protection of Pupil Rights Amendment (PPRA) is a law that protects sensitive personal information collected from students by educational institutions and programs that receive funds from the US Department of Education.
- The General Data Protection Regulation (GDPR) protects personal data of European Union (EU) residents and addresses the transfer of their personal data outside the EU area. If a US-based institution educates or employs EU citizens, it must comply with GDPR requirements.
- The Health Insurance Portability and Accountability Act (HIPAA) is a law that requires schools to protect students’ health information, whether that be insurance information or information on health issues. Any medical center on a school campus must comply with HIPAA just as a doctor’s office must.
- The Health Information Technology for Economic and Clinical Health Act (HITECH) is a law created to promote and expand the adoption of health information technology: specifically, the use of electronic health records by healthcare providers.
- The Gramm-Leach-Bliley Act (GLBA) is a US federal law that focuses on financial institutions. Higher education institutions must also comply with the GLBA’s Safeguards Rule, as these institutions deal with large inflows and outflows of money.
- The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary standard created by major credit card companies, including Visa and Mastercard, that governs the handling of credit card information. Schools and universities that receive card payments for education must meet PCI DSS requirements.
- The Federal Information Security Modernization Act (FISMA) is a US law that applies to government agencies, contractors, and entities that collect or maintain the information of any federal agency. As some universities collaborate with federal agencies on research projects, it’s also important for them to have FISMA compliance software.
- The National Institute of Standards and Technology (NIST) Special Publication 800-171 applies to higher education institutions with which the government shares information for research purposes. That's why such institutions require a NIST 800-171 compliance solution.
Securing students’ data and ensuring compliance with federal and state cybersecurity requirements demands a complex approach. Let’s explore the most essential steps toward a risk-based security strategy in the next section.
How to protect students’ personal data
Educational organizations have to put lots of effort into effectively protecting students’ personal data and achieving IT compliance.
Considering the vast number of US laws and standards that apply to the educational sector, meeting the major requirements seems challenging. However, it gets easier when you follow seven best practices that help you build a strong cybersecurity strategy and secure sensitive data.
1. Define risks
A thorough risk assessment starts with determining all valuable data stored and processed by your institution. You should identify information that’s subject to compliance requirements to know what to secure first.
Then pay attention to possible cybersecurity threats both outside and inside your organization. Last but not least, you should assess your current protection measures, making sure there are no weak points.
2. Ensure the security of stored data
Paying attention to the security of stored data is a great way to minimize the risk of its compromise. Follow these measures for securely storing data:
- Back up data regularly. Even if a hacker or intruder successfully retrieves data, backups will help cybersecurity teams confirm which systems and applications were compromised as well as recover damaged or deleted data.
- Keep all your software updated, especially antivirus tools. Outdated software may contain vulnerabilities that are known to hackers.
- Allow only authorized staff to access students’ sensitive data. Not all of your employees need students’ personal data for their routine work. Make sure this data can be accessed by as few users as possible.
- Use data encryption techniques to safeguard your data against hackers and malicious insiders.
- Secure access to your organization’s networks with a multi-factor authentication (MFA) mechanism to strengthen the authentication process and prevent unauthorized access by someone who has somehow come into possession of credentials.
Appointing a Chief Information Security Officer (CISO) is another common and helpful practice among higher education institutions. A CISO is responsible for implementing security requirements, assessing risks, conducting regular security audits, checking for changes to compliance requirements, and responding to potential security incidents.
3. Manage access rights thoughtfully
Make sure your employees can access only the data they need for their jobs. Elevated access rights are always a risk, since a user can steal or compromise sensitive data on purpose or can accidentally delete or expose it.
To ensure robust access management, apply a zero trust model that allows you to grant access to critical applications and data only to those users that have already been authenticated and verified by your system.
Also, consider implementing a just-in-time privileged access management model to grant access permissions only when users need to perform specific tasks and for no longer than the time required to fulfill those tasks.
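A minimal sketch of the just-in-time model described above, added here as an illustration and not taken from any product named in this article. The class, user, and resource names are hypothetical; the scenario in `demo()` is constructed.

```python
import time
from dataclasses import dataclass, field

@dataclass
class Grant:
    user: str
    resource: str
    reason: str
    expires_at: float  # epoch seconds after which the grant is void

@dataclass
class JitAccessBroker:
    max_ttl: float = 3600.0  # hard ceiling on any single grant, in seconds
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, now, event, user, resource, detail=""):
        # Every decision is recorded so it can serve as evidence later.
        self.audit.append((now, event, user, resource, detail))

    def request(self, user, resource, reason, ttl, approver, now=None):
        now = time.time() if now is None else now
        if not reason.strip():
            self._log(now, "request_denied", user, resource, "no justification")
            return None
        if approver == user:
            self._log(now, "request_denied", user, resource, "self-approval")
            return None
        ttl = min(ttl, self.max_ttl)  # requests cannot exceed the ceiling
        grant = Grant(user, resource, reason, now + ttl)
        self.grants.append(grant)
        self._log(now, "granted", user, resource, f"ttl={ttl:.0f}s by {approver}")
        return grant

    def is_allowed(self, user, resource, now=None):
        now = time.time() if now is None else now
        # Purge expired grants so no standing privilege accumulates.
        self.grants = [g for g in self.grants if g.expires_at > now]
        ok = any(g.user == user and g.resource == resource for g in self.grants)
        self._log(now, "access_allowed" if ok else "access_denied", user, resource)
        return ok

def demo():
    # Constructed scenario: a registrar needs student records for 15 minutes.
    broker, t0 = JitAccessBroker(max_ttl=1800), 1_000_000.0
    broker.request("registrar1", "student_records", "grade appeal", 900, "ciso", now=t0)
    during = broker.is_allowed("registrar1", "student_records", now=t0 + 600)
    after = broker.is_allowed("registrar1", "student_records", now=t0 + 901)
    return during, after, [e[1] for e in broker.audit]
```

Access is checked against the grant list on every request, so permission lapses on its own once the task window closes, and the audit list keeps both the grant and each later allow or deny decision.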
4. Monitor user activity
Various users may put students’ personal data at risk and cause cybersecurity incidents either unintentionally or on purpose. These can be both malicious and inadvertent insiders or third parties that have access to your network.
Establishing robust user monitoring will help you know all actions users have performed on corporate devices and within educational networks.
Moreover, tracking and monitoring all access to network resources is required by PCI DSS, and maintaining records of all activities related to data processing is required by the GDPR. Records of user activity monitoring can also be used as evidence when investigating a cybersecurity incident.
5. Create a cybersecurity policy
A written cybersecurity policy is a must for every organization, since a cybersecurity policy provides a full picture of how the institution ensures data protection, applies security procedures, mitigates threats, and recovers from incidents.
All employees and students should be familiar with the cybersecurity policy to know how their data is held, learn the primary cybersecurity rules, and understand the severe consequences of violating the policy’s recommendations.
6. Educate students and staff
Unfortunately, cybersecurity policies are not enough to educate students, teachers, professors, and staff about the safe use of organizational systems and data.
For instance, an inadvertent mistake such as opening a suspicious email may lead to a ransomware attack and its unpleasant consequences. Phishing is still a significant issue and accounted for 13% of all cybersecurity incidents in educational organizations in 2019.
The best way to avoid such incidents is to create training programs for both staff and students that:
- raise awareness of potential dangers of data breaches and threats your organization faces
- teach best practices and measures that should be taken in order to protect sensitive data
- educate about simple security mistakes like not logging out of an account when leaving a computer and downloading suspicious files
- explain the consequences of cybersecurity incidents
- go hand in hand with the formal written security policy
7. Deploy dedicated software
Since compliance requirements often dictate that all user actions with sensitive data should be monitored and recorded, you have to deploy a reliable monitoring solution.
Modern user activity monitoring tools will help you:
- watch user sessions both in real time and in records to make sure employees securely handle critical data
- get a full picture of user actions with both video and audio monitoring
- detect suspicious activity and instantly notify your security officers or admins
With dozens of user activity monitoring solutions on the market, every organization can choose what best suits their specific needs. Ekran System contains a variety of useful features and helps businesses protect their networks and data and comply with cybersecurity regulations.
Ekran System ensures data protection in educational organizations
Ekran System is a full-cycle insider threat management platform that effectively monitors and records user activity as well as deters, detects, and disrupts insider threats.
Our solution can help your organization secure your sensitive data by:
- assisting you in meeting IT compliance requirements such as those imposed by the GDPR, PCI DSS, and HIPAA
- monitoring and recording user activity and allowing you to search through records for a launched application, opened URL, typed keystroke, and more
- enhancing access protections with MFA and one-time passwords
- managing privileged access by monitoring and auditing the activity of privileged users
- detecting suspicious activity with real-time alerts and addressing potential dangers instantly
- gathering evidence for cybersecurity incident investigations
Ekran System’s insider threat management solution will help your educational organization closely monitor user activity and respond to emerging threats so you can prevent incidents rather than mitigate their consequences.
Meeting all the necessary compliance requirements and ensuring information security in higher education organizations is a challenging and continuous process. Standards for educational institutions are constantly updated, and both hackers and malicious insiders may come up with new tricks to compromise and steal your critical information.
We hope the practices offered above will help you build a solid cybersecurity strategy and meet industry requirements. With Ekran System, you can significantly enhance your insider threat protection, secure students’ data, and get a few steps closer to full compliance.