Information security breaches are constantly in the news. ID theft experts Sontiq, who maintain a list of the most severe incidents, identified 84 major breaches in 2020 at organizations ranging from Microsoft to Marriott International hotels. While no higher education institutions made the 2020 list, you don’t have to look back too far to come across major data breaches in the industry.
Hackers Have Hit Education Industry Hard
In 2015, Pennsylvania State University disclosed that attackers based in China had infiltrated computer systems at its College of Engineering in a sophisticated cyberattack that lasted more than two years and targeted the university’s intellectual property. A second group of attackers reportedly gained access to personal information, including Social Security numbers, for 18,000 people. To help mitigate the damage to its reputation, the university offered those individuals free credit monitoring. It was also forced to notify more than 500 public and private research partners of the breach.
Rutgers University in New Jersey fell victim to perhaps the worst attack in higher ed history in 2015, when a Distributed Denial of Service (DDoS) attack took down the school’s networks and forced Rutgers to postpone exams and class registration. The attacker, a Rutgers student, pleaded guilty to violating the US Computer Fraud and Abuse Act and in 2018 was ordered to pay $8.6 million in restitution to the school, the amount Rutgers estimated it had cost to respond to the attacks.
Education Lags in Security Performance
With massive volumes of personal information and intellectual property under their responsibility, higher ed institutions are obvious targets for cybercrime. Beyond that, institutions face some exposures that are unusual in other industries: widely distributed networks, a large and constantly shifting user base of students, faculty and staff, and research systems that must stay open to outside collaborators.
Add it all up and you’ve got a recipe for trouble. Cybersecurity ratings company BitSight analyzed six major industries and found that education had the highest incidence of ransomware, malicious software that encrypts or otherwise blocks access to the victim’s data and demands a payment, typically in cryptocurrency, to restore it.

13% of the education institutions BitSight evaluated had experienced ransomware on their network, more than double the rate in government, the next most victimized industry analyzed (5.9%). Separate research by Coalfire Systems found that 17% of all data breaches occur in higher ed.

Security ratings are an objective, quantifiable measurement of an organization’s overall cybersecurity performance, scaled to resemble a credit rating. BitSight compared average security ratings across the same six industries and found that ratings in education lagged behind the other industries by 100 to 150 points. And while the other industries all saw their averages improve over the course of a year, education’s actually dropped.
How Higher Ed Institutions Can Improve Their Information Security
In this challenging risk landscape, it’s essential for institutions to make information security a top priority. With this in mind, I sat down with ApplyBoard’s Chief Information Security Officer, Paul Mason, to get his thoughts on how schools can protect themselves and their students.
Meti Basiri: Why is information security so important in higher ed?
Paul Mason: Over the past few years, we’ve seen a growing understanding among users in all industries of how much of their personal data is out there and how vulnerable it is to theft. In higher ed, students expect the institutions they attend to do everything they can to protect their privacy.
Governments have responded to this urgency by enacting legislation that protects data subjects—the people whose data is being collected—and institutions need to comply or face steep fines and potentially legal exposure if a breach occurs.
Meti Basiri: Tell us about some of this legislation.
Paul Mason: The EU’s General Data Protection Regulation (GDPR), which came into force in 2018, was a big leap forward in data protection and compliance. The GDPR laid out a series of legal bases that allow companies to collect personal data, established a set of rights for data subjects, greatly increased transparency between data collectors and subjects, and put in place significant penalties for noncompliance.
All of ApplyBoard’s partner universities in the UK abide by the GDPR, as well as its post-Brexit UK equivalent. The GDPR actually applies to organizations located outside the EU, as well. If a company collects or processes personal data for individuals located inside the EU, it needs to abide by the regulation. That includes any institution outside the EU that enrolls EU students.
The GDPR has become a model for many jurisdictions outside the EU. In Brazil, a similar piece of legislation, the Lei Geral de Proteção de Dados (LGPD), came into effect in February 2020. Like the EU GDPR, it applies to organizations outside Brazil who collect data on Brazilian residents. The Indian government tabled its own Personal Data Protection Bill in December 2019, but implementation has been delayed due to the pandemic.
In Canada, the federal government has introduced a bill to replace the 20-year-old Personal Information Protection and Electronic Documents Act (PIPEDA) with a new Consumer Privacy Protection Act (CPPA). It’s expected to become law within the next six months. The CPPA is even tougher than the GDPR in terms of requirements it places on organizations and the penalties it imposes if they fail to meet them. For certain offences, fines can reach up to C$25 million or 5% of the organization’s gross global revenue in the previous year, whichever is larger. The CPPA also gives individuals the right to sue organizations that fail to manage their data in accordance with the legislation.
In the US, the California Privacy Rights Act (CPRA) was approved by voters in California during last year’s election and will take effect on January 1, 2023.
Meti Basiri: What can institutions do to ensure they’re compliant with this legislation?
Paul Mason: Most large, research-focused institutions have a Chief Information Security Officer (CISO), which is a management-level position that monitors systems for breaches and continually reevaluates compliance with legislation. These schools should ensure they’re giving their CISO the resources that person needs to work efficiently and effectively. And they should ensure the CISO has a seat at the table with senior leadership, reflecting the importance of info security today.
Smaller institutions, such as community colleges, can be in a bit of a bind. They may be wary about the costs of bringing in an experienced security leader to fulfil the CISO role. But with the sophistication and variety of threats out there today, security is just not a function that can be filled at a lower level.
ApplyBoard supports our partner schools big and small with their information security. We deal with the exact same personal data for our students, so we’re intimately familiar with the risks and the challenges institutions face. Before we begin working with a partner school, we test that school’s ability to send proper encrypted communications via email, which is essential when dealing with personal data. If a partner is deficient, we help them meet those security requirements.
We also leverage our BitSight licence. BitSight provides comprehensive, up-to-the-minute analysis of an organization’s security on a number of fronts: botnet infections, spam propagation, insecure systems, user file sharing, patching cadence, and many more. It allows organizations to see how their security rating compares to the industry average and to specific competitors.
Like a credit rating, BitSight information is visible to anyone with a BitSight licence. Prospective partners can check each other’s security rating before agreeing to work together. Or, a potential client could check a vendor’s security rating before subscribing to their service.
ApplyBoard has reached out to a number of organizations whose security ratings have taken a hit, from partner schools to companies involved in our international financial transfers, and given them access to their BitSight profile through our licence. We’ve then advised them on corrections and enhancements to make to address deficiencies and improve their rating. Once they’re where they need to be, we monitor them to help ensure they maintain their rating and alert them to any concerns we see.
Meti Basiri: What’s your biggest concern for institutions around information security right now?
Paul Mason: It’s the degree of change. For schools with little to no data governance infrastructure, meeting the requirements of GDPR, LGPD, CPPA, and similar laws means going from 0 to 100 in a really short period of time. That’s why it’s critical to stay on top of things. ApplyBoard currently has more than 20 internal projects on the go to proactively enhance our security. It’s a big investment, but it’s what’s necessary to stay ahead of both the evolving legal situation and ever-more-sophisticated cybercriminals.
As ApplyBoard’s Chief Information Security Officer, Paul Mason leads our internal security functions and advises our partner schools on their information security challenges.
Co-Founder and Chief Marketing Officer (CMO)
Meti is driven by the belief that education is a right, not a privilege. He leads the International Recruitment, Partner Relations, and Marketing teams at ApplyBoard, working to make education accessible to people around the world. Meti has been instrumental in building partnerships with 1,500+ educational institutions across Canada, the United States, the United Kingdom, and Australia. Working with over 5,000 international recruitment partners, ApplyBoard has assisted over 150,000 students in their study abroad journey. Follow Meti on LinkedIn for more access to ApplyInsights and key industry trends.