Five Data Security Tips for Colleges and Universities
Last month, the BDO team attended the SACUBO Annual Meeting in San Antonio. The event was filled with compelling presentations on a variety of issues impacting the higher education industry, from the FASB’s Not-for-Profit Financial Reporting-Financial Statements project to new developments in Big Data. The conference also addressed the rapidly evolving issue of cybersecurity for higher education institutions.
With cybersecurity growing as a concern across all industries in the U.S., colleges and universities need to stay ahead of the curve and explore new ways to lock down student, staff and faculty data. The costs of a data breach can be high; according to the Chronicle of Higher Education, the February 2014 hacking of the University of Maryland’s IT systems could cost the university millions of dollars. On top of that, the university must also combat the reputational harm that could come from the leak of its staff and students’ personal information.
Why are data intrusions at higher education institutions on the rise? In addition to the risk that students, staff and faculty incur in their personal use of university information systems, the sheer amount of personal data stored on university servers makes them attractive to hackers looking to steal and sell identifying information, such as social security numbers. Some intruders may also simply be looking to cause some havoc.
Still, one of the more problematic causes behind the growth in cybersecurity breaches at universities is simply that many institutions do not prepare for them. In order to combat this complacency, here are a few steps colleges and universities can take to get ahead of the threat:
1. Understand the various types of cyber attacks.
Knowing the variety of intrusion methods used can help you plan your defense strategy. A substantial number of intrusions occur through phishing, in which a user unwittingly shares his or her password with a hacker. Other methods include the stealth installation of malware on computers, “brute force” attacks where hackers simply guess at passwords, and exploitation of known system vulnerabilities. Sometimes, an intrusion can even be facilitated by careless data protection on the university’s part, such as a failure to use adequate encryption for personal information stored on its servers.
2. Invest in up-to-date software solutions to protect your systems.
While there’s no silver bullet, a robust package of anti-virus, anti-malware and firewall software installed throughout the system can erect hurdles to unscrupulous hackers looking for chinks in your armor.
3. Implement multi-level credentialing processes for IT users throughout the institution.
A strong password alone may not be sufficient to protect user accounts from intrusions. During one presentation, Brian Rivers and Holley Schramski of the University of Georgia discussed their institution’s new ArchPass system, which involves using a small device to generate a one-time numeric code that users must enter in addition to their passwords to access university systems. This added layer can help halt attacks, even when a hacker has access to a password.
4. Improve awareness cross-campus.
Take the time to educate stakeholders across your organization about best practices for protecting their data. Many attacks can be thwarted with common sense, such as not opening questionable emails and double-checking site URLs before entering user credentials.
5. Act quickly to close vulnerabilities as soon as they appear.
With technology changing every day, standards for security protocols can quickly become obsolete, and savvy hackers can find new loopholes to exploit. Universities and colleges should monitor for potential vulnerabilities on an ongoing basis and, upon finding them, should quickly remedy them, either by patching them or by implementing new systems as needed.
Data security will continue to be a problem in the coming years for all organizations, but ongoing vigilance can go a long way toward helping your institution both anticipate and quickly respond to potential breaches.