Why Higher Ed Data Security Depends on People

The threat-intelligence firm Recorded Future report in February 2017 that "Rasputin, a Russian-speaking and notorious, financially motivated cyber criminal, continues to locate and exploit vulnerable web applications via a proprietary SQL injection (SQLi) tool." His latest attack? More than 60 prominent universities and government agencies in the United States and United Kingdom.

So, is your institution secure?

Mark Relf, senior security analyst with Collegis Education, shared that he is often asked about data security. He noted that while colleges and universities are clearly concerned about the rise in higher ed data breaches, he worries that there is a misperception that an organization needs only software to protect its data.

“Data security is everyone’s job and the most protected companies meet security goals through fostering good employee habits system-wide,” Relf said.

Relf further explained why higher education has become a target of hackers. Beginning with reports of data security breaches among health care companies, Relf pointed out that while medical records are in demand on the black market, they become much more valuable when combined with student records.

Hackers are looking for so-called personal identifiers, which are the most sensitive pieces of personal information (such as dates of birth, addresses and more) and can be used for identity theft and fraud. Such records may be sold on the black market for a few dollars each. But hackers know that if that information is combined with a Social Security number and driver’s license number, the price of an individual record can increase to $100–$150 per record.

Student records from higher ed institutions attract attention among hackers who are looking to combine those records with personal records stolen from other organizations. Buyers of stolen records then exploit the information to profit in a number of ways. They may use the victim’s identity to commit insurance fraud, apply for loans, or make other purchases.  

“Data security depends on three points,” Relf said. “People, process and technology. Like a three-legged table, if you take one out, it will fall over.”

Relf underscored that an organization’s first line of defense is its employees. Following is a short list of basic actions any company can require of its employees in order to prevent breaches.

Preventive Actions

  1. Change passwords at least every six months.
  2. Don’t use the same password for multiple accounts.
  3. Never open attachments or click on links from unknown senders.
  4. Teach employees to verify all requests for sensitive information or funds.

The last action in the list, verification, is important because hackers often attempt to impersonate a high-level employee in order to gain access to sensitive information. Taking a moment to confirm the request with the apparent sender by phone or through an alternative communication method is in everyone’s best interest. When you consider that the cost of a security breach can easily run into six figures or more, no properly authorized information requestor should object to a safety check. Another good safety measure is to implement a multi-step verification processes in which final authorization of a request must come from a variety of independent sources.

Good Habits Go A Long Way

No matter how much money is invested in technology, an organization may still not be protected. Employee habits and processes are critical to preventing a data breach. Teach your employees how to be vigilant. Teach them good habits, and encourage them to report unusual requests immediately. As with organizational cultures that support an environment of physical security, employees who have been taught how to recognize and respond to warning signs can be a powerful force for preventing a crisis.