In an era where higher education is experiencing increased cyberattacks and smarter cyberthreats, colleges and universities must do all that they can to safeguard sensitive data and ensure the privacy of their constituents. While the evolving cybersecurity landscape may seem daunting, adopting fundamental strategies can significantly bolster your school’s resilience against cyberattacks. As a bonus, schools may experience lower insurance premiums by showing commitment to cybersecurity, implementing comprehensive measures, and complying with relevant regulations.

Here are three basic higher education cybersecurity strategies every institution should prioritize:

Stopping threats before they occur is the best-case scenario. Threat-detection tools, such as data loss–prevention software, can analyze the security ecosystem and quickly identify malicious activity and enact mitigation efforts. These tools allow institutions to detect threats in real-time and stop breaches before they occur.

Education is a powerful and essential to counteract cyberthreats. Enable students and staff to recognize, avoid and report an attack by offering regular awareness training that promotes cybersecurity best practices for schools. They should be made aware of common cyberattacks, such as:

• Ransomware Attack: Paralyzing a victim’s systems or threatening to steal, block or publish a victim’s data unless a ransom is paid.
• Business Email Compromise (BEC): Emails that impersonate senior leadership and ask for tasks to be carried out that would reveal sensitive information or transfer funds.
• Phishing: Using electronic communications to deceive and take advantage of users, often beginning with an email attempting to obtain sensitive information by persuading a user to click on a malicious link or download an infected attachment.
• Spear Phishing: Infiltrating an organization to steal sensitive information through a targeted type of phishing. Attackers will often gather personal information about their victims via social media profiles to write emails with more authentic context.
• Spoofing: Committing malicious acts by disguising oneself as a person, business or entity the victim is familiar with to get them to freely provide information.

Students and staff should also be educated in proper data-handling practices and physical security measures for various technologies. By creating a culture that values cybersecurity, schools can empower active contributions to defend against cyberthreats.

“The most significant new risk in higher ed is the bad guys’ use of AI to develop and launch more targeted and believable phishing campaigns. Phishing is still a top method of compromising users, but with the added power of AI, it can be easier, quicker, and more effective than ever. User training has to shift to meet the challenge,” said Nairn.

The recent changes to the Gramm-Leach-Bliley Act’s safeguard rules require universities and colleges to take a proactive approach to student financial record-keeping and cybersecurity. Remaining compliant with these regulations and reporting requirements is essential to securing funding. That begins with a well-documented IT security policy that sets standards of behavior for the digital activities of faculty, staff, and students.

Your policy should define common cyberattacks, outline systems to guard data, assign roles and responsibilities, and be regularly updated as new regulations and threats emerge. Artificial intelligence (AI), though somewhat underdeveloped, should have a place in your IT security policy that outlines how to reduce the cybersecurity risks of AI, such as avoiding sharing sensitive data with AI and building a strong AI incident-response procedure.

Collegis can also help with a cybersecurity risk assessment. Contact us to learn more.

With cyberattacks on the rise, higher education institutions must move beyond reactive security measures and foster a cybersecure culture that protects students, faculty, and institutional data. A strong cybersecurity strategy isn’t just about technology — it’s about people, processes, and awareness.

Our latest infographic outlines key actions colleges and universities can take to build a proactive security mindset across their campuses.

The Gramm-Leach-Bliley Act (GLBA), established in 1999 under the purview of the Federal Trade Commission (FTC), has long governed the safeguarding of sensitive information within financial institutions. Although not initially focused on educational contexts, the GLBA has more recently shifted into the spotlight of higher education governance.

Here we’ll dissect and analyze the critical elements of the GLBA and its Safeguards Rule, focusing on how they impact the collection, storage and use of student financial records in colleges and universities.

Within the last four years, the impact of the GLBA has been increasingly felt in higher education institutions. The Office of Management and Budget (OMB) ratcheted up this focus when it released its Compliance Supplement in July 2019, incorporating a new audit objective to assess institutional compliance with the Safeguards Rule.

The average cost of a single cybersecurity breach in higher education now $3.65 million.

Given recent high-profile examples, like the potentially disastrous MOVEit attacks in which Colorado State was among 600 organizations affected by a widespread and well-coordinated ransomware campaign, this added focus on safeguarding student financial records isn’t surprising. With the average cost of a single cybersecurity breach in higher education now at $3.65 million (as of March 2023), your responsibilities to protect student data and your institution’s financial future are greater than ever.

In December 2021, the FTC enacted a revision of its Safeguards Rule, with some provisions effective on June 9, 2023. The education sector should note that the Department of Education’s Office of Inspector General has indicated that these revisions may be included in future OMB Compliance Supplements and would be subject to the single audit/federal awards program audit. With federal funding on the line, remaining compliant with these regulations and reporting requirements is essential.

The revisions in the Safeguards Rule cover a myriad of points ranging from risk assessments to personnel responsibilities. Here is a breakdown:

Old Rule: Designate employee(s) for information security coordination.

New Rule: A qualified individual must be designated to manage and enforce the information security program. Even if a service provider or affiliate meets this requirement, the institution itself retains responsibility for compliance and oversight.

Old Rule: A risk assessment addressing three required areas was mandatory.

New Rule: Institutions must now conduct a written, periodically updated risk assessment that considers both internal and external threats, incorporating a more robust set of evaluation criteria.

Old Rule: Identify safeguards for each risk.

New Rule: Besides identifying safeguards, institutions now have to embrace a more complex set of data protection measures, such as multifactor authentication, secure disposal, and annual penetration testing.

Understanding and implementing these changes is crucial for educational institutions to not only ensure compliance but also safeguard student data. These new changes necessitate a reevaluation of existing information security programs and may require the allocation of additional resources, including expert personnel and advanced cybersecurity tools.

The Gramm-Leach-Bliley Act’s evolving role in higher education, particularly with the recent changes to the Safeguards Rule, calls for universities and colleges to be proactive rather than reactive in the domain of student financial record-keeping and cybersecurity.

Collegis Education can help your institution achieve and maintain GLBA compliance with comprehensive solutions tailored to your unique needs. Our team of experts is well-versed in the latest best practices and can guide you through the intricacies of the Safeguards Rule and other compliance requirements. Reach out to us today to discuss your needs and take the first step toward safeguarding your institution’s future.

Most higher education leaders share a common understanding that the system as a whole is heavily regulated. Meeting legal requirements related to athletics, diversity, safety and more is simply expected. Yet there’s one area in which many institutions could stand to improve: information security.

There are numerous examples of costly breaches that schools have experienced over the years. In fact, cybersecurity in higher education is becoming increasingly important as more attackers target these institutions. Just one breach could expose sensitive data, but institutions can better protect themselves and their students by adhering to the Gramm-Leach-Bliley Act (GLBA).

While the GLBA – which requires institutions to explain how they share and protect nonpublic personal information – is geared toward financial services organizations, it also applies to colleges and universities. This has become even more important in recent years, so it’s wise to familiarize yourself with this law and how to comply.

It’s no secret that higher education is plagued by cyberattacks. One of the most recent incidents occurred in April 2021 when data files were stolen from multiple schools due to a software security flaw.

But issues such as these have been taking place for years, particularly in the last decade. Recurring breaches in the 2010s are likely what prompted the U.S. Department of Education to send an initial letter in 2015 as well as a follow-up letter in 2016 reminding colleges and universities about the legal obligation to comply with the GLBA. Rather than scolding any institutions for wrongdoing, these letters were presented as resources to support schools’ efforts to bolster their cybersecurity protections.

Another important shift took place a few years later. While GLBA compliance was initially self-regulated, an amendment required that it be incorporated into schools’ annual federal compliance audits. Higher education institutions started submitting GLBA-related information to the Department of Education back in 2019.

As part of the evaluation procedure, auditors must:

• Ensure the school has a designated person to coordinate the information security program
• Confirm the institution has performed a risk assessment that addresses employee training and management, information systems, and protocols for attack detection, prevention and response
• Validate that the school has a documented safeguard for each of the above risks

Satisfying the GLBA audit standards isn’t just beneficial for protecting students and your institution as a whole. It’s also a legal requirement, and there are penalties for non-compliance (more on this in a later section).

The audit process provides a glimpse into what colleges and universities must do to comply with the GLBA, but it’s important to have a clearer understanding of the requirements. 

For starters, institutions are required to develop a written information security plan that describes the program they have in place to protect student information. These documents may vary from one school to another, but they must include the following elements:

• A designated employee (or employees) who coordinates the information security program
• A means of identifying and assessing risks to student information in each relevant area of operation, as well as a method for evaluating the safeguards that are currently in place
• An implemented safeguards program that’s regularly monitored and tested
• Service providers with the expertise and obligation to maintain appropriate safeguards who receive oversight in how to handle sensitive information
• A process for evaluating and adjusting the information security program to account for relevant changes

While GLBA compliance requirements are intentionally flexible to meet the needs of different institutions, the FTC provides further guidance on what should be included in an effective information security plan. Recommendations focus heavily on employee training and management. Some suggested practices include:

• Conducting background checks prior to hiring employees
• Limiting who has access to sensitive information
• Providing security maintenance training
• Implementing disciplinary action for violations

If a school is found to be non-compliant as a result of the annual audit, the Federal Student Aid’s Postsecondary Institution Cybersecurity Team could disable the institution’s access to the Department of Education information systems. Serious or repeat cases may be subject to fines or other administrative actions.

There are also a number of criminal penalties mentioned within the body of the GLBA under section 523. The institution and the violators may be subject to fines of up to $100,000. Individuals may also face up to five years of prison time – or 10 years for repeat offenses. Violations are clearly taken very seriously.

But arguably the most detrimental outcome associated with GLBA noncompliance is a security breach. If this happens, important student data could be leaked or stolen by an attacker. Institutions that don’t take the appropriate measures to protect students’ financial information could ultimately end up having to pay hefty ransoms to recover that data. Even then, there’s no guarantee an attacker will actually follow through on returning information after they receive the funds. It’s also incredibly damaging to the university’s reputation. From a prospective student’s point of view, why entrust such an institution with your personal information?

It’s apparent that GLBA compliance needs to be top of mind for colleges and universities. Exposing students’ personal information doesn’t just risk an institution’s reputation; it can also lead to expensive ransoms and halt day-to-day operations.

Keep in mind that complying with the GLBA, while important, is really only focused on security. There are so many other priorities that information technology (IT) departments need to focus on, such as upgrading systems, integrating software and implementing innovative student-facing tools. This can be a lot for a college IT team to manage, but there are other options for seeking external support.

As colleges and universities become increasingly digitally connected, the risk of cyber threats continues to rise. Higher education institutions store vast amounts of sensitive data, from student records and financial information to research and faculty communications. Unfortunately, this makes them a prime target for cyberattacks.

Our latest infographic highlights the top cybersecurity risks institutions face and provides key strategies to protect against them.