Every day your organization creates or obtains information from your staff and students. All of this information which is created and collated has value; some more obviously valuable than others. This data often sits in your file servers unprotected, placing your organization at unnecessary risk. In Ryan Francis’ article on CIO.com he explains 5 ways to prevent an educational data breach with data classification. Here is the article below:
5 ways data classification can prevent an education data breach
Class is in session
The explosion of data in the education sector can help institutions streamline and improve access to student and user records, as well as creating new efficiencies that reduce administrative tasks, while reaching more students with better and more targeted curriculum. But despite the multitude of benefits, this groundswell of information can also have negative impact if mismanaged.
As with other verticals, any kind of security threat or data breach can result in steep compliance fines and penalties, increased scrutiny from auditors and unwanted publicity that result in loss of reputation and student attrition. Ultimately, you can’t manage what you can’t see. And for the often cash strapped education sector, it’s imperative that they find ways to clearly identify, classify and prioritize this sensitive data according to its criticality. Spirion CEO Jo Webber, PhD offers examples of how the education vertical can leverage data classification to reduce the risk of data theft and costly compliance violations.
1. Detect security holes/encryption gaps in older student records
It’s no secret that education databases housing sensitive information such as student Social Security numbers, dates of birth, addresses, income and financial aid information are prime targets for cyber thieves. So, taking a hard look at all of your data and then being able to identify that which is particularly attractive for hackers is critical. The ability to classify and prioritize sensitive information allows universities and other educational institutions to locate old, outdated logs of student applications with student Social Security numbers on them, which were often used to track students prior to compliance regulations and before other methods of student identification were employed. It can also spot credit card information used for student payments but stored in unencrypted databases, which also might be a target for hackers and violate PCI regulations. Once identified as such, the university is then able to determine if they need the data, whether to archive it, where to house the most alluring data for cyber criminals and how to implement measures to protect and manage it.
2. Satisfy education compliance auditors
With a surplus of student Social Security numbers, financial records and other personally identifiable information close at hand, schools and universities also have to adhere to numerous education-specific compliance regulations, in addition to Sarbanes Oxley, PCI and a host of federal and state data breach laws. All too often, critical information such as income and Social Security numbers on financial aid applications, health and medical data related to student athletes, and mental health records from student counseling department are disorganized, misplaced, improperly secured or easily allow unauthorized access. Unfortunately, most educational institutions aren’t even aware that this data exists – making it impossible to manage. Eventually, they pay the price when that data is discovered too late by auditors or falls into the wrong hands.
With data classification, enterprises are able to increase transparency to regulatory agencies by shining a light on what they’re doing to secure sensitive data. This includes showing the number of sensitive records identified, how they’re prioritized, where the regulated data lives and how it’s being protected, while also providing the ability to generate customized reports at the drop of a hat. Data classification technology also enables the university to demonstrate a security approach aimed at reducing exposure to risk – which also goes a long way with evaluators and assessors when audit time rolls around.
3. Rapidly locate student records and information
Spikes in unsecured data happen most frequently during admissions – a very cyclical and predictable occurrence. With automated classification in place ahead of admission time, this increased risk can be mitigated by the immediate and efficient clean-up of sensitive data as it is created. For instance, during online enrollment periods for college, data is constantly being received and created, necessitating a data protection strategy that continuously monitors the data stored for new instances of sensitive data. When admission files are created, copied, edited, detached from an email, extracted from an archive, retrieved from cloud storage, or otherwise modified, ideally a data classification tool instantly searches, automatically classifies, and reports on the action.
4. Prioritize and determine role-based administrative access to student data
It’s well established that universities are known for their collaborative environment and open access policies – a hallmark that ensures students have any kind of information immediately available at their fingertips at any given time for research and other academic pursuits. It’s also no secret that universities are fraught with a myriad of disparate personnel, many of whom have access to the same sensitive information in order to fulfill their various roles. The broad range of personnel and open access policies often come into direct conflict with compliance regulations and the mandatory security of student data. With critical student data such as Social Security numbers, health and medical records, income and financial aid information, it’s imperative that educational institutions create stringent and enforceable data access policies based on an individual’s role in the institution (e.g. a university nurse may have access to student medical info, but not necessarily financial aid records). What’s more, these policies need to be regularly updated in light of frequently occurring role changes and employee departures.
5. Determine appropriate security measures for disparate student data
Not all student data is created equal. However, for universities, sensitive information is in overwhelming abundance. The reason? University data incorporates all aspects of an individual – from credit card info, to academic records to health and medical to income and financial information, as well as employee and contractor data. In short, it’s a lot. With a constant barrage of student information, it’s incumbent upon universities to determine what data would put the institution at the greatest risk if compromised – and prioritize securing that above all else. For many universities, this requires a significant mindshift — protecting academic records are undoubtedly important, for example, but applications that contain student mental health records or Social Security numbers should be first in line for robust security and compliance protections. While the task of ranking and appropriately securing data might seem daunting, a little effort up front will be appreciated down the road if – or when – university databases are targeted in a cyberattack.
Financial bottom-line
Financially, education institutions generally cannot withstand a breach. For example, the average education institution estimates the cost for one year of credit protection per person after a breach (this is what Anthem had to do), and assumes that they only have to pay for 5 percent of that credit protection cost – which is extremely conservative. The bottom line – post-breach, in a 20,000-person university the cost of credit protection for only 10 percent of the exposed consumers and employees would be over $10 million.
The ability to put data in its appropriate buckets in turn will allow institutions to accurately assess and protect the most critical information before cyber criminals get to it first and costs accrue.
This article was originally featured on the CIO website.