Student Data Breaches: The Real Costs of Poor Integration
Higher education institutions and data breaches go together like a toe and a ledge. It’s a terrible combination that causes real pain, but for some reason the problem is rarely fixed… and then the toe inevitably gets stubbed again.
You don’t have to dig far through Google search results to find countless examples of universities that have been targeted by hackers, and of systems that have been breached, leaving critical data accessible.
In July alone, 62 colleges and universities across the US were targeted through a security flaw. According to Inside Higher Ed, the breach gave hackers the ability to “move laterally through administrative systems and access sensitive information. Attackers could also potentially manipulate this information, perhaps changing personal information or grades, dropping students from their courses or denying them student financial aid.”
According to Joel Rosenblatt, Director of Computer and Network Security at Columbia University, higher education institutions are a promising target for hackers because of the kind of information they have to collect on students.
“We collect social security numbers, passport data, credit card numbers and a host of other personal information, all of which is just what hackers want,” he wrote in an article on The EvoLLLution.
Data breaches are no small matter and can cost colleges and universities dearly. According to IBM, the average cost of a data breach for an organization in the United States is $8.19 million. IBM’s report on data breaches also points out that only 24% of data breaches are caused by human error. A quarter of breaches are the result of system glitches, and a whopping 51% of data breaches are caused by malicious or criminal attacks.
“Breaches and the sensitivity around them are increasing, both within higher ed and externally in the general population,” said Gary Langsdale, University Risk Officer at Penn State University, in an interview with The EvoLLLution. “There is an exponential increase, particularly in higher ed, in the use of systems for collaboration, which means that more personally identifiable information is out there in more places.”
Collaborative systems are the reality of a modern postsecondary institution and are essential to delivering a high-quality student and staff experience. For students, they provide a single point of entry and a single account for managing their experience with the entire institution from one place. For staff, this kind of unification allows for simplified access to information and the capacity to ensure only accurate and up-to-date content is being shared, while minimizing the chance of errors caused by oversight.
The response to data breach incidents cannot be a fear of best-of-breed environments. Instead, the response needs to be an increased focus on security infrastructure and compliance, both internally and among the range of third-party providers partnered with the institution.
“IT leaders should take a fresh look to make sure everyone is looking at every system they’re planning to update or put into place,” Langsdale continued. “It’s up to the IT leaders and the other business leaders within the university to push the vendors very hard on the vendors’ responsibilities to make sure to safeguard the systems and to accept responsibility when breaches occur.”
What’s more, IT leaders need to ensure that student and staff log-ins are both simplified and secure… which can be a difficult tightrope to walk.
“One of the first things I recommend is single sign-on with multi-factor authentication (MFA). Using passwords as the only protection against compromise is, in my mind, akin to an open-door policy for infiltration,” wrote Rosenblatt.
It’s critical for university leaders to recognize that they have to assess their partners not just for the quality of their product but for their capacity to deliver a level of security that protects the institution from a breach. After all, when a student sees that their data has been hacked, they’re not going to track down the phone number of your SIS vendor. They’re going to call their institution looking for answers.
The first place to look is at the nature and quality of the integrations between your various systems.
Last updated: February 1, 2021