As more colleges and universities transition to the cloud, higher education cloud security can no longer be treated as an elective
As they say, “the writing is on the wall” for the eventual transition to cloud computing in higher education. Like many organizations, colleges and universities are moving to the cloud to reduce the costs of storing data, improve productivity, and enable collaboration. Approximately 70% of higher education institutions have transitioned to cloud-based email systems, while 50% are adopting cloud collaboration systems. But leadership and IT security in academia face many barriers to making this transition, not the least of which are the cost of changing and the ongoing management of a new cloud infrastructure. But the big topic on everyone’s mind is security. Higher education cloud security is much more complicated than cloud security in other industries that have already embraced the transition. IT leaders have to deal with a large amount of protected data being stored and accessed by a broad range of stakeholder groups, paired with a high level of government regulation, on relatively low budgets.
Data security makes transitioning to the cloud particularly risky for higher education institutions. Colleges and universities collect a massive amount of personal information from students and parents. Higher education institutions also need to protect the information infrastructure, intellectual property, and personal information of staff, security information, and more. This information quickly becomes targeted by cyber criminals looking to profit from sales of stolen information on the dark web.
Cyber Criminals Targeting Higher Education Data
“We need not to think, ‘Will a data breach happen at my institution?’ but ‘When will it happen and how will I be prepared?’”
Vice President for Communities & Research
Colleges and universities are tempting targets of cyber attacks due to the amount of data that can be obtained and the relative lack of cybersecurity. With relatively new cybersecurity infrastructures that lack the sophistication of private organizations of similar sizes, for cyber criminals the risk is low and the rewards are high.
EDUCAUSE research reports that information security is increasingly a top issue for IT departments in higher education. As school demographics have shifted to tech-native students and faculty, expectations for easy accessibility exacerbate data security concerns.
The proof is in the data. Lost, stolen, or compromised data records increased in higher education by 103% in the first six months of 2017 compared to the last half of 2016. There were a reported 118 successful cyber attacks on higher education institutions, representing 13% of all breaches that took place in the first half of 2017.
The Rising Cost of Data Breaches for Higher Education
The financial impact of security breaches on higher education institutions, students, and faculty is measured in the millions of dollars. Ponemon Institute reports that the average total cost of a data breach increased by 6.4% in 2018, and that the average number of records stolen increased by 2.2%. In 2018, the average total cost of a single data breach for an organization across all industry sectors topped $7 million.
For higher education institutions, these costs also need to take into consideration the costs and long-term damage that student identity theft due to data breaches inflicts. Students, in particular, are usually just beginning to build their financial futures. An identity theft due to a data breach at school has lasting impacts, which can include the delay or cancellation of student loans, credit score downgrade, time invested in identity theft remediation rather than studies, and psychological and emotional stress.
Government Regulations Impacting Higher Education Data Security
There are several laws governing student privacy and information security that higher education institutions must comply with. Until recently, state laws either relied on or mostly mirrored federal regulations. This is beginning to change as information security and privacy are becoming more important issues in the digital age.
Federal regulations such as FERPA, HIPAA, HITECH, COPPA, and more require high standards of security for student data storage. Information collected and retained by higher education institutions that falls under these requirements includes personally identifiable information (such as social security numbers), personal health and medical information, and personal financial and credit information.
With many high-profile data breaches and other information collection issues deepening public concerns, states are also getting into information privacy and security regulation. According to FERPA Sherpa, the number of state laws regulating student privacy has dramatically increased since 2014. Two main regulations that have been adopted in whole or in part by many states include SOPIPA and SUPER. Both laws prohibit companies from sharing student data and using it for targeted advertising for non-educational purposes.
Finally, the much-hyped European Union General Data Protection Regulation (GDPR) has the potential to have an impact on higher education institutions in ways that many are unaware of.
Higher education institutions that accept student applications, collect alumni donations, or communicate with faculty on sabbatical in the EU are subject to GDPR. Despite the hype, colleges and universities are unlikely targets for GDPR regulators—at least in the near term. Most agree that EU regulators will focus on cracking down on very large, global organizations and bad actors. Nevertheless, administration leaders should be aware that their institutions are, technically, required to comply with data management regulations outlined in GDPR and could face hefty fines to the tune of millions of dollars.
Higher Education Cloud Application Security
Many colleges and universities across North America are more than aware of the need to invest in their cybersecurity infrastructure. But there is a lot of misperception and confusion around how and with what. There are several all-in-one, enterprise-level solutions available. But few do everything well.
Cloud application security (also sometimes referred to as cloud access security broker [CASB]) is relatively new to the cybersecurity space. As more organizations move away from installed software to cloud applications for communication, collaboration, and storage, the need for an additional layer of security has emerged. IT administrators managing such transitions also find that they lose visibility and control of the users and information within their institution's cloud environment.
Higher education institutions working with applications such as Google G Suite and Microsoft Office 365 may think their communications and files stored in the cloud are protected. Further, many rely on cybersecurity giants such as Cisco and McAfee to provide a layer of protection to their information infrastructure. Unfortunately, many are finding that they are losing critical visibility and control of account activity in the cloud. And vendors that claim to “do it all” tend to over-complicate and, surprisingly, hinder IT’s ability to administer effective controls. As in other areas of security, redundancy and a multi-layered approach are most commonly recommended by cybersecurity consultants for an effective higher education cloud security infrastructure.