Universities/Colleges Get a Failing Grade on Data Security


The University of Maryland, Indiana University, and Butler University now all have something in common, and it is not pretty: a data breach. Millions of dollars will be spent and culpability assigned to lax security methods. Each breach has a common theme of “Oops”: we let the wrong person or department handle the data, and they never thought that someone would attack decades of sensitive information. Well, guess what? They did, and these attacks will continue.

The University of Indiana left students vulnerable for 11 months, due to a staff error. A staff error? The University of Maryland says 309,079 student and personal records have been compromised since 1998. Folks, 16 years of vulnerabilities and cyber attacks is absolutely unacceptable. What are the solutions?

Security Solutions

· Get rid of the toxic data through cloud tokenization and reduce your overall PCI compliance scope.

· Hire competent security firms who have your best interests in mind.

· Work under the assumption that a data breach will happen and that you must have security software in place to combat the cyber thieves.

· All “Risk Points” must be assessed and addressed. This includes any area that processes, stores or houses sensitive data.

What are the most common types of breaches?

Phishing attacks - Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

Web Crawlers - A Web crawler is an Internet bot that systematically browses the World Wide Web, typically for the purpose of Web indexing and gathering sensitive information in a network.

Inside Jobs - An employee of the university/college mishandles the information, not understanding compliance standards.

DDoS - A Distributed Denial of Service attack is when a cyber thief renders a network unavailable to its users. This is typically done by sending an inordinate amount of external communication requests in hopes of bogging the network down so that it cannot respond to legitimate traffic. These attacks are increasing in bandwidth and duration.

Why are Universities vulnerable?

Universities and colleges have hundreds of departments, retail stores, hospitals/infirmaries, etc. that use point-of-sale systems (PCI compliance with payment information), house HIPAA data, house Social Security numbers, as well as all sorts of other PII (Personally Identifiable Information). All of these departments are disjointed and use different pieces of security software, hoping that they have done enough to stay out of harm's way. Unfortunately, PII, HIPAA and PCI bring compliance standards, as well as storage standards, that universities must maintain for the lifetime of the sensitive information. University employees need training to understand the massive risks that mishandling data can create.

Lack of data security budgets is the main culprit for higher education. Over 718 data breaches have occurred since 2005, and these numbers will continue to climb as long as universities/colleges store millions of documents that contain sensitive data. Few institutions budget in advance for data breaches. "There are probably a lot of data breaches in higher education that go undetected, probably more so than in other industries," says Larry Ponemon, founder and chairman of the institute. "The universities are not aware of data leakage and the harm that can result. It can cost universities a lot of money." The cost of recovering those breached records averages around $111 per record.

How to Deal with a Data Breach

· Conduct Risk Assessment

· Categorize the Data

· Determine who has access

· Track all Portable Devices and POS

· Determine the cause of the breach with a forensics team

Most states have enacted data breach laws that mandate that the breached university or college inform individuals that their “sensitive information” has been compromised. The National Council of State Legislatures houses a centralized list of the laws and statutes for each state. Generally, these reporting laws are enforceable when collections (hundreds) of records are compromised.

Forward Thinking Data Security

Universities/colleges are hurting their long-term reputations by their inaction against cyber attacks. Whether they have too many departments or too many security devices and software packages that must all communicate with each other, it is time for a new line of thinking. Cloud tokenization can remove this data from their environment and lower compliance and scope. Most TokenEx customers are able to pay for the cloud service (aPaaS) solution through the reduction of compliance and scope. Learn more about how you can tokenize your data environment and not be another casualty. Let the universities/colleges who have been breached teach you a lesson: it is time for a new way to handle data security.

Please visit www.tokenex.com for more information about tokenizing your data environment.
