Data Security Risks in Higher Education

Posted by Mark Greisiger

A Q&A with John Sileo, Sileo Group
Data security and privacy are a growing concern among educational institutions, with some 727 breaches taking place in higher education from 2005 to 2014, according to the Privacy Rights Clearinghouse. I spoke with John Sileo of The Sileo Group about the reasons this space has become particularly vulnerable to data loss.

What are the greatest security threats facing higher education institutions now?
Ignorance: Many universities don’t know the threats they face. Arrogance: Even if they know, they somehow think that they are exempt or that it just won’t happen to them. Inaction: In spite of knowing [the risks] and seeing other universities targeted, they do nothing to defend their digital footprint. Having spoken on these topics at many universities, I see the same basic attitudes and behaviors over and over again.

What is it about these environments (physically, culturally, policywise) that creates risk?
They are institutions founded on the backbone of trust. We trust our children to [be safe at] universities; they trust their professors to educate them well, and on it goes. This culture of trust is fantastic, but it also leads to a certain naiveté. Universities can have both trust and security, but it’s a delicate balance. It is important to infuse the culture of trust with an attitude of caution and verify the security of data before it is shared.

What are some of the most egregious examples of data loss events in higher education?
University of Nebraska (650,000 breached records at an estimated cost of $92 million), UCLA (800,000 records), Auburn University (14,000 victims), Delaware (74,000 victims) and Texas (200,000 records). This is but the tip of the data breach iceberg when it comes to universities.

What is the climate like in terms of awareness?
Higher education is as much in denial as in any industry I’ve worked with. Because of a combination of a lack of dedicated funds and a deeply held belief by universities that data breaches are a “corporate” issue, they are ripe for the picking. Additionally, the prospect of stealing prime intellectual capital from the university is an added bonus for criminals.

What can be done to mitigate these risks?
Schools can start by educating the leaders, administration and faculty about the risks that exist. For example, two years in a row, I have worked with the University of Massachusetts to visit all five campuses and the president’s office to raise awareness about cyber security and identity theft. I’ve done the same for Wellesley, Olin, Babson, Northern State University, University of Colorado at Boulder and other forward-thinking, proactive universities. Just starting the conversation and showing faculty, administration and students why it matters from both a personal and a professional perspective is the first step.

In Summary…
We want to thank Mr. Sileo for his insight into higher education and (in)security. Universities are often entrusted to safeguard vast amounts of private information (SSN, financials, health records, etc.) on thousands of current and past students, alumni and staff. All of this sensitive data often resides in highly decentralized IT environments (and yes, amid an often open/trusting culture) which can lack uniformity and baseline infosec practices—which then leads to mishaps. I would add to his list of major data loss events the massive class action lawsuit impacting Maricopa County Community College (2.5 million victims) with costs reported to be at least $20 million. On the plus side: You don’t often see class action litigation taken against the ivory tower for its anemic safeguard practices.