There is a good reason why the Department of Education recently reminded higher education institutions of their continuing obligation to protect data and student information.
While department officials focused their recent update on the security of financial aid information, their message is clear: Institutions need to develop and implement comprehensive cybersecurity practices now.
Unfortunately, no single policy or program works for all universities. Simply having policies and procedures and investing in sophisticated technical solutions is not enough. Implementation of those policies, along with smoothly running processes and operations, is the true test of whether an institution is prepared for a cybersecurity attack — and whether the institution meets the department’s security expectations. Here are some key components necessary for an effective cybersecurity program.
The core of any cybersecurity strategy begins with identifying the most sensitive data. For universities, that could include intellectual property, proprietary research, student information (such as Social Security numbers or health records) and employee data. Without an inventory of data and how it is used, shared and stored, risk mitigation and security will suffer.
Develop a central position to lead the university cybersecurity program and be responsible for the creation of policy, implementation, monitoring, auditing and response. This crucial position should have the authority to manage and delegate operations as well as develop a cross-functional team to support the program.
Institutions are responsible for data breaches caused by third-party vendors. It’s critical to ensure that vendors meet a university’s security standards and communicate and handle data incidents and breaches quickly and efficiently.
Data security is the responsibility of all staff and therefore must be a collaborative effort. It’s imperative to periodically train staff (even those outside the internal response team) on security protocols and steps they must take to keep university and student data secure. Employee mistakes and purposeful misuse cause the majority of data incidents.
Include a press release, notification to students and families, and a website to detail the scope, date, time and victims of the breach. Having templates of a press release, notification and website prepared saves time during an emergency. Templates can also include FAQs on identity theft protection vendors.
Accept that a data incident or breach will happen. It can be stressful and chaotic — from determining the cause of the breach to engaging third-party vendors and working to contain the damage. It is important that the systems and protocols run seamlessly when the inevitable happens.