Because of the amount of information that is shared on campuses every day, higher education institutions are often a target for hackers. Colleges and universities are responsible for protecting the sensitive data (e.g. social security numbers, financial records, research data, student loan information, payment card numbers, PHI, etc.) of their students, families, employees, patients, alumni, and donors. Just last month, Australian National University disclosed unauthorized access to significant amounts of personal staff, student, and visitor data extending back 19 years. In 2018, we saw almost 150 universities worldwide breached by Iranian hackers. In this targeted attack using spear phishing, hackers were able to steal almost $3.4 billion in intellectual property.
Not only can a breach be devastating to a college’s already limited budget and funding, it can also cause significant reputational damage. In retail, reputational damage is easy to track through stock price. In higher education, reputational damage is harder to quantify, but can still be seen through changes in enrollment numbers, decreased donor contributions, decreased spending on campus, etc.
The way a college or university manages a data breach will directly impact its reputation after the dust settles. If your institution does fall victim to a data breach, what are some of the best practices that we have learned from the breaches that came before?
- Act quickly
Currently, the average time it takes to detect a breach in education is 217 days, with an additional 84 days to contain it. The faster a data breach is identified and contained, the lower the costs. As soon as you become aware of a breach or incident, take all necessary steps to isolate the issue and limit further data loss. Though you do need to react quickly, there are some things that you should NOT do. Don’t shut down any machines or devices until your information security/technology team has investigated, so that you do not cause further problems or destroy forensic evidence. Log all actions taken throughout your investigation.
- Implement a comprehensive Incident Response Plan
Effective handling of a data breach is best achieved with advance planning to ensure the institution’s response is effective, efficient, and timely. Having a solid plan in place allows you to distribute information as quickly and accurately as possible, and ensures the right team is involved and can immediately carry out your response and recovery efforts. Team members should understand their individual roles and not have to waste time determining who is responsible for what and in what order steps should take place. Test your response plan at least annually to ensure there are no gaps, and update it whenever team member responsibilities change.
- Be the first to communicate
You want to be the first source to publicly share the news. If someone else breaks the news on Twitter, this will immediately put your institution on the defensive and at a disadvantage in maintaining trust. Studies show that one-third of those who found out about a data breach directly from the organization actually ended up trusting the organization more after the event than they had before the breach. In today’s world, customers know that data breaches happen often, but by demonstrating how capable you are of identifying a potential concern and how seriously you take your responsibility, you can more quickly recover from the incident.
- Draft your notifications carefully
You will want to consult with public relations, legal, IT, etc. to make sure the information in your notification is correct and is being presented professionally. As much as possible, be open and honest about what occurred, and accept responsibility if the organization was at fault. Communicate facts. Provide details and explain why and how the incident happened, but be careful not to provide so much information that hackers could launch another attack before you have time to remediate any potential vulnerabilities. Describe both the immediate and the long-term solutions that will be implemented to fix the current problem and prevent future incidents. Keep all those affected up to date as the situation evolves, and follow up after the incident to reassure your audience that steps have been taken.
- Know which laws and contracts apply to data types
Federal and state privacy laws may also have strict rules for notifying those affected. For example, GDPR requires organizations to report data security incidents within 72 hours. The New York cybersecurity regulations also require a 72-hour notification. Texas’s Identity Theft Enforcement and Protection Act requires notifications to be sent to affected individuals without “unreasonable delay”, but no later than 60 days after identifying a breach. Washington recently set new notification requirements, reducing the prior 45-day notification timeline to 30 days. As you can see, these laws vary widely, so understanding your requirements is critical.
- Don’t forget about service providers
Organizations such as colleges and universities, which store high volumes of sensitive data, remain prime targets for hackers. However, the vendors and third-party service providers used by these institutions also make good targets, as they can provide a way in. Limit access for third-party vendors and ensure you are evaluating the information security posture of all third parties at least annually. Obtain compliance documentation regularly, verify that appropriate data protection contract language is in place, and confirm which party is responsible for what (i.e. notifications, credit monitoring, etc.) in the event of a breach. For a checklist of what steps your organization can take if a third-party service provider is breached, click here.
Higher education continues to be an active target for hackers. Of course, your institution should be working tirelessly to implement and maintain secure environments and prevent potential incidents from occurring, but if and when a breach does occur, follow the steps above to try to create the best possible outcome for those impacted, as well as for the college or university.
Additional guidance from our Security Advisor team below:
[Burt]: From my experience, one of the most overlooked risks in higher education would definitely be the lack of investigation when using third party service providers. In other words, many of the institutions I/we visit have numerous third party entities that are providing services on the campus and/or have been tasked with being the outsourced online partner of choice. In either case, a common answer received from the campus when asked about third party compliance or security status is, “they are a separate entity and if a security incident or breach occurs, it won’t be our fault, we aren’t responsible, etc.”
Unfortunately, as stated in the article above, this can lead to potential issues or ramifications for an institution’s reputation (e.g. impacting donation levels). Even if the third party is not technically part of the college or university, if an incident occurs (at the very least during the initial notification process) the name of the institution will more than likely be part of the conversation. My guidance to all customers is to ensure there is a complete list of all third parties doing business on campus or performing online services on behalf of the institution. Once the list is compiled, there needs to be a process in place to annually review any compliance obligations, as well as contract language within agreements. In addition, there should be a process in existence that will allow institutions to review any new partners prior to procurement. Future issues can be avoided by performing proper due diligence during the investigation process.
EDUCAUSE Sensitive Data Exposure Incident Checklist