CDE Blog

Data Security at Universities

Written by Lori London | May 9, 2017 4:00:00 AM

Colleges and universities remain one of the prime targets for hackers and identity thieves.  However, stopping the criminals from accessing the sensitive data has been no easy feat for educational institutions.  The large quantities and variety of data in the broad networks of universities makes protecting the organization from cyber-attacks very difficult.  What’s more, the values and primary concerns of universities often leave them unaware of the true threat to valuable data.  In 2015, nearly 25 percent of the 557 state universities in the United States were vulnerable to a data breach, many of them in the dark about their vulnerability.  As technology continues to evolve, so does the battle between the educational sector and cyber criminals.

A Complex Threat

There are many difficulties involved with protecting colleges and universities from data breaches.  The networks at educational institutions could be considered treasure troves for greedy thieves who could be looking for data including any of the following:

  • Credit cards and banking information
  • Social security numbers and other personal identity details
  • Intellectual property
  • Private research
  • Medical records

With stored records in the tens of thousands each year, gaining access to the infrastructure of a university is a major gain for hackers involved in selling information on the black market.  Much like securing a large corporate or healthcare network, securing a university record becomes more and more complex as the size of the organization grows and individuals come in and out of the network.  However, what makes the threat of data breaches at universities unique is their encouragement of an interactive open culture.

Universities often operate with what most in the data security industry would call a loose security policy and rarely have very strong and secure central policies.  Students, professors, and other individuals come from all over with their own devices and expect to be able to access a university’s network to exchange information.  Without much control over who is accessing the school’s network, when they’re accessing it, or with what devices, universities have a hard time pin pointing malicious activity before it’s too late.

Challenging Solutions

While the most obvious answer to better data security is often more stringent policies and tighter reigns on network access, this solution doesn’t quite work for colleges and universities.  With so many different departments involved, maintaining and enforcing almost any security policy becomes much more difficult.  The resistance to restrictions from faculty and students is often an even larger obstacle to establishing better data security at universities. The need for access to online resources across educational institutions often leads to the lack of security procedures and causes gaps in data protection across the organization.

When it comes to payment processing and data security, card companies, banks, and the PCI council are pressuring educational institutions to strengthen their security on payment data.  Some universities, like James Madison in Virginia, have organized a PCI committee that works to oversee and centralize the efforts of the school to maintain compliance across all departments and offices that accept card payments.  Still, the difficulty involved with maintaining PCI compliance across campuses proves to be immense due to the sheer number of payment transactions and the total amounts.

Developments Continue

There’s no doubting that cyber security at colleges and universities should be an area of major concern.  However, many educational institutions are still unsure about how to protect their data in an ever-changing technological landscape.  Even large universities like Penn State, which was hacked in 2015, are often left exposed to data security threats for years without even knowing.  Now, solutions like P2PE are offering universities the opportunity to minimize their risk by protecting credit card information by encrypting it at the POS and preventing it from being exposed as clear-text data in the university network.  Developments, like P2PE, that shrink the scope of the university’s data responsibility are invaluable tools in protecting the institutions from potentially devastating attacks.

By prioritizing the protection of what is potentially the most sensitive personal information, financial data, universities are taking a great first step in improving campus cyber security.  While the options for limiting the hardware and software of students and faculty are slim to none, universities should continue to take advantage of the most secure technology for their infrastructure.  Over time, making data security a constant effort and valued practice will prove to be the universities’ best move.