Higher education institutions and universities house a significant amount of sensitive personal data, such as billing details, medical records, and academic transcripts, which is why having the right cybersecurity protocols in place is critical. A common misconception is that schools aren’t targeted by cyber criminals – the facts tell a different story. Since 2005, 32 million records have been leaked in school data breaches. High-profile college data breaches typically reach mainstream media, creating negative financial and reputational consequences. Stanford University recently disclosed a data breach affecting Ph.D. applications, and McGraw-Hill had a similar attack that exposed 117 million student files.
As regulations tighten around cybersecurity, universities are currently tasked with meeting the FTC Safeguards Rule requirements and maintaining their compliance every year. This set of rules requires all organizations to “develop, implement, and maintain an information security program.” Universities should proactively work to bolster their cybersecurity posture to meet these requirements while also avoiding hefty regulatory fines.
What Universities Should Include in Their Information Security Programs
The FTC Safeguards Rule establishes specific guidelines for administrative, technical, and physical safeguards to protect confidential information.
Implementing Technical and Physical Access to Data Only to Authorized Users
For universities, this could look like user-access permissions that limit each individual’s access to only what is necessary to perform their job duties. For example, admissions workers would be able to access only high school transcripts, applications, and other files relevant to the admissions process. Universities should also have systems to monitor both authorized and unauthorized user access.
Inventorying and Managing Data, Personnel, Devices, Systems, and Facilities
Universities should have a clear view of what devices are being used, by whom, and what they access.
Encrypting Customer Information While at Rest and in Storage
Universities should encrypt data while it is transferred across internal or external networks. This keeps it protected from hackers at all times.
Proactively Identifying a Change Management System
Regulations change, and software applications quickly become outdated. An outlined process is needed for making continuous updates.
Secure Development Practices for Owned Software Applications
Universities use thousands of different software applications for admissions, student communications, billing, classroom management, and more that they’ve either developed themselves or purchased. Maintaining the security of these applications is critical, and any new platform should be thoroughly tested for stringent quality standards before being introduced.
Reduce the Unnecessary Retention of Data
According to the FTC Safeguards Rule, customer data must be securely disposed of two years after it was last used unless it’s absolutely necessary to keep it. This helps prevent backlogs of confidential information from being stored indefinitely.
Universities Should Work with a Managed Services Provider
Cybersecurity is never “one and done” or “set it and forget it.” Universities need constant monitoring and maintenance of their cybersecurity program, ensuring software and applications are up-to-date, vulnerabilities are patched, and regular network scans test for new issues.
Cybersecurity is often not an area of expertise for universities, so outsourcing to a managed services provider reduces in-house costs while also maximizing the performance of your security program. TPx’s managed security helps your school benefit from secure technology and the combined knowledge and experience of cybersecurity experts. Download TPx’s free guide to understanding the FTC Safeguards Rule as well.