When we think of a data breach, we think of malware infiltrating a computer network, stealing information, and turning infected computers into an army of slaves. We usually think of business or home computers, but at educational institutions computers are particularly open to attack. It’s in the very nature of universities to foster international academic exchanges and encourage the free flow of information. The increasing use of collaborative social networking tools such as blogs, wikis and online learning sites, which have clear educational benefits, is placing schools under more and more pressure to reappraise their network security policies.
There is a realization that in order to prepare students for success in the modern world they need to grow up being conversant with the full range of technology tools available. Of course, this also means opening up Internet access further. But this makes university networks harder to administer and translates to unusual vulnerabilities. You don’t have to look far to see the results. US universities haven’t been having a particularly good year. On February 18th, the University of Maryland suffered a breach that compromised the records of 300,000 people. The records included information that any cyber thief would love: names, social security numbers, and dates of birth.
North Dakota University had its own major data breach in February, this one involving 290,000 records. The server was compromised in October of 2013, but the breach wasn’t discovered until February, and wasn’t reported until March. A 2011 report had warned about possible security flaws, though “representatives ‘couldn’t speculate’ as to whether the holes mentioned in the report were used to gain access to the server.”
Spear phishing was the likely culprit in the North Dakota attack. It’s possible that the data was particularly vulnerable because it wasn’t encrypted. Last week, three of the employees responsible for Internet security were placed on administrative leave when “a workplace investigation revealed some employees didn’t think server security was part of their job.”
These attacks don’t just compromise personal data; the cost of a breach is significant for a university. The cost of the Maryland breach is estimated to have been millions of dollars. The university had the expense of hiring forensics experts, notifying affected individuals, and providing five years of free credit-protection services. Most universities don’t budget for a possible data breach, though, as Maryland demonstrates, the expense can be formidable. There’s always the possibility of litigation, and a school may need to pay for mailings, call centers, consultants, and many other expenses.
According to a Ponemon Institute report published last year, a data breach costs a college an average of $111 per record. In one particularly expensive data breach, the Maricopa County Community College District in Arizona calculates that the cost of a 2011 incident could reach $17.1 million or more. There’s a class-action lawsuit on the horizon.
The damage to a college isn’t just the immediate expense. Damage to a reputation is hard to quantify, but significant nonetheless. In fact, it’s estimated that only about half of breaches in higher education are ever made public because institutions feel they have a reputation to maintain, and they certainly don’t want to become known as “the university that was victimized by a series of data breaches.”
Protecting reputations and avoiding the costs of data breaches are going to continue to present real challenges for education. It’s difficult to maintain an open culture while ensuring security. Any educational institution, though, can eliminate what still seems to be one of the most common causes of data breaches: human error. It’s not a good idea, for instance, to ignore known flaws in your network security. Sure, it’s a hassle to ensure you have great security, but compared to the hassle of a data breach, security is simple—and cheap.