Data Privacy for Institutes of Higher Education (IHE)
Published by: Lindsey Rae Downs | 4/5/2017
Data privacy and protection is becoming an increasingly important topic on a personal and professional level and in all fields -not just higher education. Lately stories about hackers gaining access to important data has filled my news feed. We need to focus on ways to decrease higher education institution’s vulnerabilities and safeguard our information. To that end, this week we welcome Stephen Orr, Adjunct Assistant Professor with the Computer Networks and Security (CMIT) department at the University of Maryland University College. Stephen is here to discuss recent data breaches in higher education and includes some suggested solutions. Thank you Stephen for beginning this important discussion for us and our members!
Enjoy the read,
We recently celebrated the eleventh Data Privacy Day in the United States. According to Wikipedia, the purpose is to raise awareness and promote privacy and data protection best practices. We are also honoring the first legally binding international treaty dealing with privacy and data protection. This treaty was signed January 28th 1981 at the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
Thinking back to January 28, 2017, how did you celebrate? Odds are you didn’t. In fact, you probably have never heard about Data Privacy Day. The day passed with no party, no thought of data privacy, and sadly, no cake.
While we are a few months removed from January, it is never a bad time to celebrate, and at the very least reflect on what Data Privacy Day means for institutes of higher education (IHE).
In 2016 there was a 40% increase in data breaches from the previous year. Perhaps one of the most infamous examples was the OPM data breach, where personally-identifiable information – such as names, dates and place of birth, addresses, medical history, even Social Security numbers and fingerprints – of more than 20 million US citizens was stolen. The cybersecurity threats faced by institutes of higher education (IHE) are no different than the threats faced by any other industry. In fact, it is well documented that attackers specifically target IHE for exploitation. A targeted exploit can be through the use of a phishing email whereby the user is tricked into clicking on a malicious link, which in turn exploits and provides the attacker access to the computer. After exploitation, the attackers can find the data of interest, and steal it. Per the National Strategy to Secure Cyberspace, IHE are subject to exploitation for two reasons: (1) they possess vast amounts of computing power; and (2) they allow relatively open access to those resources. Although IHE have traditionally been considered more ‘academically open‘ by nature, there needs to be a balance with cybersecurity.
In July of 2013 it was reported that 72,000 student’s identities were stolen from the University of Delaware. This was estimated to cost about $19 million. In 2014, it was reported that 300,000 records at the University of Maryland College Park were copied. The information taken included names, social security numbers, dates of birth, and university identification numbers. Also in 2014, North Dakota University system reportedly had their computer systems exploited, providing access to 290,000 past and present student records.
There are many other IHE breaches that could be listed, but you get the point. Between 2005 and 2014 there were 727 reported IHE breaches with 27,509 being the average number of records exposed. If interested, you can visually interact with the biggest IHE data breaches from 2005 to 2014 by visiting the following webpage.
So what happens after these breaches? Usually a public apology followed by a promise to focus on the organization’s cybersecurity posture, and the promise of credit monitoring for all of those affected. All of which comes at a significant financial and reputational cost.
Perhaps we should be more proactive and not wait for the data breach?
So what is an IHE to do? There are many details that are beyond the scope of a single blog post. That being said, let’s explore what these are at a high level.
Second, focus on cybersecurity fundamentals. Don’t focus on the Advanced Persistent Threat (APT) or zero-days. Advanced persistent threat attacks can be traced as far back at the 1980s, with notable examples including The Cuckoo’s Egg, which documents the discovery and hunt for a hacker who had broken into Lawrence Berkeley National Laboratory. It’s hard, if not impossible to stop a well resourced APT with a zero day. According to Gartner’s Top Security Predictions, 99% percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year. It stands to reason that focusing on the 99% (fundamentals) should be the focus.
The fundamentals include a comprehensive cybersecurity system, which must have locks (perimeter defenses), waiting rooms (for behavioral analysis), ears (for listening for abnormalities in huge streams of data from many sources), eyes (for scanning for abnormalities), a brain to make sense of all of this information, and arms and hands to take action to remediate the threats. There are many public and private organizations that offer advice on how to accomplish this goal. For example, NIST and the NSA Information Assurance Directorate (IAD) offer freely available resources for any organization to use.
Third, protect the data stored at rest and in transit across the ‘secure systems’. Strategy (how), policies (course of action), technical solutions (encryption, hashing, salting), and skilled human capital (implementation) are all needed to be successful. To be clear, this is not a one and done proposition. Data privacy requires vigilance and constant monitoring. It may even be prudent to establish a Chief Privacy Officer (CPO) to centralize and streamline the privacy and protection of the IHE data.
In summary, know what data you have, know where it is, know who is in control of it, know the policies and procedures the dictate how and by whom it can be used, know the technical safeguards, and know what the plan is when all of the best attempts to protect the data fails.
Stephen R. Orr IV, Ph.D.
Adjunct Assistant Professor
Computer Networks and Security (CMIT)
University of Maryland University College