Higher education institutions house lots of important data that bad actors can access and sell on the dark web, like students’ social security numbers, financial aid information, and national security research. Protecting this information should be a high priority for institutions, but it’s not always easy to apply best practices and enforce compliance measures. We chat with Brandon Sherman about these issues.
Brandon Sherman: In the higher education sector, it’s estimated that a breach will cost a school $450,000. And within the last year, ransomware has doubled in the sector and education has consistently been considered one of the worst protected sectors.
Ginette: I’m Ginette,
Curtis: and I’m Curtis,
Ginette: and you are listening to Data Crunch,
Curtis: a podcast about how applied data science, machine learning, and artificial intelligence are changing the world.
Ginette: Data Crunch is produced by the Data Crunch Corporation, an analytics, training, and consulting company.
Brandon: I’m of counsel at the law firm of Mayner, Cooper & Gale in the DC office, uh, I work in their higher education practice group, and part of that practice involves cybersecurity for institutions of higher education. Previously, I was at the US Department of Education, special counsel to the deputy secretary. And in that role, I led the new approach or development of the new approach, to campus cybersecurity, and as well as advising senior staff on higher education matters. You know, schools have a lot of information, financial information, such as kind of the FASFA data, the student and parent income information, as well as student level award grant data, financial aid history, and as well as kind of this personally identifiable information, uh, the banking information, social security information, and also important note, and I’ll get into that later, that it’s considered controlled unclassified information. And for research institutions, you still have sensitive national security/Department of Defense type research, which of course is going to be attractive to the bad guys.
So you have this very valuable information, financial information, national security information, regardless of the type of school you are, and even the third party servicers are going to have some of this information that especially the ones that are assisting schools with financial aid side, and what the bad guys wanna to do with this information is they want to sell some of this PII on the dark web. They’ll encrypt the school systems for ransom, and that’s known as ransomware. Yeah, that’s certainly been on the news and, and there are also occasions where the bad guy will log in and get access to a school system. They’ll adjust a student’s files financial aid files. They’ll, they’ll add in their direct deposit information and suddenly those dispersements will be going to the bad guy’s account in the Cayman islands instead of the student. And this has happened previously, and obviously this is going to do a lot of damage and, uh, to a frightened student. And this is why schools need to take not only the compliance measures, but also those technical best practices.
And not that I need to alarm you anymore, but just to give you a little data, in the higher education sector, it’s estimated that a breach will cost a school or in $50,000. And within the last year, ransomware has doubled in the sector and education has consistently been considered one of the worst protected sectors.
There are a number of reasons for that. Uh, you know, could be budget cuts, kind of the idea that schools have academic freedom. Schools should be open. And sometimes also there’s not always a coordination between the staff that’s generally responsible for compliance requirements with the kind of the IT-side of a school.
In addition to these, the threats to your data, there’s also a compliance requirements, and schools and to participate in title four, agreed to comply with the Gramm-Leach-Bliley act and the safe cards rule and that’s, and that addresses the safeguarding of customer financial information. And that will be your title four information. And that requires that you have a written information security program that you have a kind of a security coordinator, you perform risk assessments and also that you monitor the compliance of your third party servicers. If you don’t meet those requirements, you could lose your eligibility to participate in federal aid programs. You could be fine by the Department of Ed. You could be suspended and also placed on heightened cash monitoring.
So there’s very significant requirements. There’s also an, a breach reporting requirements with both the Department of Ed and also, uh, with states, you know. In addition there’s FERPA, and if you have ties to European Union, the GDPR, but Department of Ed, you know, the focus is really on, have been on GLBA.
Now, I think it’s very important to know that in February, the Department of Ed announced that they’ll be requiring schools to meet NIST 800-171 requirements. And that’s part of the federal government-wide CUI program. And because Title IV information is considered CUI, in the national archives and records administration requires federal agencies that share this information with non-federal organizations to require them to meet these NIST 800-171 requirements. And that’s, these are very prescriptive set of requirements, security controls, and there’s about 14 families or categories. Some of these you’re already doing and others are best practices, but some are going to be when you’re going to meet the timeline will be about a year or two for full compliance are going to be certainly new and may cause a little bit of a financial burden. And this is where consultants and third party services will have a role.
And so they’re going to, there’s going to be authentication requirements, maintenance requirements, just to name a few. And also you should kind of keep in mind that Gramm-Leach-Bliley Act is undergoing rulemaking right now. And, and that’s been very controversial in the sector, and that’s going to be, uh, likely to involve some very prescriptive set of requirements.
Right now, the role is kind of very flexible. So that’s something that’s certainly keep your eye.
Curtis: And what does that rule exactly? Just for those that aren’t familiar.
Brandon: So that’s the Federal Trade Commission’s Gramm-Leach-Bliley act safeguards role, and that requires financial institutions to safeguard and that customer financial information. The federal trade commission consider schools that participate in Title IV, and perhaps also schools that do not, consider them financial institutions.
And that kind of kicks in these, these requirements. So within the last two years, the Department of Ed has required, as part of your compliance audits, that GLBA is audited. And you, based on the findings for these two years, there’s been a couple of common, common, um, findings of that schools have to, we’re going to have, we’re going to have to remedy. And that includes, I think this is very important to know. Some schools don’t even know that GLBA is required for Department of Ed purposes and also Federal Trade Commission purposes as well. And that extends also to the third-party servicers that are involved in the process. The most common finding is a failure to perform a risk assessment. There are schools that haven’t identified a kind of a point of contact.
And that’s a way for the department to reach out to someone when they find out that a brute, when the department finds out that a breach has occurred. The other big finding is the failure to have a written information security program.
Now, prior to these audit findings, there kind of been a couple of notable examples of non-compliance. And that includes a school that was sharing passwords of the, uh, kind of the financial aid system with students and staff. Um, you know, there, there was a school that was using a program that captured keystrokes on a keyboard, uh, kind of known as a key logger, and the department became aware of it and the school was no longer able to participate in Title IV until that was corrected. Um, there’s been a school that was scanning and storing PII to a network that could be easily accessed.
So these, these are some of the more egregious examples of noncompliance, and, um, and just really practices that, um, any school or any institution, um, and sectors really should not um, be doing.
Curtis: K, so there are their auditors that will come in and try to find these errors or how . . .
Brandon: So that that’s a great question. So the school’s independent auditor will among other procedures or compliance requirements now audit for GLBA compliance. So your accounting, your auditing firm will look to see if you meet these basic basic areas of GLBA.
Curtis: And if not, you said there’s fines involved and those kinds of things. And also just the example you gave of student information being available on this network, you know, who knows what people are doing with that, right?
Brandon: Right. So what will happen is if the auditor reports a noncompliance finding is that will go to the Department of Ed’s the technology office, and they’re going to assess the level of risk they may ask for more information. And their goal is really to ensure that this information is secure, and those are also referred to the Federal Trade Commission for enforcement, so, you know, once all that happens, it’s a really serious matter. The matter could refer to, um, the enforcement on our, or the Department of Ed.
Curtis: What are some of the best ways schools can, can comply with this or protect their data, and like you said, there’s a lot of data systems the schools are dealing with. Sometimes IT and the compliance departments, like, don’t talk to each other as much. Right? So how, if you’re in charge of the school, how do you, how do you handle this?
Brandon: You know, this is, this is where school leadership can have a role ensure that the IT staff and really all staff, are kind of are trained and not only on kind of the best practices, but also aware of roles in the, in the event of a breach, uh, you know who’s going to be the lead contact and, and certainly leadership should be informed of a breach and really there’s that oversight responsibility. And the end of the day, they’re held, held accountable.
Curtis: And I imagine you probably know some best practices or common pitfalls that people fall into where, “oh, I didn’t think about this and I should have,” and so forth. What advice would you give to people to be able to secure their data and make sure it’s all compliant?
Brandon: Sure. So, you know, there’s, there’s a couple of, uh, really best practices and implementation strategies that everyone should be doing, and they are really very simple, and they will prevent a, the vast majority of attacks. This is just based on the Department of Ed analysis. And the first one is kind of that multifactor authentication. So in addition to having a, kind of a username and password. You have some other authentication requirement, it could be kind of a token, uh, you know, an ID card.
I get, uh, alerts on my phone and a kind of a push notification, and I hit accept. And that’s a very good way .Of securing your systems, your emails. Training is, is very important. You know, ensuring that firewalls firewalls are updated. You’d be very surprised how many schools do not update their firewalls and, or they’re not properly configured.
And one other way, I’ll say is restrict access really to those that need that information. Professor or faculty member doesn’t need a student’s financial information. And that’s just more, the more goes around the, the, the higher, the risk.
Curtis: So making sure those user roles are really, really tight. And is that also part of these regulations and compliance rules that, that going around those best practices, are those woven into these things?
Brandon: Um, currently, no, the compliance requirements under GLBA, don’t tell you how to secure your systems. It just tells you, you need a plan. Now this, you heard 171 when that’s rolled out, it does have a, a set of security controls that are very prescriptive, like multi-factor authentication.
Curtis: Got it. Okay. And when does that, when is that rolling out? Do you know or just estimate a time.
Brandon: We’re looking at about a year or two from now, but schools are certainly encouraged and have been encouraged in the past to assess your level of cyber maturity. You know, I encourage you to do that now, and there’ll be a number of kind of administrative and technical changes that, uh, many, many schools will likely need to make. And it’s a good idea to kind of get that started now.
Curtis: You mentioned this at the beginning, but we’re hearing more and more about cyber attacks and the risk level is increasing. Um, higher education seems to be a fairly large target. Are you seeing a higher incidence of, of schools sort of being attacked and, and data breaches happening in, uh, in, in the U S today?
Brandon: Yes. So from 2019 to 2020, there’s been a a hundred percent increase in the number of ransomware attacks. And I think that’s, uh, is not, is no surprise. And in ransomware, certainly the kind of a leading cause of a cyber incident.
Curtis: Are these attacks becoming more sophisticated to where maybe schools need even additional controls or additional security than, than maybe they typically would have?
Brandon: Yes. Um, you know, some of these bad actors have these have new ransomware codes that are, um, you know, making it difficult to even under the best controls to completely protect against randsonware.
Curtis: Got it. Okay. It would be, uh, a matter of trying to stay on top of this, right? Maybe you have some people at your school assigned to this to stay up on what new technologies do we need to be able to handle these new threats coming out?
Brandon: Absolutely. And that discussion should include school leadership to ensure that the proper financial resources are being dedicated to cybersecurity.
Curtis: Is there data that, you know, that tells us what the typical on what’s the most typical way that the cyber cybercriminals get into to schools. Is that they send a phishing email, right, and then someone clicks on it and someone gets in, is there, is there, uh, one or two most common ways that schools get hacked that can defend against?
Brandon: Yes. And, you know, th the ransomware through, you know, the fishing that is the number one way of hacking into, or gaining access to a school system, by far.
Curtis: Got it. Okay. And is that mainly just training for a training for people so that they don’t click on those links or are there some other measures you think . . .
Brandon: Training is, is a big way. The Department of Ed is also big on testing. So it’s a school perhaps sending around a, you know, an email that looks like it’s safe, and it’s a good way to evaluate the school’s awareness, a staff’s awareness of a potential ransomware attack.
I’d also would say, insider, there is a number of insider threats as well. Maybe a disgruntled employee is preventing or creating a situation that makes data increasingly vulnerable.
Curtis: I mean, that’s an interesting, well, how do you, how do you guard against that?
Brandon: This is where the restricting access to those that really need to know or have access to those policies are very important in ensuring that, um, this information is sometimes is encrypted if it’s sent out, uh, not necessarily the receiver will be able to, um, you know, you read that material. So, and then also screening personnel, and that will be required under NIST, but you know, conducting background checks on your staff and monitoring. I was the last thing I would say, also monitoring the use of a school systems.
Curtis: Got it. Gotta see who’s doing what and tracking all those, all those movements. Okay. Are there any last words or pieces of advice that you would give leaders of higher education institutions?
Brandon: The Department of Ed puts together some very good resources. There’s the FSA handbook puts into non-technical terms the department requirements us certain, which is part of DHS also has some best practices. So those are the kind of resources I would certainly look into. It’s all, this is free. And, you know, I think if you take the, you know, the, you know, the basic measures and have a, at least what I would call a moderate level of cyber maturity.
You know, you’d be able to prevent, but, um, the majority of attacks, but, uh, no school’s ever going to be 100% here.
Curtis: Great, but what do you know, do all you can write to, to try to avoid this stuff?
Brandon: So, yes, and certainly notify the department of a breach. Don’t try to hide. The faster you, you know, notify department, they’re going to work with you to hopefully prevent further damage and, and to minimize the, the amount of information that’s released and in kind of get you back on track.
Ginette: A big thank you to Brandon for being on the show. As always, go to our website, datacrunchcorp.com/podcast for the transcript and attributions.
Attributions
Music
“Loopster” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/