A rash of data breaches at big names including Target and the University of Maryland highlight a need for better security of personally identifiable information.
Compared to 2012, more than triple the number of records were exposed last year, to the tune of 823 million records, according to a February 2014 report from Risk Based Security and the Open Security Foundation. While more than half of reported incidents occurred in the business sector, 8.2 percent came out of the education sector.
"The No. 1 thing that I think we need to think about in terms of universities and security is that we are living in a changing world, and the changing world is that walls are coming down, people want more access to more data, and they want to connect to these personal devices," said Jeffrey A. Ingalsbe, director of the Center for Cyber Security and Intelligence Studies. "On top of that, we want to go online so we can take a class anywhere anytime."
As more people want to connect in different ways, universities will have a harder time securing the treasure trove of personal information they collect if they don't get the basics down now, said Ingalsbe, who is also chair of the Computer Information Systems and Information Assurance Department at the University of Detroit Mercy. He and another security expert laid out 10 basic steps that universities can take to mitigate data breaches.
Below are five steps from Robert Guess, assistant professor of information systems technology at Tidewater Community College in Virginia, followed by five steps from Ingalsbe.
1. Limit the information that you collect and store
"The best way to protect information is to avoid collecting it as much as possible," Guess said.
2. Avoid using Social Security numbers
Many universities have been switching from Social Security numbers to internal student IDs. But in an incident reported on Feb. 19, hackers accessed more than 309,000 Social Security numbers and university identification numbers — along with names and birth dates — from a database at the University of Maryland. If the university had redacted all the information except the internal student IDs, they could have protected it better, Guess said.
Another recent incident also involved Social Security numbers. On Tuesday, Feb. 25, Indiana University announced that a website with about 146,000 student Social Security numbers was left unlocked for 11 months following a security change.
"Colleges host a tremendous amount of non-public personally identifiable information, and they must remain stewards of that information and treat it with care," Guess said, "not just because it's the right thing to do, but because it's their lawful duty."
3. Employ a strategy with defensive depth
Once universities decide what information to collect, they should classify it by sensitivity so they can focus on protecting the most important data, including Social Security numbers.
Ideally, universities would prevent unintended disclosure of information. But if they can't prevent it, they should at least detect it and be able to react, Guess said.
Tools at their disposal cover both human and technical controls including policies, firewalls, and system architecture and design.
4. Staff a security operations center 24/7 with competent employees
5. Consider implementing data loss prevention systems
6. Educate employees about security risks
Employees should be made aware of the risks that are out there and what they can do to protect both themselves and the university, Ingalsbe said.
"If I had a buck to spend on security in any organization, it would be on awareness," Ingalsbe said.
He teaches every employee in his department about spear phishing, risky activities and safe activities.
7. Understand who is accessing your data on your network, and how
Colleges should figure out every connecting point — whether it's an inlet or an outlet — in their network and whether those connections are necessary.
8. Encrypt liberally and appropriately
Encryption can help protect data stored in databases, but universities shouldn't just slap encryption on everything. They should do so strategically.
For example, two of the most common encryption schemes used for public Wi-Fi are easily crackable. WPA2 is really strong, but not all laptops support it, so many people don't use it.
9. Divide your network appropriately into separate physical areas
With a variety of virtual local area networks, universities can divide up their network to protect data. The treasure that universities value the most should have the least access and the tightest control.
10. Comply with all data security regulations
Compliance does not equal security, but compliance requirements can help universities think through how to protect data. For example, universities with hospitals have to comply with HIPAA.
Over the last eight years, universities experienced the most repeat incidents with 565, followed by financial services, federal agencies, technology service providers and hospitals, according to the February report. These repeat incidents are due largely to hacking, followed by fraud/social engineering, stolen laptops and Web-based disclosure.
Indiana University has had a rough time protecting medical data in the last four years. Indiana University Health Arnett and the Indiana University School of Medicine had laptops stolen in 2011 and 2013 that included patient information such as dates of birth, medical record numbers, diagnoses and Social Security numbers. And in 2011, the School of Optometry inadvertently exposed health information of 757 patients on the Internet for nearly a month.
The bottom line
It's hard to stop rogue hackers who will spend six or nine months trying to crack a university system or to stop mature hacking operations from China that are working on national security or economic goals. But universities should keep financial data, health data and other sensitive information in separate virtual local area networks and use industry standard guidelines to do so.
And it's in their best interest to work together as an academic community to get data security right, Guess said.
Parents can tell kids to clean their room, and they'll technically do it, but it's often sloppy and half-finished, Ingalsbe said. Similarly, many data breaches come from sloppy security where people forget to do these basic steps 100 percent of the way.
"In my mind, what universities need to know about data protection in this era is you know what, start from ground zero, do all of the basics, and do them well," Ingalsbe said. "If you do that, you're going to eliminate 90 percent of all of the breaches that we've seen."