What Is FERPA and What Are the Necessary Security Controls?
Cyberattacks against colleges and universities are undeniably lucrative for attackers.
These institutions store volumes of data on both students and parents – including personally identifiable information (PII), payment records, and medical history. What’s more, colleges have not historically been great at keeping this information protected.
As a result, attacks against higher education are multiplying in both frequency and severity. Out of 382 confirmed attacks against higher ed described in the 2019 Data Breach Investigations Report, over 25 percent resulted in lost or stolen information.
If you’re an administrator for a college or a university, you probably feel the need to step up. Here are some of the best ways that you can protect your students, faculty, and staff.
1. Secure Your Lines of Communication
The first thing we’d like to talk about represents an entirely new tier of your threat pyramid – Zoom. Right now, and until the COVID-19 crisis passes, students are taking classes and talking to school officials using every collaboration tool under the sun, but Zoom is chief among them with over 200 million active users. This poses some problems.
First of all, Zoom has some usage issues: if it’s not configured correctly, unauthorized participants can join a call, a phenomenon known as Zoombombing. Although this may seem like an ugly nuisance, it’s actually a crime, and at worst, it can result in attackers being able to eavesdrop on confidential information. In other words, if you want to improve security and maintain compliance, you need to investigate how your staff is using collaboration tools and standardize security measures.
2. Prevent Social Engineering
Phishing attacks commonly target educational institutions – it’s easy to target staff who may receive volumes of emails from relatively unfamiliar student addresses, and students themselves might not be aware of security best practices. In 2019, Trojan malware delivered via spam represented 71 percent of all opportunistic attacks, with education representing the most targeted sector.
Protecting students and faculty against phishing attacks requires two approaches. The first is security awareness training, which generally takes the form of a short class followed by regular tests that ask users to identify phishing emails. While this is effective, it’s not perfect – it can reduce the likelihood of a successful attack by up to 15 percent. It’s much more important to create strong email filters and secure file transfer methods. If you always transfer files via methods other than email, phishing scams become much easier to identify.
3. Analyze Potential Risks
The security risks that you faced last year may no longer apply – especially right now. The challenge of creating a secure network with everyone working and learning from home is different and arguably greater than that of protecting a consolidated campus. Attackers are busy finding exploits for outdated VPN systems, taking over insecure home routers, or using information about COVID-19 as a channel to spread malware.
Your job as a security administrator is to create a new threat posture that accounts for these new attack vectors based on their severity and their likelihood, and then promote a security solution that protects everyone no matter where they happen to be working.
4. Understand Compliance Exposure
In addition to cyberattacks themselves, the fallout from a cyberattack might expose colleges to penalties. FERPA, the Family Educational Rights and Privacy Act, requires educational institutions to adopt reasonable methods when it comes to keeping student records safe. Penalties for a FERPA violation might include the loss of federal funding. In addition, colleges that perform research via government contracts must secure themselves under NIST Special Publication 800-171.
Just like cybersecurity, governance and compliance are also changing due to the current environment. A recent Department of Education webinar laid out how educational institutions can remain FERPA-compliant under social distancing. Notably, preventing FERPA breaches means discouraging non-students from observing lessons, which circles us back to our first point about securing lines of communication.
5. Get Ready to Protect Yourself with Progress
One certainty about this new era is that institutions of higher education are going to have a much tougher time going it alone. Protecting student and faculty information was hard enough to begin with, and the task of social distancing makes everything that much harder.
With services like Progress’ MOVEit managed file transfer, you’ll be able to create a secure communications infrastructure that resists phishing, malware, and privacy breaches.