Data Loss Prevention for Higher Education

Hardly a day goes by without a media report about a data breach that exposes the personally identifiable information (PII) of individuals. While much of the news regarding data breaches focuses on high profile public companies such as Sony, Target and Home Depot.  There is one sector in particular that may not get all the media attention, but sure gets their share of data breaches.  Higher Education was a big target of data breaches in 2014 with five high-profile universities getting hit with the loss or theft of information on nearly 900,000 people.  The breach at the University of Maryland compromised 287,580 records of faculty, staff, students and affiliated personnel.  A breach at North Dakota University compromised a similar amount of private records with 290,000 past and current students and 780 faculty and university staff.  Indiana University, Iowa State, and the University of Pittsburg Medical Center rounded out the top breaches.

The big question is could these breaches have been prevented?  Before answering that question, let’s take a look at 4 related questions related to the state of data breaches and Higher Ed.

• What was the real impact of the data breaches?  The number of lost records is staggering, but how do you measure impact?

The Ponemon Institute actually did a study last year “2014 Cost of a Data Breach” and found that the per capita cost of data breaches involving 1,000 to 100,000 records in higher education is $294.  Given the outrageous numbers with our top 5 universities, the Ponemon numbers are very conservative, but if we do the math, 900,000 x $294 = $264.6M.  Ouch!

• What was the source of the breaches

The source of the breach varies from university to university, but the common theme is that data was accidentally placed in a location (e.g. server that connects to the internet) that was not locked down and secure.  It was not always the case of stolen credentials or a well thought out hack.  Sometimes it was just users being users and doing what they do as part of their daily routine at a university campus.

• How do recent technology trends affect the opportunity for data breaches in the future?

Let’s face it.  Two IT mega trends, cloud and mobile, conspire together to make it simpler for data breaches to occur.  The use of cloud apps is exploding.  They are not only easy to download and use, they often help us be more productive.  I imagine this is the case for university students, staff, and personnel as well.  Combine cloud apps with the revolution we are seeing with mobile phones and you have a recipe for data breach disaster.  Uploading, downloading, and sharing data has never been easier.  Everyone is doing it and for security practitioners at university campuses around the globe, this increases the risk of sensitive and confidential data leakage.

• How do you reduce the risk of data loss for Higher Ed?

Now that I have painted a nasty picture, I don’t want to leave you hanging with no recourse.  There is plenty of information out there that provides solid tips and best practices for reducing the risk of a data breach.  Much of this is info is slanted towards “inside the network perimeter” where you want to ensure data is encrypted, perhaps employing DLP (Data Loss Prevention) technologies, implementing 2-factor authentication, and making sure systems are patched with the latest exploit fixes.  What about dealing with this new world of cloud apps as well as mobility?  I have 3 tips for you:

1. Deploy a cloud-based DLP solution that can scan cloud app activities in real-time as well as content that is already stored in cloud apps and look for DLP policy violations including PII, PHI, PCI, and more.
2. Enforce policies in real-time and in context, making sure that you take in account the who, what, why, and when.
3. Make sure mobile and remote users are part of your Cloud DLP strategy. Don’t be blind.

I would love to hear from you [email protected] if you have a question about DLP for Higher Education or Safe Cloud Enablement in general.