Higher education: You’re already a data breach target

Data breaches have hit all kinds of industries, from retail to financial services. For higher education institutions, the threat continues to rise.

Article by Daimon Geopfert (Principal), RSM US


You’ve heard the stories. Data breaches have hit all kinds of industries, from retail to financial services. They’ve got the access points, the rich client data, including credit card records and other customer information. It’s those other industries’ problem, right? Thank goodness higher education seems to be somewhat immune.

Wrong. It’s a huge problem for higher education, as well, and the threat continues to rise.


Just the facts

The sad fact is that more than 700 data breaches have been reported within higher education since 2005. The breaches at the Universities of Indiana and Maryland are two of the more well-known incidents, with thousands and thousands of records exposed. In fact, according to recent data, the average number of records exposed during a single breach is nearly 29,000. Factor in the average cost per record of $188, and privacy and security become a huge financial concern for all colleges and universities. Add reputational damage to the mix and a single breach could paralyze an institution for years.


A ripe target

Yet despite these alarming examples and figures, many higher education institutions have not made data security a strategic priority. Some of this might be because colleges are a stronghold of intrinsic openness and transparency. They are places of free ideas, communities where convention is challenged. Major data-clamping initiatives run somewhat counter to the culture of this free and inclusive environment. In addition, universities have complex structures, with multiple colleges and schools, along with a multitude of majors and related organizations. Each area can frequently have its own siloed structure operating under individual grants and leadership. This sometimes intricate and disjointed matrix can suffer from inconsistent communication and practices, an environment that is, unfortunately, ripe for data security issues. Cyberhackers know this and continue to capitalize on these structural inconsistencies via malware or spyware, two of the most prevalent ways they’re infiltrating colleges and universities today.


The best defense

So, how can universities address this mounting issue? It starts with acceptance that your organization will be or is likely already a security target. These days, offense is the best defense, and being aware and putting measures in place now can help lessen your damages when, not if, a breach occurs.

An initial strategy all organizations should consider is completing a data discovery of your entire university, including its various colleges and departments. What data is sensitive in these areas? Who has access to that data? Who are your third-party vendors, and what access level do they have? These are just a few questions to consider.

In addition, an incident response plan must be initiated and integrated throughout the organization. This plan should include an evaluation phase, with a comprehensive forensic investigation and legal review; crisis planning for the short and long term; and a review of long-term consequences, such as lawsuits, income losses and reputational damage.

A full risk assessment strategy should also be implemented, including a review of current business continuity and disaster recovery plans to ensure a data breach incident response plan is integrated within those plans. Periodic vulnerability scans should be conducted as well, along with mock incident response drills to test your plan and tweak it where needed.

Training of all essential college employees is also needed. This should include all levels, from vendors and service providers to leadership, faculty and staff, to ensure they are all mindful of your organization’s response plan and know their part in the overall strategy.

It’s a daunting problem, but getting on top of the issues now and making things more arduous for hackers can help contain debilitating damages later.



