Registrars need outside help in protecting student data from cyberthreats, report says

Higher education registrars and enrollment managers should work more closely with IT managers and financial aid offices to ensure that student data is well protected from breaches, according to recommendations released in a white paper this week by EDUCAUSE and other groups.

The cybersecurity report — intended to improve the dialogue between the keepers of student data and the teams that protect university networks — comes as educational institutions mark national Cybersecurity Awareness Month. Joining EDUCAUSE on the white paper are the nonprofit National Student Clearinghouse , in partnership with the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) .

“It is imperative that both the registrar’s office and enrollment management office are
in lockstep with the IT department with respect to the institution’s cybersecurity efforts,” the report says. They also should have a “strong working relationship” with financial aid administrators on campus to ensure that student data is held in compliance with federal rules, the report says.

Higher education institutions are prime targets for hackers, and they were victimized by ransomware outbreaks such as WannaCry last summer. The report cites investigations from cybersecurity company FireEye , Verizon and Deloitte that label universities as particularly vulnerable because of the sensitive student information these institutions keep and the culture of open access they frequently adopt.

“The most important cost to keep in mind is the
long-term cost that students face after they have
had their personal information stolen. Students
trust their institutions to be diligent stewards of
their data,” the report says. “Once the organization has been
breached, however, there is no real way to make
amends.”

Administrators should meet with their CIO and CISO regularly to develop incident response plans, according to the report, as well as inventory the places and organizations that store sensitive student data — Social Security numbers, birth dates, financial information, and contact information.

The 11-page report touches on a number of common-sense observations and practices, such as monitoring endpoints well, patching software regularly, creating an incident response plan, and implementing multi-factor authentication.

The report says that the relationships that enrollment managers develop with vendors and third-party service providers, like transcript ordering services, can’t be overlooked — they have a direct impact on student data security.

“If registrars and enrollment managers do not know [where their data is being held], it’s time to find out,” the National Student Clearinghouse said in a statement. “The most important cost to keep in mind is the long-term cost that students face after they have had their personal information stolen, which can translate into lifelong negative effects if their data is used.”

The report also illuminates the simplicity behind most cyberthreats, citing a 2016 Cofense report statistic that 91 percent of cyberattacks began with a phishing email.

The threat surface for universities extends to third parties as well, the report says, and administrators should ensure they understand not just their own security practices, but those of their contractors, as well.