Organization-wide university data protection initiatives can be daunting. With interconnected departments and partnerships, extensive compliance requirements and a wealth of sensitive data, many schools don’t even know where to begin. The good news is, security isn’t an all-or-nothing game.
By identifying the biggest security challenges and taking an incremental approach, you can reduce risk and build a lasting culture of security, piece by piece.
Universities are complex organizations, often divided into multiple legal entities, each with its own legal requirements and security challenges. The university as a whole is governed by the Family Educational Rights and Privacy Act (FERPA). Under FERPA, schools that receive federal funding are obligated to protect education records such as grades, test scores, and health information they hold. Fail to protect this data, and students may file a complaint with the Family Policy Compliance Office (FPCO), potentially threatening federal funding.
The student health center (along with any other university-run healthcare or medical research center that qualifies as a HIPAA covered entity) is governed by HIPAA and HITECH. Protected Health Information (PHI) such as student diagnoses and appointment dates is subject to rigorous technical, procedural and administrative controls, which extend to business associates as well. Fail an audit or suffer a breach, and you could face expensive penalties and corrective action plans. Note that whether a given record falls under FERPA or HIPAA depends on who holds it and whether that unit is a covered entity, so map that boundary before choosing controls.
There are also multiple financial compliance regimes to worry about. Any part of the organization that accepts credit cards has to comply with PCI DSS, which imposes strict controls on how cardholder data is stored, handled, and transmitted. Encryption, in transit and at rest, is a must. In addition, certain parts of the organization, such as those handling financial aid and student loans, will be subject to CFPB compliance standards.
And that doesn’t even count campus police (CJIS Security Policy compliance), state and local standards, and various other compliance standards for manufacturing, human subjects research, and other activities. All in all, it’s very difficult to prioritize these security challenges and come up with a comprehensive secure data strategy.
One of the paradoxes of cyber security awareness is that knowledge doesn’t necessarily translate into action. Many universities are aware of the security challenges they face and the consequences of breaches, but put it off, because the problems seem insurmountable. Overhauling cyber security isn’t a quick or inexpensive process, and with all the challenges of running a university, schools can easily give in to inertia.
The tragedy of this is that most schools could easily make improvements to cyber security with an incremental approach. Low-investment changes, like adopting a secure email solution, let universities reduce risk almost instantly, with very minor changes and little training. Those basic changes are easy to scale as well. Just by adopting email encryption in a high-risk area such as health care, your university can start tackling the security challenges of the organization as a whole.
A major breach can result in costly fines, remediation plans, and lawsuits, but the PR consequences can be even worse. With a major breach, a school may have to endure months or even years of bad press: stories when the breach is discovered, more press about the investigation, the penalties, the remediation plan, and the ensuing lawsuits.
Universities are often tempted to sweep their security challenges under the rug, as if not talking about them will make them go away. In practice, this makes breaches more damaging to your reputation. If you can show that your university is doing everything it can to protect students, faculty and staff, the public will blame the attackers who caused the breach. If you’ve been ignoring serious security issues, however, they’ll blame you.
As universities become more like businesses, they face more of the security challenges that plague businesses. Organizations tend to ignore or underfund IT security initiatives because it has historically been hard to show concrete, measurable ROI. You never know if and when a malicious hacker or an insider will compromise your data, or how much damage they will cause, and no security initiative can make your organization 100% safe.
Fortunately, there’s a growing body of research showing the ROI of tackling your university’s security challenges. According to the 2016 Ponemon Cost of Data Breach Study, for example, the average breach costs $4 million, or $158 for every record breached. The study also shows that specific controls measurably lower that cost: appointing a Chief Information Security Officer (CISO) reduced the cost by an average of $7.00 per record breached, and extensive use of encryption reduced it by $13.00 per record.
CISOs and departmental IT security leaders need to become advocates for cyber security in their organizations. By working with partners who understand their security challenges and arming themselves with data on security ROI, they can lead their organizations to a safer future.
In a university, everyone has an opinion. As in any organization, management has its own take on things, which might not line up with IT security. They may choose secure email solutions that don’t meet the usability needs of end users, or, at the other extreme, pick user-friendly apps with security gaps they don’t understand. Different departments may also have different priorities, and push hard for their own choice of secure communication solution.
The problem is, it’s much harder to face your security challenges without a coherent organization-wide strategy — particularly for communication solutions like secure email and portals. Departments need to be able to communicate with each other securely, and with other stakeholders — such as students, parents, and contractors — which they can’t do if everyone has a different secure email tool.
Additionally, many security solutions aren’t convenient enough for day-to-day communication. If a financial services clerk has to contact a student, are they going to go through all the work of loading a portal, emailing the student a request to join, waiting for a response, and then sending the message? Probably not. They’re much more likely to send an unencrypted email, and the control is bypassed.
To face their security challenges, universities need communication solutions that are secure, easy, convenient, and able to reach all stakeholders, including those who are unwilling to install an application.
Virtru email encryption satisfies these requirements: it installs in minutes, works with the user’s existing email accounts, and encrypts with a click. Users can do everything they’d do with unencrypted email, including sending messages to multiple recipients and encrypting any type of file or document, just as they normally would. And because Virtru lets non-users receive and respond to encrypted email, low adoption is virtually a non-issue.
Colleges and universities are incredibly complex organizations, sharing sensitive data with huge networks of public and private partners. To tackle the security challenge of protecting all that data, universities need security tools that are powerful enough to meet strict compliance standards, but easy enough to empower their least tech-savvy users.
Contact us to learn what Virtru can do for you.
As Virtru's SVP of Strategy and Field CPO, Rob advocates safeguarding data across emerging applications and sharing workflows. With deep expertise as a healthcare CIO and security consultant, he helps organizations mitigate technical and human risk. Rob has a Computer Science degree and is a lifelong technology and security student.