In this episode of Hash It Out, Virtru's Tony Rosales sits down with Brian Bolt, VP and Deputy CIO, and Brandon Bowlin, CISO, from Boise State University, to discuss the rising threat of financial aid fraud targeting college students. They explore how cybercriminals are exploiting vulnerabilities in the student application process, leading to significant financial losses.
The conversation underscores the importance of advanced identity verification and secure data transfer, with insights into how Boise State is proactively protecting their students and their sensitive information.
Transcript
[ROSALES] Perfect. Alright. Good afternoon, gentlemen. Thank you for taking the time out of your busy schedule to join me today.
[BOWLIN] Yeah. Hi, Tony. You bet.
[ROSALES] So, my name is Tony Rosales. I am a solutions engineer here at Virtru.
Today being joined by Brian Bolt, the VP and deputy CIO over at Boise State University, as well as Brandon Bowlin, the Chief Information Security Officer, also at Boise State University. Thanks again, guys. Appreciate your time.
[BOLT] Thanks for having me.
[ROSALES] Awesome. Awesome. So, I just wanna kinda jump into what we're gonna talk about today. I found it really interesting when we were talking offline about kind of the types of attacks that have evolved, especially when it's something as benevolent as actually trying to help students get into school and do a, you know, kinda your level best in making sure everyone has that ability to access to have access to the financial aid and things like that.
Can you tell me a little bit about what we were discussing?
[BOWLIN] Sure. So as I'm sure any parents with college age children know that schools can be extremely expensive. And as a part of that the vast majority of students use some sort of financial aid which means millions and millions of dollars be potentially used for tuition and various fees every year, every semester. So something we've seen every spat of is that depending upon the institution, it's very easy to apply to a university, to a college, and then apply for financial aid.
[BOWLIN] So, a lot of those steps, go home again, in terms of college applying for financial aid. So what we found is a lot of fraud, when this happens, because there aren't a lot of checks and balances necessarily. The student can apply. So what we found is that we had a lot of non-students obtaining the personally identifiable information for these 18 year olds. Social Security numbers are kind of all the things that you would need to effectively steal their information. So we have a lot of them. They applied for school. They applied for financial aid, and then depending upon how it works out, depending upon some of the FAFSA, you actually get a refund, if the amount of financial aid exceeds the cost of that tuition. So we found a big instance of this occurring where these bad actors were applying for financial aid.
It cut the difference, and they ended up actually getting those checks in the mail.
[ROSALES] Wow. I did not know that. Interesting.
[BOWLIN] So, we've been kind of trying to tackle this problem of how do we identify this, how do we combat it because this is huge losses, for both the university and the federal government in this instance. And then for those students who now are straddled with a 20, 30, $40,000 limit depending upon what that tuition is. So, we've been trying to figure out ways to combat this, and a lot of times it ends up being interstate actors. The FBI has been involved. It's been quite interesting to (Wow.) try to figure this out. So, we've been utilizing a lot of different tools in our tool belt to try and combat this, Virtru being just one piece of that.
[ROSALES] Sure. So, tell me a little bit just because I mean, this is what I've heard of it.
You know, obviously, we've talked about it before. But, as a parent of a college going student, it was kinda shocking to me that filling the FAFSA every year is just kinda something that's now par for the course.
Right? You're just doing it. You don't really think about it.
It was really interesting to me that this was kinda one of those things that developed into something this big. As you said, the FBI is now involved because it is at the federal level.
What are some of the tools you tried to use? Obviously, you said Virtru, but tell me a little bit about the kind of alternate solutions that you tried, you know, before that.
[BOWLIN] So, depending upon, kind of acceptance procedures for the various universities, depending upon, kinda what documentation is needed, it can involve several different layers. So needy in Idaho, in particular, is really trying to incentivize getting students to join universities.
So a lot of times accounts are created in the university system even before the student ever officially becomes a student. So there's already an account there. So one of the things we've done as part of this multilayered approach, some of the things we're currently implementing, doing additional identity verification, through using other third party tools, to validate that, hey. This is a third party system. You have to validate using your ID and other physical components as well as knowledge based aspects. So it's a little bit harder to steal if you don't have someone's identity. So doing the identity validation and then using additional document transfer procedures rather than emailing across documents. So you think in terms of college applications, you're identifying you've got transcripts, you've got essays, all kinds of other stuff, some of it which can be personally identifiable. So being able to better secure that information as well also then plays into the larger schema trying to tackle both the data aspect and the identity piece. Yeah. And making it, it's a little bit more cumbersome for the applicants. Yeah.
But it goes a long way to prevent some of that fraud. Granted the bad guys are always coming up with new ways, but we're trying to stay ahead of it as much as we can.
[ROSALES] Yeah. No. It's interesting because as that evolving threat, you know, is really ever present, you guys, you know, kinda looking at it and applying the, you know, the zero trust methodology to things, making sure that we're validating, but, you know, in and out, we're never trusting, you know, people just doing what they're saying they're gonna do. And there's less and less of the ability to kinda jump in and just steal information because you're starting to treat this information as if it was, you know, higher level as it is. Right? These are people's personal lives. This is not just, you know, applying to school, which obviously is important, but this is actual, you know, information that pertains to an individual.
So I really like that approach and kind of meeting that evolving threat with an evolving, cybersecurity standpoint. So that's awesome. Tell me a little bit more about, if you don't mind, the identity verification, and security data transfer stuff that you were kinda hinting at. What specifically are you seeing as the kind of things that are successful? What, you kinda hit on a major point for me at least, which is ease of use. That is one of those things where if it's not easy for the customers, in your case, your potential students to use it, it's never gonna get used. Right? It's one thing to mandate your employees and teachers and faculty members to use something, because you can, but it's really hard to make that recipient be able to respond in kind.
[BOWLIN] So it's a little bit multifaceted. I would say one thing, we tried to really address it from the aspect of the cultural kind of component. Mhmm. People want to be secure, but there's also this mentality of making things overly difficult. Like, if I had my way, everybody would bring in the piece of paper directly to the admissions office or HR or whatever the case is and show their IDs. But, in the war in the digital world, that's just not necessarily feasible to do, especially for students who may not even live in the country, when they're applying to go to school.
[ROSALES] Very good point. Absolutely.
[BOWLIN] So, part of some of the identity aspects so it's working with a I don't know if I wanna say their name, but another 3rd party provider who works with various governmental agencies like the DMV. They work with the IRS. They have interactions such that it doesn't ever require a student or faculty member, anyone providing their driver's license, their passport information, or their Social Security number directly to us. This is being used by a third party service, which takes us out of the mix a bit because now we're using a service that is known for being able to provide these mechanisms. That is a bit of a trusted partner by various government agencies. And then they just feed us the information such that, yeah, we know this was this person.
We validated it in these 5 different ways. On the document side of that, even something, most students are probably not gonna think that their transcripts are necessarily that sensitive. But in the larger scheme of things, a transcript getting out into the public being leaked could be detrimental to that person's future (Absolutely.) future applications. So what we are trying to do is implement various ways such that, even though we're in the digital world and there's all these portals and various ways to do things, email is still king. Of course. And especially in a lot of instances going back and forth, we wanna provide mechanisms to get documents, screenshots, transcripts from one place to another securely. So it's getting both sides of it, being able to do that person, be an identity, wrapping the applications, kind of that zero trust aspect that you kind of spoke of. So what we're seeing is that even though it ties into a few other facets with research, the academic side, admissions, Virtru has really kind of taken off for the school because it's easy to use. It doesn't require some massive kind of configuration, and doesn't require a whole lot of knowledge. It's effectively, I know it's not this simple, but you check the box, send it where you need to. You can send documents, you can send the email, and both are actually secured in that fashion. So, we're working on really kind of promoting these ways of making things easy. They're less intrusive. They're not cumbersome so that people are more likely to actually adopt it because security can be the death of any project, any toolset if (Yeah.) that security trumps the efficiency and productivity aspect of it.
[ROSALES] Exactly. Exactly. Kind of what I was thinking when I initially asked the question. That is what we see time and time again. If it's not easy to use, people aren't gonna use it. Plain and simple. What I really liked and kind of the bits and pieces I heard from what you were saying is, ultimately, we are no longer thinking of it in terms of, okay, we have to make this easy for someone to use, and I know it's complex. So we've got to dumb it down to the point where information is gonna be protected. Rather, we are now thinking about it just like we're thinking about the identification piece and validation piece of zero trust. We're thinking of data centricity.
Right? We're actually thinking of protecting the information we're sending and making sure that that information is protected from the inside out. And that's ultimately what is happening, without you having to necessarily create an entire workflow for it. Right? It's, as you said, it's as easy as clicking a button. Now all of those things exist without you having to necessarily design any of that. Can you tell me a little bit more about how the adoption of something like end to end encryption, and advanced security has kind of transformed the way Boise State is starting to do things in terms of, just the way they're approaching data security in general.
[BOWLIN] Sure. You wanna hit on that one a little bit, Brian?
Kind of the adoption aspect.
[BOLT] Yeah. Sure. So when we were looking at this about a year and a half ago, we recognized that there is a need that was unfulfilled from a central perspective. We have lots of colleges on campus that can operate somewhat independently and that, also, is reflected in software purchases. So when it comes to what a tool, what an individual on campus might think would be a valid tool for sending data securely, (Sure.) that they might vet the tool themselves, but it's not centrally vetted all the time. We do our best to route all software requests through a centralized intake process. But, things get purchased and that often is an indication that we don't have a central tool available that is adaptable. And so that's really where we were. We were in a highly decentralized environment when it came to file sharing and secure email.
So when we were looking at what would check the box for ease of use and security, Virtru is the logical choice because it fits right into the Google, for workspaces ecosystem. Now Google also has their own tool for a secure email. It's something that can be enabled in the admin panel.
But, when we advertise that as an option, there wasn't a lot of uptake. And, we were left speculating as to why that was because Virtru has the secure email portion, but it also has secure file uploads. One of the things I think we've recognized is that, over time, we've often told people that email is an insecure form of communication. So don't rely on email for secure files or secure transmissions. And people seem to have gravitated to the, well, if I need to share a file with an external entity, yes, I could use Google confidential mode. There are some hurdles to that, but the secure file transfer, I think, has been a large reason for the uptake in our different areas, for Virtru on campus. That and an internal campaign by OIT to say that this is, you know, the, endorsed and recommended tool by the university, and, we're covering the cost of that because we believe in the fact that this is the right tool for secure transmission of files. So those combinations of factors, I think, have led to a higher adoption that we thought was that we saw with Google confidential mode.
[ROSALES] Yeah. And, you know, it's kinda funny putting on my Google hat here that does seem counterintuitive. Right? This is a Google product that is part of Google that is right there for you to use. And I am curious about the kind of the day to day operations and a little bit about the limitations that kinda manifested themselves when using that tool as opposed to, you know, something like Virtru, which is a third party piece of software.
[BOLT] So I think Virtru also was capable of a feature that people thought that they might need but may never actually use, and that was the ability to download a file. So we heard that from constituents about if something is going to be shared, their instinct is to archive it perpetually. And that's another campaign that we're trying to help reshape in our culture, which is not everything needs to be kept for long durations of time. So, that was one of the reasons where, you know, Google confidential mode when people were looking at the list of features between confidential mode and Virtru, well, they liked the Virtru option because it had all the features that they could possibly use.
[ROSALES] Right. Right. It fits into that culture. Yeah. That actually makes a lot of sense.
[BOWLIN] And I think it kinda helps that it's more of a consolidated solution. It can do multiple things instead of just this one kinda form different purpose. So it kinda helps with adoption because, hey. It can do this and this and this, and I don't have to use 3 different tools to be able to do these one set of activities.
[ROSALES] You know, that actually makes perfect sense. Right? Because what you're doing is you're creating that kind of subconscious thought of if I have something that needs to be secure, I know what tool to use. I don't necessarily have to think, okay, in this workflow, it has to be like this or in this workflow or given these constraints, it has to be different. So that actually, that actually resonates with me. I really like that, you know, being able to just kind of associate that in the back of your mind somewhere. That's awesome.
[ROSALES] Great. Well, let's you know, it's kind of a final, you know, where we wanna leave this off. Let's talk a little bit about the future of cybersecurity as it pertains to Boise State. Obviously, you guys have taken a lot of time in looking at these evolved threats that have kinda come your way, these potential, you know, exploits of things that you might potentially be trying to do to make things easier and more simple for people trying to enter the university in, you know, in the case we were talking about earlier. But what I'd like to know is, has this opened your mind to kind of something outside of the box or really the way of kind of moving forward with different cybersecurity challenges with all of the things that you have learned thus far?
[BOWLIN] I think it has. So, so with me personally, I don't come from a higher education background. I come from a more corporate environment, that, depending upon circumstances, a lot of corporations are able to throw millions of dollars at best in class solutions. Maybe they're using a centralized provider or maybe they go with, you know, whatever the Gartner says is the top tool in any particular area. Right. One of the things that's really kind of jumped out at me since I've moved into higher education is that it's not like an industry specific type of approach. You're dealing with medical data, with research data, government data, FERPA data.
[ROSALES] Very good point.
[BOWLIN] Everything under the sun. Working at a university is kind of like working in a city government. I've heard that analogy. You've got a little bit of everything. So at least for me it's taking a little bit of a mindset is how do I adapt to these different types of industries effectively and consolidate them together. And it's something that I've kind of seen and something like Virtru has jumped out is that, hey, we got to look at an email solution, a document storage solution, a DLP solution, an encryption solution is that instead of trying to focus on all of these different components, all of which come with their own cost, their own management, their own upkeep, their own knowledge sets, as much as we can kind of find these various tool sets that can accomplish multiple things in kind of one bucket, I think that goes a long way to actually helping us consolidate various tool sets, which helps my team in particular have less of a footprint and makes management and monitoring much, much easier. So, I would say, if nothing else, this is kind of one step that I would love to repeat in kind of other facets rather than having, you know, 30 different tools.
Maybe I can get it down to 10, using various tool sets to cover the entire landscape.
[ROSALES] Absolutely. Yeah. Brian, anything to add there?
[BOLT] No. Just to build on what Brandon was saying, we're taking our successes as we get them and continuing to apply what we've learned to the next one, the next project.
[ROSALES] Awesome. Awesome. Well, honestly, guys, that really sounds like the proper mindset to me at least. It's gotta be one of those things where we know what we're doing well.
We know what we're, what kinda worked, and now how we iterate. Right?
So that's really huge. Thank you very much for your time. I really appreciate it. I know you guys are busy, and so I do thank you for being able to kinda take some time to discuss a few of these topics with me. And, have a great rest of your day. Thank you.
[BOWLIN] Thank you very much for having us.