Cybersecurity is key for colleges to consider, as they collect mountains of student data on campus, and before students even arrive. How can a school maintain a strong defensive posture to protect this data?
Campus Cybersecurity and Data Collection
College students have varying opinions on cybersecurity and the potential concerns of college data collection. They often wonder about schools selling their data, or sharing information with third parties. Colleges and universities gather information including demographic data, financial and economic details, extra-curricular involvement, educational support needs, and certain medical information. While that information may be helpful for school operation, it is also considered Personally Identifiable Information (PII). Since PII could be used to single out an individual and cause damage (financial, physical, or otherwise), educational institutions need to be vigilant and maintain a high level of protection. This protection must extend to cover the data while it is gathered, transported, stored, and destroyed.
Legislation in individual countries will determine what qualifies as PII, and how it must be protected. For example, in the United States of America, schools should consider FERPA, COPPA, and CIPA, as well as any state legislation. In the European Union, a good starting place is understanding GDPR.
Privacy and Protection for PII
When schools create a security structure for the information that they collect, it is important that this process takes into account Data Protection and Data Privacy. While they do go hand in hand, protection and privacy are two different concepts. The concept of privacy determines what needs to be protected, while protection refers to the tools and processes that secure the private data.
Respecting a student’s Right to Privacy (according to one definition outlined by the European Union’s GDPR) means understanding that data such as birthday, financial information, and Social Security Number is privileged information. That information should be treated like gold, and guarded accordingly. Following protection best practices means integrating models of Least Privilege, enforcing a robust Mobile Device Management plan, and implementing an effective Endpoint Protection solution across the educational institution.
To Ensure PII Protection:
- Verify that you have enforceable Mobile Device Management and Incident Response plans. See examples of MDM Policies.
- Encrypt all sensitive data, at rest and in transit. DriveStrike will help you manage your BitLocker Encryption.
- In your data privacy policy, outline what data you will be collecting, how it will be stored, and how and when it will be destroyed.
- Have a strong password policy, including character and length requirements.
- Create clear policies for employees and staff. Consider what Mobile Device Management policy will work best for your organization, and require Virtual Private Networks (VPNs) when accessing the network off campus.
- Implement Multi-Factor Authentication on student and staff accounts.
- Provide encrypted Wi-Fi to students and staff.
- Network Endpoints must be protected, as they serve as the mode of access to your students’ PII. Ensure there is protection for all the mobile devices that have access to data. Endpoint Protection software like DriveStrike will Remote Locate devices anywhere in the world. Such software is also capable of Remote Locking missing laptops and cell phones, and Remote Wiping the hardware to destroy all information on the machine.
- Train your employees, students, and staff to understand cybersecurity concepts like phishing and password hygiene.
- Regularly create backups, and keep them separate from other networks.
Conclusion
Your students have come to school to learn, and they are trusting you not only with their education, but with their private data. Value their trust by protecting their future. Spend time crafting policies for their protection, and investing in software and hardware for their security.