Did you know that in 2017 the education industry (encapsulating K–12 and higher education institutions) had 7,837,781 records breached in 35 events? To put that into perspective, the healthcare industry had 6,058,989 records breached in 428 events, and the retail industry had 123,652,526 records breached across 33 events. (See Privacy Rights Clearinghouse Chronology of Data Breaches, 2017 data.)
More than half of the breaches in the education industry were caused by activities directly attributable to human error, including lost devices, physical loss, and unintended disclosure (see Figure 1 below). These breaches were arguably preventable through basic information security safeguards.
Figure 1. Types of security breaches among educational institutions
What can you do every day to protect data?
Very few verticals, if any, transmit, process, access, and share sensitive data elements as varied as those in higher education. There is no "one size fits all" blueprint for information security controls that institutions like NEOMED can follow. However, we all have a responsibility to be aware of information security protections to safeguard data and prevent data from being compromised, both inside and outside of NEOMED:
- Update your computing devices: Ensure updates to your operating system, web browser, and applications are being performed on all personal and University-owned devices. NEOMED facilitates regular updates to University computing devices, so if you are prompted to update your device, please do so as soon as possible.
- Enable multi-factor authentication: Whether for personal use or work, multi-factor authentication (“MFA”) can prevent unauthorized access even if your login credentials are stolen or lost. An ever-expanding list of mobile, desktop and browser-based applications offers a multi-factor authentication solution, and most can be enabled within the settings or configuration section of the application. NEOMED has implemented a multi-factor authentication solution to safeguard against unauthorized access to University accounts, namely email. For more information on NEOMED’s solution, please refer to the following NEOMED Knowledge Base article.
- Create unique passphrases: A passphrase is a sentence or series of words, numbers, or symbols used along with a username to log in to a given account. Passphrases balance the trade-off between memory and security and are generally more secure than passwords because they contain more characters. The problem with passwords is that people, by their nature, pick something easy to remember – which also makes these passwords easy for attackers to determine. By creating unique passphrases for each of your personal and University accounts, if one account is compromised, the same set of credentials would not be successful in providing access to other accounts you may hold. Stay tuned for more information about how NEOMED will be revising its authentication standards, including the use of passwords and passphrases.
- Protect your devices: Using biometrics or six-digit passcodes on smartphones and other computing devices is critical to keeping curious minds from accessing personal or financial information, University email, or other applications that may contain sensitive data. This also helps protect your device if it is lost, stolen or misplaced.
- Understand where, how, and to whom you are sending data: Many security incidents occur because people accidentally post sensitive information publicly or send such information to the wrong party. Taking care to know how you are transmitting or posting data is critical. For guidance on how to transmit sensitive University Data, please contact the NEOMED Information Technology (“IT”) department.
- Broaden your Information Security awareness: A wealth of resources can be found online, some of which are provided by federal agencies that help advocate for the use of information security best practices in our daily lives. In addition, NEOMED offers and strongly encourages training on multiple facets of information security, which can be found on NEOMED Success Center and is available to all employees. NEOMED’s training program will continue to evolve and expand over time, so please stay tuned for more information in the coming months.
Getting ready to send data to a vendor or sign a University contract?
With more and more services moving to the cloud, NEOMED must ensure that third parties and service providers are protecting University Data. If you or your department is looking to purchase or adopt a service or technology that uses University Data, it is imperative that you include the NEOMED IT department at the beginning of your assessment or project to help ensure that University Data and Systems are properly safeguarded. To determine whether IT should be involved in the purchasing/acquisition process, you may ask yourself the following questions:
- Does the project (and in-scope technologies) involve the handling or storage of University Data (e.g., student data, employee data, donor data, research data, or financial data)?
- Does the project (and in-scope technologies) involve the handling or storage of University Data that is regulated by government entities or has special contractual obligations to a third party (e.g., contract sponsored for research)?
- Is there transfer of any University Data from a University System to an external party or system?
- Does the project involve acquiring/implementing/developing software, services, or components that NEOMED has not previously deployed?
- Does the project involve providing data feeds to an external party or system?
- Does the project involve accepting card payments in any way?
If your answer to any of the above questions is "Yes," please contact IT at the beginning of your assessment or project to ensure that University Data and Systems are properly protected.
These are just some of the information security practices you can utilize to help protect yourself from account compromises and help safeguard both yourself and the University. If you would like to learn more about what NEOMED is doing regarding information security, you are encouraged to check out our information security policies on the NEOMED Policy Portal. If you have information security questions, concerns, or if you suspect that your University account, University Data and/or Systems have been compromised, contact Information Technology by calling the NEOMED Help Desk at 330.325.6911, or emailing us at help@neomed.edu or infosec@neomed.edu.
Thank you!
-Submitted by Jonathan Wagner