While researching data breach incidents within universities and places of higher education, I stumbled upon the Privacy Rights Clearinghouse, an organization dedicated to consumer privacy and “raising awareness of how technology affects personal privacy”. According to the Privacy Rights Clearinghouse (www.privacyrights.org/data-breach/new), over 3,500 data breaches have been made public in US universities and educational institutions alone since 2005, equating to over 600,000,000 compromised records.
But why universities? Are hackers and data thieves targeting the science department’s proprietary research? Well, maybe sometimes, but in almost all instances they’re stealing the same type of data: student and faculty Social Security Numbers, birth dates, addresses, bank account numbers, and other personally identifiable information (PII). The theft costs the universities, their staff, their students, and even their students’ families monetary loss, emotional stress, and daily disruptions.
The good news is that there are solutions like enterprise Data Loss Prevention (DLP) products designed to help mitigate these types of events. That said, the vast majority of the currently available products designed to thwart attacks on sensitive data are incredibly expensive and difficult to implement and maintain, and as a result they are rarely found inside the walls of our educational institutions.
The cost-prohibitive nature of enterprise-class DLP solutions, coupled with the historically limited IT budgets and high administrative turnover found in educational institutions, has made places of higher education a target for easy access to some of the most sensitive data that exists within any organization.
So What Can Educational Institutions Do To Protect Themselves Against Data Breach Without Breaking The Bank?
Our contention is that many of the data breach events that have occurred in recent times could have been prevented through simple, proactive identification of where data exists, who has access to data, and what type of data exists within the file systems of networked computers – workstations, laptops, and servers – otherwise known as “data-at-rest”. Had the universities that have been victim to data breach events known that sensitive, private student and faculty data existed and was unprotected, it’s a pretty safe assumption to say they wouldn’t have allowed it to remain in such a state. The fact of the matter is that they simply don’t know what they don’t know.
A less costly and more pragmatic approach for universities (or any organization with limited funds and resources to prevent data breach events) is to proactively identify where their risk is, consolidate their sensitive data, and lock it down tightly.
A great place to start is to locate file shares that are open to large audiences. These data repositories are notoriously difficult to control due to the number of people performing file transactions, the lack of assigned ownership and governance over the data that exists there, and the complicated weave of access rights that are just as difficult to understand as they are to assign.
After the areas of highest risk are identified, point-and-shoot Sensitive Data Discovery solutions can begin to search for Social Security Numbers, Credit Cards, Bank Accounts, Health Records, and other sensitive and proprietary pieces of data that are buried deep within the files themselves.
As a last step, all documents containing sensitive data can be reviewed, consolidated, and locked down, limiting both the number of people who have access to the most sensitive information and the number who know where that data lives.
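To make the discovery step concrete, here is a minimal data-at-rest sweep, added as an illustration and not taken from any product mentioned here. It assumes a POSIX file system, where the "other"-readable permission bit stands in for "open to a large audience" (on Windows shares the equivalent check is against the share and NTFS ACLs), and the function names are hypothetical.

```python
import os
import re
import stat

# SSN in ddd-dd-dddd form; area 000/666/9xx, group 00 and serial 0000 are never issued
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card: 13-16 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to discard digit runs that cannot be card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> dict:
    """Count SSN-shaped strings and Luhn-valid card numbers in a block of text."""
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(m)]
    return {"ssn": len(SSN_RE.findall(text)), "card": len(cards)}

def scan_tree(root: str, max_bytes: int = 1_000_000) -> list:
    """Walk root and report files holding matches, flagging 'other'-readable ones."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
                with open(path, "r", errors="ignore") as fh:
                    hits = find_sensitive(fh.read(max_bytes))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits["ssn"] or hits["card"]:
                findings.append({"path": path, "open_to_all": bool(mode & stat.S_IROTH), **hits})
    # Files readable by everyone sort first: they are the ones to lock down first
    return sorted(findings, key=lambda f: (not f["open_to_all"], f["path"]))

if __name__ == "__main__":
    # Constructed sample text; 4111 1111 1111 1111 is the well-known Visa test number
    print(find_sensitive("SSN 123-45-6789, card 4111 1111 1111 1111, ref 1234 5678 9012 3456"))
```

The Luhn check is what keeps arbitrary 16-digit reference numbers out of the report; pattern matching alone produces too many false positives to review by hand.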
Endpoint and Data-in-Motion DLP solutions are no doubt valuable assets for organizations that can afford them, but the true “blocking and tackling” of data loss prevention is knowing where sensitive data is and who has access to it, especially for the data that already exists within the environment.