Cybersecurity Compliance in the Higher Education Sector: Are You Protected?


By Renee Ford, Vice President, DJA Financial Aid Services Inc.

Have you ever opened your email to find out you have a package you weren’t expecting? Or learned that you have come into some money you weren’t aware of? When this happens it almost always seems too good to be true, and the reality is that it is a falsehood designed to get you to respond with action. That action may be clicking a link to confirm your package delivery or providing your bank account information so the prize money can be transferred. By taking this action, you are opening yourself up to what is called a phishing scheme and are likely being targeted by a hacker who wants to steal your personal and financial information. While this is of great concern from a personal standpoint, it poses a greater risk when the person opening the email operates on an educational institution’s platform and has access to hundreds of students’ and employees’ personal and financial records! These phishing attacks are only part of the risks higher education institutions face in a sector that operates largely in a cyber world.

As a result, cybersecurity compliance in the higher education sector is becoming a prominent concern, because the data institutions are tasked to secure is at substantial risk.

Recently, Federal Student Aid (FSA) issued an Electronic Announcement declaring a technology security alert on an active ransomware campaign targeting educational institutions. Educational institutions are specifically targeted because most are lacking in their security policies; this, along with an educational environment rich in personal and financial information, makes such settings a perfect target for security breaches and the phishing schemes mentioned above.

As FSA partners, institutions are legally obligated to implement strong security policies, controls and monitoring, as these are critical to protecting personally identifiable information (PII) and ensuring the confidentiality, security and integrity of Title IV financial aid information. The Gramm-Leach-Bliley Act (GLBA), signed in November of 1999, applies to financial institutions and to those that receive information about the customers of financial institutions. The GLBA is enforced by the Federal Trade Commission (FTC), which recognizes schools as financial institutions subject to the standards set forth in the GLBA. These safeguards require schools to secure customer data and create a written information security program. Institutions also agree to comply with the GLBA in their Program Participation Agreement (PPA) with the Department of Education and through the Student Aid Internet Gateway (SAIG) Enrollment Agreement.

To adhere to the GLBA standards, institutions must develop an Information Technology and Cyber Security Program. Last year the Department went so far as to update the 2016 Audit Guide to include this standard, along with the following objectives that must be present in a successful security program:

  • Ensure the security and confidentiality of student and employee records;
  • Protect against any anticipated threats or hazards to the security of such records; and
  • Protect against unauthorized access to or use of student and employee information that could result in substantial harm or inconvenience to any customer.

Understanding these legal obligations and objectives is the first step in breaking down how to satisfy the requirements they outline.

To ensure the security and confidentiality of the data and records institutions maintain, it is crucial to know which information is considered PII. PII refers to data that can be used to distinguish an individual’s identity, either alone or combined with other information that is linked to a specific individual. PII can further be categorized as sensitive PII, which requires more protection because its improper release could result in harm, embarrassment, inconvenience or unfair judgment towards the individual whose name or identity is linked to the information. Broadly, PII includes, but is not limited to, an individual’s Social Security Number, bank account number, driver’s license number and Alien Registration Number. Sensitive PII includes, to name a few, account passwords, the last four digits of the SSN, date of birth, mother’s maiden name, citizenship status and medical information.

In order to safeguard PII, institutional personnel must work to minimize the amount of data that is collected.

It is advised to request and keep only the PII the institution is authorized to collect, and to limit the number of paper copies that are made and kept.

All PII should also be stored appropriately, whether in paper or digital form, in an access-controlled environment. It is imperative to review documents prior to sharing to ensure that 1) PII has been encrypted if it is shared outside the school’s network; 2) the data is shared only with authorized personnel; and 3) any student record used for internal training has been cleaned of PII, with fictional data substituted.
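The third review step above, cleaning a student record of PII before it is used for training, is easy to skip when done by hand. The following is an added example (not code from the article or from DJA) that swaps the sensitive values the article lists for obviously fictional substitutes and then acts as a pre-share gate; the patterns and the sample record are constructed for illustration and are not an exhaustive PII detector.

```python
import re

# Constructed substitutes chosen so that no rule below matches them again:
# a cleaned record therefore also passes the pre-share check.
PII_RULES = [  # (kind, pattern with the sensitive value in group 1, substitute)
    ("ssn", re.compile(r"\b(\d{3}-\d{2}-\d{4})\b"), "XXX-XX-XXXX"),
    ("ssn_last4", re.compile(r"(?i)last\s*4\s*:?\s*(\d{4})\b"), "XXXX"),
    ("dob", re.compile(r"(?i)\b(?:dob|date of birth)\s*:?\s*(\d{1,2}/\d{1,2}/\d{4})\b"),
     "XX/XX/XXXX"),
    ("account", re.compile(r"(?i)\baccount\s*(?:number|no\.?|#)?\s*:?\s*(\d{8,17})\b"),
     "XXXXXXXX"),
    ("maiden", re.compile(r"(?i)maiden name\s*:?\s*([A-Za-z]+)"), "[fictional]"),
]


def redact_pii(text):
    """Replace each sensitive value with its substitute; return (clean, counts)."""
    counts = {}
    for kind, pattern, fake in PII_RULES:
        def repl(m, kind=kind, fake=fake):
            counts[kind] = counts.get(kind, 0) + 1
            # keep the label (e.g. "DOB: "), swap only the captured value
            start, end = m.start(1) - m.start(), m.end(1) - m.start()
            return m.group(0)[:start] + fake + m.group(0)[end:]
        text = pattern.sub(repl, text)
    return text, counts


def contains_pii(text):
    """Pre-share gate: True if any sensitive value is still present."""
    return any(pattern.search(text) for _, pattern, _ in PII_RULES)


# Constructed student record (fictional person and numbers), as it might be
# pulled from the aid system for an internal training session.
SAMPLE_RECORD = (
    "Student: Jane Doe, DOB: 03/14/2001, SSN: 123-45-6789\n"
    "Mother's maiden name: Smith\n"
    "Refund account: 123456789012, SSN last 4: 6789\n"
)

if __name__ == "__main__":
    clean, counts = redact_pii(SAMPLE_RECORD)
    print(clean, counts, "still contains PII:", contains_pii(clean))
```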

Safeguarding PII is one component required of the Information Security Program the Department has tasked institutions to create to meet the standards of the GLBA. The next is protecting against the cybersecurity risks that threaten the PII institutions collect and retain. In discussing who at an institution is responsible for taking ownership of cybersecurity risk, the reality is that it is truly everyone, from the school administration, financial aid office and teachers to both the students and parents. Insider threats can be just as dangerous to the school as the external threat of experienced hackers. Insider threats are classified as either non-malicious or malicious actions. Non-malicious actions include negligence, as well as the ordinary errors personnel make in the course of their everyday roles and duties. These actions can be minimized by increasing internal training on employee responsibilities and limiting access to PII to the level each role requires.

A more complicated beast is malicious behavior: the intentional decision to misuse access in a way that negatively affects the confidentiality and integrity of the institution’s PII records, as well as the Department’s information and programs. Common warning signs of malicious intent by an insider include working at odd hours or on weekends, when illicit activity could be conducted unobserved or without authorization, and taking sensitive information home on paper documents, thumb drives or computer disks. Additional red flags to monitor are employees who disregard organizational policies on installing personal software or hardware, access restricted websites, conduct unauthorized searches, or download or email out confidential records. Educating management and fellow team members about these patterns of illicit behavior can help keep a malicious threat from turning into actual harm.

As mentioned, human behavior already poses a risk from an insider standpoint; however, human weakness poses an even greater threat, as individuals rarely realize they have opened the institution up to an outside attack.

Social engineering, the term for manipulating a person into divulging sensitive information, is a common practice of hackers, since technical controls may not catch it: it exploits human weakness instead of technical weakness. Phishing, a common social engineering practice, is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by posing as an authentic source through electronic communication.

As mentioned in the opening paragraph, these phishing schemes are often sent via email or instant messaging, and sometimes even by telephone. Communications often direct the recipient to click on a link, and upon reaching the new website they are asked to enter personal information into what looks and feels like a legitimate site. The top five phishing attacks to look for are:

  • Smishing – targets the user through SMS text messages;
  • Spy-phishing – phishing using key loggers (a program that records every keystroke a computer user makes);
  • Vishing – phishing using phone calls; this tactic is often aimed at the elderly;
  • Pharming – a tactic that redirects users to fake websites; and
  • Watering hole attacks – phishing using websites the targets commonly use. This method applies largely to the higher education sector, as students, administrators and academic staff regularly use a shared website platform to exchange knowledge and maintain data.

In addition to breaking down the way a phishing attack is carried out, phishing can also be categorized by whom the hacker targets. Spear phishing describes communications sent to an individual or a smaller, more select group within an organization. As with all phishing schemes, the message appears to come from a reliable contact or a known individual, and it may be personalized using information gathered from social media or the Internet. The goal of these attacks is to obtain specific information or infect the target’s computer with malware. Another variation, known as whaling or harpoon phishing, is sent to senior or high-level officials. These communications are often disguised as a significant business concern, and the goal is to gain access to highly official information and agency systems.

Being aware of the variety of phishing approaches and targets helps in recognizing how to avoid falling for such a ruse. It is critical to slow down and analyze each email message for the indicators mentioned above prior to responding or opening an included link. While time always seems to be of the essence, it is easy to skim quickly through emails and reply half-heartedly; this is exactly what hackers are hoping will happen. Make sure you know the sender and that the sender’s email address matches the name attached to it. For example, an email from the school president may display their name, but the attached email address differs from the address routinely associated with their account. If the communication differs from emails received from that sender in the past, or demands immediate attention, it should raise a red flag and warrant a second look. Phishing messages often contain poor grammar, misspellings and punctuation errors, and may include a link or an attachment that is unexpected from that sender.

The third objective of the GLBA is to protect against unauthorized access to or use of student and employee information that could result in substantial harm or inconvenience to any customer. This objective is best achieved by creating a cybersecurity hygiene routine consisting of internal training, effective anti-virus programs and strong password protections. Institutions need to establish a training program educating their team members on both the phishing tactics and the targets outlined above.

A comprehensive training program will arm all company personnel with the skills needed to avoid falling victim to phishing schemes.

Training should instruct all users to refrain from opening attachments or clicking on links received in unsolicited email messages. If a communication asks you to click a link routing outside the network or to submit personal information, always double-check the sender’s name, the email address and the included hyperlink. Remember that a sender’s name, email address or hyperlink can be spoofed to look like anyone’s, including internal personnel. Make it company policy not to disclose information about the school, or personal and financial information, through email, regardless of the sender. Additionally, to reduce the risk profile, institutions should use anti-virus and malware scanning programs on email attachments to protect against outside spam. Using remote data backups allows data to be stored off site and off the network, should a phishing attack take down the current system.
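The checks the last two sections ask each user to make by eye (does the display name match the address usually tied to it, does the message press for immediate action, does a link’s visible address match where it really points, is there an unexpected attachment) can also run automatically on incoming mail. This is an added example, not code from the article or from DJA; it assumes the school keeps a directory of known senders (KNOWN_SENDERS here is a constructed stand-in), and the sample message is constructed for illustration using reserved example domains.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a school directory: the address each display name usually comes from.
KNOWN_SENDERS = {"dr. pat rivera": "president@example.edu"}
URGENCY = ("immediately", "urgent", "within 24 hours", "will be suspended")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def _host(url):
    return urlparse(url.strip()).netloc.lower()  # '' when the text is not a URL

def phishing_indicators(raw):
    """Return the red flags from the article that appear in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    expected = KNOWN_SENDERS.get(name.lower())
    if expected and expected != addr.lower():  # known name, unfamiliar address
        findings.append(f"'{name}' normally writes from {expected}, not {addr}")
    text = msg.get_body(preferencelist=("html", "plain")).get_content()
    if any(k in (str(msg.get("Subject", "")) + " " + text).lower() for k in URGENCY):
        findings.append("urgent language demanding an immediate response")
    links = _LinkCollector()
    links.feed(text)
    for href, shown in links.links:  # visible address hides the real target
        if _host(shown) and _host(href) != _host(shown):
            findings.append(f"link shows {_host(shown)} but goes to {_host(href)}")
    if any(True for _ in msg.iter_attachments()):
        findings.append("unexpected attachment")
    return findings

# Constructed sample (not a real message) carrying every indicator except an attachment.
SAMPLE_EMAIL = """\
From: "Dr. Pat Rivera" <pat.rivera.office@mail-example.net>
Subject: URGENT: verify the refund account immediately
Content-Type: text/html; charset="utf-8"

<p>Confirm the refund account within 24 hours at
<a href="http://portal.mail-example.net/login">https://portal.example.edu</a>
or portal access will be suspended.</p>
"""
```

Run `phishing_indicators(SAMPLE_EMAIL)` to see the three findings; a message from the directory address with plain wording and no links returns an empty list.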

If a phishing attack is successful, there are several key signs to look for. If malware has been installed, the PC may start to behave strangely: a sluggish response, unexpected system crashes, recurring pop-up advertisements or error messages, changes in browser settings or toolbars, an inability to run routine programs or open files, and on-screen threats or demands for payment. The last of these is most often associated with the installation of ransomware. Ransomware is a class of malicious software designed to extort money from the user by disabling computer system functions or by encrypting files on the PC, as well as on shared network drives. While anti-virus programs may protect against known malware, ransomware is always evolving and seems to stay a step ahead of the current offerings of protection.

If hackers are unable to phish a user, the next approach is to guess the password that secures their PC or their connection to various school systems. Since most passwords are chosen by human users, they contain a weakness just waiting to be exploited. Users should use computer-generated passwords and avoid common phrases. Additionally, organizations should use two-factor authentication for all users of their school PCs, network programs and computer systems. Two-factor authentication is not only required by the Department but recommended in its own right, as it is an electronic authentication method in which the user is granted access to the system only after successfully presenting two (or more) pieces of login credentials.

While this article outlines how to satisfy the GLBA standards and Department audit requirements, it is critical, and mandatory, to compile this information into a comprehensive Information Security Program that is tailored to the school’s own procedures and policies, and to assign a school official to monitor the program and ensure it is executed properly school-wide.

When writing any new program or policy, begin by identifying the program’s objective. Since the Department outlines the objective clearly in the audit requirements, this opening section is the ideal place to list the legal obligations schools are subject to, including the three GLBA objectives covered earlier. As each industry has its own language, a successful program defines the industry-specific vocabulary so that any company personnel can understand the referenced wording.

Secondly, a school must complete a risk assessment across the institution that identifies the areas needing attention. The risk identification process should cover three areas: 1) information systems, and information processing and disposal; 2) detecting, preventing and responding to attacks; and 3) employee training and management. After examining these areas at the institutional level, the next step of the program is the response to the risks defined. The risk mitigation protocol summarizes the chosen safeguards and how those selections will be implemented across the three areas defined in the identification section.

Lastly, the security program should include a section on breach responsibility. The institution should have an internal breach reporting process so that all team members know whom to contact immediately if a breach is suspected. Additionally, the external breach reporting expectations of Federal Student Aid (FSA) and the Central Processing System (CPS) should be incorporated. In addition to defining the response plan, it is equally important to include a business continuity plan covering how the institution moves forward from a breach. This section should also provide for a post-incident analysis following each and every breach. During this review, discuss what lessons have been learned and how processes can be improved to protect the institution from a similar cyber-attack in the future.

Cybersecurity compliance in the higher education sector is not only a legal requirement but a critical business decision in protecting the assets and future of the institution. Falling victim to a phishing scheme or a data breach is not only expensive to remedy; it can also affect the reputation of the school for years to follow. Data protection and breach prevention must be a collaborative effort from all personnel in order to be truly successful. The process of assessing risk must also be continuous. Writing an Information Security Program is only step one, and it cannot exist in a vacuum. The school official tasked with implementing the program must enlist the entire team in making sure the written commitments outlined in that program are followed and executed on a daily basis. Additionally, as breaches occur and processes change, the program must be updated and fine-tuned. With this joint approach to data protection, our schools and institutions can minimize their risk profile while also securing the personal information they have been tasked to collect and maintain.



RENEE FORD serves as the Vice President of DJA Financial Aid Services, Inc., a third-party financial aid servicer that has served the post-secondary education industry for over thirty years. Renee has been with DJA as an official employee for the past fifteen years, but swears it feels like she has worked there for as long as she can remember. As the daughter of the founding partners, DJA had always been a second home and it only seemed natural that after she graduated from college, she would make it her permanent career home. Renee has held previous roles within the company as management and the Human Resources Director, before becoming the Vice President. She is responsible for overseeing organizational development, employee outreach and relations, financial administration and policy procedures.

Renee is passionate about the education industry and helping her clients navigate the dynamic changes policy shifts often generate. She enjoys the opportunity to work with clients on evaluating current organizational procedures and implement new processes to match regulation expectations. With a dual bachelor’s degree in Business Management and Marketing from Newman University, she knew early on she wanted to pursue a career in financial aid due to her personal connection to the industry, as well as her natural interest in overall business administration.

Outside of her time here at DJA, Renee can be found spending time with her three boys, Tatum, Trey and Gage and her husband, Brandon. The five of them love to travel to the lake and enjoy participating and watching each other play a variety of sports. When not with her family, Renee enjoys her daily gym workouts, taking trips with her husband and making the most of the life God has blessed her with.


Contact Information: Renee Ford // Vice President // DJA Financial Aid Services Inc. // 1-800-242-0977 // rford@gotodja.com // www.gotodja.com
