What higher education needs to know about data security

Matthew Boice, VP of Ellucian Middle East, explains why higher education institutions are among the most at risk of cyber attack.

How can businesses and institutions protect confidential information from prying eyes? Outside of the virtual realm, they can keep drawers locked and vaults secured. In the technological space, however, it is not that simple.

As hacking methods become more sophisticated, securing data becomes a bigger priority, which requires institutions to take more proactive measures of protection. Having a secure network is essential for an organisation to run efficiently and shield itself from malicious attacks. This means there’s no room for weak links and holes in the network.

According to the Information Systems Audit and Control Association (ISACA), 77 per cent of organisations around the globe received cyber threats in 2014. This year, 82 per cent are at high risk for attack. As these threats continue to multiply, it is crucial for organisations to stay updated on attack methods and adopt security solutions to combat them. In this region, however, there is room for improvement when it comes to building awareness for data security.

The threat of data security breaches is very real, as witnessed by major attacks that have occurred in the region over the past few years. In 2013, the infamous security breaches on RAKBANK and Oman’s Muscat Bank shook up the region’s finance and banking sector. In total, the banks involved lost $45 million after a cyber-group hacked into the databases for prepaid debit cards and used the information to make ATM withdrawals.

Another high-profile attack occurred in the region in 2012, when a computer virus hacked into Saudi Aramco’s corporate network and wiped out data—emails, documents, and spreadsheets from 30,000 workstations. To stop the spread of the virus, Saudi Aramco was forced to shut down its internal corporate network for a period of time.
No industry is immune from the threat of cybercrime. For attackers, as long as there is a weakness in the system and an opportunity to gain information or wreak havoc, the risk exists. Even the higher education sector is not exempt. In fact, in the United States, 17 per cent of all reported data breaches belong to the higher education industry.

Institutions in the Middle East have also witnessed several cyber-attacks recently. Last month, an attacker in Saudi Arabia claimed to have hacked and stolen information from a Saudi university’s network, including personal details, academic results, and schedules of 4,000 university students. In 2014, the website of the Ministry of Higher Education in Oman was hacked by an individual who used the attack as an opportunity to criticise youth unemployment in the country. The same hacker also claimed to have compromised two other websites, one of which was of the Sultan Qaboos University. That same year, anti-government “hacktivists” in Egypt altered the home page of the Minia University website, replacing the content with political messages.

Clearly, higher education institutions are on the target list. Attackers can tap into a treasure trove of information, whether it is financial, personal, or intellectual. They can access and alter records of grades, research material, salaries, tuition statements, bank accounts, and other sensitive data—not only for current students, but past students as well. For universities with a large student body, the database will be larger, making the institution more vulnerable.

Such attacks bring huge financial damage for organisations. The PwC 2014 Global Economic Crime Survey reports that cybercrime in the Middle East results in losses that vary between $1 million and $100 million annually. It’s not only the loss of data that affects the financials of a business or institution after a security breach, but the interruption to the daily running of businesses. Consequently, local and regional companies and organisations are fortifying their IT security networks.

Security breaches can take a huge toll on an institution’s finances. Depending on the scale of the attack and the number of records affected, costs can vary, but the average cost is $111 per compromised record, according to a study by the Ponemon Institute. Some institutions have suffered millions of dollars in damages. Yet the consequences of a security breach go far and beyond financial cost, as institutions have to deal with the aftermath of the attack, warn the affected parties, and possibly provide credit protection or compensation for them. The damage inflicted to an institution’s reputation and credibility can take time to repair and could result in loss of opportunities.

One way for higher education institutions to protect their data is to partner with an expert vendor who understands their system and implements comprehensive database security solutions to safeguard data and minimise the risk of attacks. Additionally, university networks must undergo regular evaluations of entry points in order to detect any weak links in the system. This is especially important for institutions that use an online payment system.

Solutions can include a range of capabilities, from encryption packages, firewalls and activity audits. Encryption, which is commonly used for emails and online transactions, protects sensitive data as it travels through the network and prevents unauthorised access to information. The database firewall is at the forefront of network defence as it blocks any suspicious activity and counters attacks.

Furthermore, the audit tool compiles database data, operating systems, directories, and file systems into one secure repository, making it easier to monitor. It allows institutions to receive alerts and reports on database changes, user activity, and server errors, so any unauthorised activity can be investigated and stopped.

Implemented solutions should strike a balance between being accessible and secure. Members of the community should be able to access information and perform tasks easily, while malicious users should not. For example, finance staff and accounting teams should be able to process payments efficiently, and students should be able to track tuition payments and purchases without being put through burdensome verification processes. At the same time, the information on the databases must be safeguarded from malware, viruses, and unauthorised access.

The harsh reality is that data breaches are part of today’s technological landscape, and they are becoming more sophisticated and frequent. By proactively implementing this type of solution, higher education institutions are in a better position to minimise the risk of attacks and counter any attempts of a security breach. In the long run, investments toward security solutions are worth it, because they not only protect institutions from financial damages, but reputational costs too.