Are students the biggest data security risk for universities?
In 2003 Mark Zuckerberg got into his university’s private data network. Doing so was effectively against the rules. As was using the images and information he found to create a website that, in time, would become one of the world’s largest companies. However, for everyone involved, the conception and creation of Facebook was a success story. Not least for Harvard, who could add him to their list of celebrated alumni, joining US Presidents, business leaders and innovators.
But what might have happened had a less well-intentioned student managed the same hack? Gained access to the same wealth of student data and, instead of using it to revolutionise the way people connect online, what if they had sold it, stolen identities or even used it to change grades?
The chances are the university would have hit the headlines for all the wrong reasons. It would have become a case study highlighting the need for better data protection, exposing how vulnerable universities were to internal data breaches.
The fact is that students are a university’s lifeblood. Yet they are also steadily becoming their biggest data threat. Now, with one in three universities suffering a cyber attack every hour, and a steady rise in stories about students hacking their own institutions, the student risk must be taken seriously. And universities must realise that the worst data hack attempts they face may not necessarily emanate from the world beyond the campus.
The inside job
Thousands of new students enter universities across Europe every year. When they do so, they voluntarily provide data that includes financial information, medical records, housing details and educational histories – at the very least. And while most institutions use it only for payment, due process and background checks, it can provide a highly detailed picture of the student when combined. Which of course makes the data hugely valuable. Especially to hackers.
Most universities understand this, and so have fairly robust defences in place to keep their student data from being accessed by globally active cyber criminals. That’s why, despite one in three universities being attacked every hour, major data breach stories are comparatively rare. However, the issue today is not the outside getting in. Instead, it’s that almost two-thirds of universities are of the opinion that students are a threat to their data safety – and with good reason. In 2015 the University of Birmingham was hacked by a student wanting to change exam results, and in the summer of 2016 a recent, former student of the University of Greenwich stole the details of thousands of students, posting a link to download them on the ‘dark web’.
The root cause of the security threats that universities face is the same as that encountered by businesses: they have data and other people want it for a variety of reasons. However, unlike businesses, universities experience an incredibly high turnover of young people, many of whom are up on the latest spying and hacking technologies. Because of that, the systems that keep the outside threat at bay must be replicated inside – and they must be constantly, comprehensively updated to counter emerging hacking trends.
Reputation and risk
The value of a protocol that goes beyond the firewall to keep student data safe is clear from a financial point of view, and from a security one. However, the benefit of improved university security will also be an enhanced reputation for the faculty concerned.
Educational tech leaders and vice chancellors need only look to the business and banking worlds to see how a data hack can affect the long-term prospects of an organisation. Companies like TalkTalk continue to suffer from negative PR, long after they were attacked. And, with universities operating in an increasingly competitive market (especially where lucrative foreign students are concerned), withstanding the ramifications of a breach will become harder and harder to achieve.
Of course, while universities improving their internal security is a positive step, there is the risk that the student body will perceive heightened measures as a lack of trust. Countering that will, in part, be a matter of communicating how important security is to everyone on campus. When doing so, universities should be sure to make it clear that they have their students’ best interests at heart by highlighting that it’s not just the safety of data that is of concern here.
Students’ grades are also at risk of manipulation, posing a very real threat to the value of their education. They also have their financial data and future credit ratings to protect.
Universities that are relying solely on a firewall and password encryption to keep their students’ data safe are playing a risky game. With every passing year hackers are becoming more sophisticated in their methods and rudimentary security tools are unlikely to pose much of a challenge to them. And, while it’s tempting to think that those hackers will be external agencies, the reality is that many of them will actually be in-house.
Recognising the internal threat is essential for institutions that are serious about keeping their students’ data safe, as well as their grades. And in the coming months, every university will need to make an honest assessment of the systems that protect their data, and whether they are up to keeping every potential threat away.