Higher education continues to be an attractive target for cyber criminals. In July 2020, Comparitech reported that 1,327 data breaches in the education sector had resulted in the exposure of 24.5 million records since 2005. Higher education accounted for three-quarters of those breaches. Why not, given the gold mine of data that pays the bills for cybercrime, including information on students, families, employees, faculty, partners and donors?
Colleges and universities also have a number of challenges that create additional hurdles in protection, including open access, remote operations, proprietary research data, outdated systems, and large, untrained user networks.
Cybersecurity risks should be considered part of an overall Enterprise Risk Management program for any sizeable not-for-profit, but particularly for schools. The impacts to the institution from a cyber-attack are swift and can be devastating.
Information security is a complicated issue to manage because each organization’s vulnerabilities to cyber-attacks are different. Systems in place and control environments are highly customized, and federal and state regulatory requirements will vary based on your location and affiliations. Although there are best practice frameworks to use for managing information security, the devil is in the details of how those frameworks are configured for your institution’s needs.
CFOs, school administrators, and critical data stakeholders can help their institutions manage the information security function by reviewing the following core areas of risk.
Policy & Governance Processes
There are several best practices for policy and governance processes. Leadership should consider whether it has a dedicated person responsible for the school’s data security who meets with leadership (and the audit committee) to discuss threats and ongoing risk mitigation efforts. By putting one person in charge of this responsibility, leadership has a resource with which to discuss concerns and address questions about how the information security effort is going as a whole. Other best practices include documenting critical security-related practices and policies (password changes, privileged account access, etc.) and reviewing them annually. It is also important to have cyber risk awareness training in place for all employees, faculty members, and staff.
Tactical Areas of Focus
Every organization has unique risks, but there are core areas where information security breaches and cyber-attacks are common. To address these tactical areas, CFOs and administrators should consider whether their school has a vendor risk management program that routinely reviews security practices for service providers that process or store critical and sensitive information. It is also critical to make sure their institution performs social engineering and phishing simulations periodically to assess training and awareness. Security patches should also be routinely catalogued, prioritized, and scheduled for timely updates to all connected devices and software.
Information for Boards of Trustees
Boards of Trustees play a critical role in the cybersecurity risk management process so long as they are informed about the steps their school is taking to protect its information. Having a detailed conversation with members of the IT team and Administrative Leadership can help ensure that there is an institution-wide approach being taken to mitigate information security threats.
Specifically, boards may be asking the following questions, which CFOs and leadership teams should be prepared to answer:
- Do you have an IT security strategy and plan that is aligned with your highest value information?
- What makes you feel confident in your security and controls over the school's data?
- Would your school be able to detect a breach? How often does management review incidents and breaches and when was the last one?
- When was the last time the school had an IT security assessment performed against a standard security controls framework?
- When was the last time key suppliers and partners were reviewed with respect to access to data and systems?
- What investments are you making in improving your employees’ and faculty’s understanding and everyday practice of information security?
Put Your Cyber Approach to the Test
With so much to consider, it can be difficult to get your information security evaluation started. We created an online evaluation based on the checklist items under Policy & Governance Processes and Tactical Areas of Focus above to help shed some light on where your organization stands with its approach. Our virtual checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and our experiences with our clients. As a note, use of this checklist does not create a "safe harbor" with respect to cyber risks, or applicable federal or state regulatory requirements.
Ray Gandy is a Director and Leader of the IT Risk & Assurance Practice in New England. He can be reached at email@example.com or 617.671.0722.
Copyright © 2021 CBIZ & MHM (Mayer Hoffman McCann P.C.). All rights reserved.