United States

Higher education: You’re already a data breach target


You’ve heard the stories. Data breaches have hit all kinds of industries, from retail to financial services. They’ve got the access points, the rich client data, including credit card records and other customer information. It’s those other industries’ problem, right? Thank goodness higher education seems to be somewhat immune.

Wrong. It’s a huge problem for higher education, as well, and the threat continues to rise.

Just the facts

The sad fact is that more than 700 data breaches have been reported since 2005 within higher education. The Universities of Indiana and Maryland are two of the more well-known security breaks, with thousands and thousands of records exposed. In fact, according to recent data, the average number of records typically exposed during a single breach is nearly 29,000. Factor in the average costs per record at $188 and privacy and security becomes a huge financial concern for all colleges and universities. Add reputational damage to the mix and a single breach could paralyze an institution for years.

A ripe target

But, given the alarm of concerning examples and figures, many higher education institutions have not made data security a strategic priority. Some of this might be because colleges are a stronghold of intrinsic openness and transparency. It’s a place of free ideas and a community where convention is challenged. To consider major data-clamping initiatives is a bit counterculture to this free and inclusive environment. In addition, universities have complex structures, with multiple colleges and schools, along with a multitude of majors and related organizations. Each area frequently can have their own siloed structures operating under individual grants and leadership. This sometimes intricate and disjointed matrix can be challenged with inconsistent communication and practices, an environment ripe, unfortunately, for data security issues. Cyberhackers know this and continue to capitalize on these structural inconsistencies via malware or spyware, two of the most prevalent ways they’re infiltrating colleges and universities today.

The best defense

So, how can universities address this mounting issue? It starts with acceptance that your organization will be or is likely already a security target. These days, offense is the best defense, and being aware and putting measures in place now can help lessen your damages when, not if, a breach occurs.

Initial strategies all organizations should consider require completing a data discovery of your entire university, including its various colleges and departments. What data is sensitive in these areas, who has access to that data, who are your third-party vendors and what access level do they have are just a few questions to consider.

In addition, an incident response plan must be initiated and integrated throughout the organization. This plan should include an evaluation phase, with a comprehensive forensic investigation and legal review, crisis planning for the short- and long-term and a review of long-term consequences, such as lawsuits, income losses and reputational damage.

A full risk assessment strategy should also be implemented, including a review of current business continuity and disaster recovery plans to assure a data breach incident response plan is integrated within those plans. Periodic vulnerability scans should be conducted, as well, along with mock incident response drills to test your plan and tweak where needed.

Training of all essential college employees is also needed. This should include all levels, from vendors and service providers to leadership, faculty and staff, to assure they are all mindful of your organization’s response plan and all know their part in the overall strategy.

It’s a daunting problem, but getting on top of the issues now and making it more arduous for hackers can result in containing debilitating damages later. For more information about this topic, contact your local RSM consultant.


How can we help you?

Contact us by phone 800.274.3978 or
submit your questions, comments, or proposal requests.

Receive Risk Bulletin by Email


Cybersecurity Rapid Assessment®

Complete our Cybersecurity Rapid Assessment form to be contacted about receiving our "quick-hit" evaluation of your organization’s overall security risk.