From student PII and research IP, to sensitive donor information and confidential grant applications; the education sector has quickly found itself at the forefront of a data protection challenge. In fact, the latest IBM Cost of a Data Breach report places education in the Top 10 most costly sectors for a data breach, with the average cost quickly approaching $4m.
While regulations such as FERPA are helping to protect student PII, many universities and colleges are finding that wider industry regulations such as HIPAA are impacting how they manage their security posture in the context of wider research work. In fact, it’s here where many of the challenges exist; and balancing the necessity for collaboration (often with external research or funding partners), with the need to protect sensitive IP, has become a daily battle for security administrators.
There are also international regulations to meet. For example, any educational institution with international students from the EU will need to ensure they abide by the strict requirements of the EU General Data Protection Regulation (GDPR), which has a global reach and notoriously high fines for noncompliance.
How then, should educational institutions react to meet the rapidly changing landscape for data protection?
Where is the risk coming from?
Data leaks, for the most part, aren’t actually nefarious in nature. In fact, human error is responsible for more than a quarter of all data breaches in education, one of the highest rates across all sectors. For example, an email containing personal student information accidentally sent to the wrong person, represents a FERPA violation.
What type of data should be protected?
The types of data that should be considered in scope for any data protection strategy can broadly be defined as:
- PII – Protecting student and faculty records and PII from unauthorized transfers.
- Research Data – Protection of highly restricted data and IP, including PHI subject to HIPAA.
- Grants, budgeting, and payment data – Protection of financial records and sensitive grant documentation.
To ensure data protection compliance and security against these data types, educational institutions need to look at Data Loss Prevention (DLP) solutions.
The Role of DLP in Education
DLP solutions have become a critical component of educational institutions’ data protection efforts. They allow institutions to monitor and control the sensitive data they collect through predefined policies for personal information and compliance with regulations like GDPR, FERPA, HIPAA, etc., as well as helping them to protect IP and sensitive financial records.
Using contextual scanning and content inspection, DLP solutions such as Endpoint Protector by CoSoSys can identify sensitive data in hundreds of file types, blocking its transfer through insecure channels such as popular messaging apps, file sharing services, or emails. DLP tools can also prevent sensitive data from being printed or copied and pasted. Any attempts to violate DLP policies are logged and reported, helping educational institutions identify common data exit channels or potential threats of data exfiltration.
Control Removable Devices
The use of removable media remains commonplace in education; typically to aid the movement of data between locations and devices. It is, however, one of the biggest risks for any organization – presenting an opportunity for loss or theft.
DLP solutions come with device control policies that help educational institutions limit or block the use of portable devices. The use of USBs can then be controlled; either by restricting use entirely, or limiting it to trusted devices such as school-issued USBs only. Any sensitive data transfers onto removable devices can be flagged, giving educational institutions a clear insight into who has attempted to transfer sensitive data, when, and with which device. Alternatively, tools like Endpoint Protector can allow security admins to automatically ensure data being transferred to removable storage is encrypted with 256-bit AES encryption and remote wipe capabilities.
Protect Sensitive Data on all Operating Systems
The use of Apple computers is increasing in many sectors, not least of which is education. It means security admins must now ensure that data protection policies are able to span Windows, macOS, and, even, Linux machines. Unfortunately, not all DLP solutions offer feature parity across multiple operating systems. Some may not even support macOS and Linux at all.
Such centrally administered, multi-OS solutions, like Endpoint Protector, offer two major advantages. They reduce costs as a single solution replaces several specialized tools for different operating systems. They also simplify data protection management when IT resources are limited.
Next Steps
Universities, colleges, and any other type of educational institution must be constantly vigilant. The risk of a data breach spans not only PII, but also sensitive financial, donor, and research data. Managing this risk, while also fostering a culture of collaboration remains one of the most important challenges for security administrators.
To learn more about Endpoint Protector and how we’re helping universities, colleges, and educational institutions to meet their cybersecurity goals and data compliance requirements, book a demo with one of our Data Loss Prevention solution experts.
Frequently Asked Questions
Read more about GDPR.
Read the full text of the GDPR.
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.
