
Educational Institutions: How to Ensure Data Compliance and Security

From student PII and research IP to sensitive donor information and confidential grant applications, the education sector has quickly found itself at the forefront of a data protection challenge. In fact, the latest IBM Cost of a Data Breach report places education in the Top 10 most costly sectors for a data breach, with the average cost quickly approaching $4m.

While regulations such as FERPA are helping to protect student PII, many universities and colleges are finding that wider industry regulations such as HIPAA are impacting how they manage their security posture in the context of wider research work. In fact, this is where many of the challenges exist: balancing the necessity for collaboration (often with external research or funding partners) with the need to protect sensitive IP has become a daily battle for security administrators.

There are also international regulations to meet. For example, any educational institution with international students from the EU will need to ensure they abide by the strict requirements of the EU General Data Protection Regulation (GDPR), which has a global reach and notoriously high fines for noncompliance.

How then, should educational institutions react to meet the rapidly changing landscape for data protection?

Where is the risk coming from?

Data leaks, for the most part, aren’t actually nefarious in nature. In fact, human error is responsible for more than a quarter of all data breaches in education, one of the highest rates across all sectors. For example, an email containing personal student information accidentally sent to the wrong person represents a FERPA violation.

What type of data should be protected?

The types of data that should be considered in scope for any data protection strategy can broadly be defined as:

  1. PII – Protecting student and faculty records and PII from unauthorized transfers.
  2. Research Data – Protection of highly restricted data and IP, including PHI subject to HIPAA.
  3. Grants, budgeting, and payment data – Protection of financial records and sensitive grant documentation.

To ensure data protection compliance and security against these data types, educational institutions need to look at Data Loss Prevention (DLP) solutions.

The Role of DLP in Education

DLP solutions have become a critical component of educational institutions’ data protection efforts. They allow institutions to monitor and control the sensitive data they collect through predefined policies for personal information and compliance with regulations like GDPR, FERPA, HIPAA, etc., as well as helping them to protect IP and sensitive financial records.

Using contextual scanning and content inspection, DLP solutions such as Endpoint Protector by CoSoSys can identify sensitive data in hundreds of file types, blocking its transfer through insecure channels such as popular messaging apps, file sharing services, or emails. DLP tools can also prevent sensitive data from being printed or copied and pasted. Any attempts to violate DLP policies are logged and reported, helping educational institutions identify common data exit channels or potential threats of data exfiltration.

Control Removable Devices

The use of removable media remains commonplace in education, typically to aid the movement of data between locations and devices. It is, however, one of the biggest risks for any organization – presenting an opportunity for loss or theft.

DLP solutions come with device control policies that help educational institutions limit or block the use of portable devices. The use of USBs can then be controlled, either by restricting use entirely or by limiting it to trusted devices such as school-issued USBs only. Any sensitive data transfer onto a removable device can be flagged, giving educational institutions clear insight into who attempted to transfer sensitive data, when, and with which device. Alternatively, tools like Endpoint Protector can allow security admins to automatically ensure that data transferred to removable storage is encrypted with 256-bit AES, with remote wipe capabilities for the encrypted storage.
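To make the content-inspection and device-control behaviour described above concrete, here is an added illustration (not Endpoint Protector’s code or policy format): a small policy engine that classifies a file’s content against the three data categories the article lists, then decides whether a transfer over a given exit channel is allowed, blocked, or allowed only with encryption onto a school-issued USB. The detection patterns, the trusted-serial list, and the channel names are constructed assumptions for the example.

```python
import re

# Constructed detectors standing in for a DLP product's compliance profiles.
# Real products ship hundreds of such patterns; three suffice to show the flow.
DETECTORS = {
    "student_pii": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # SSN-style student identifier
    "phi":         re.compile(r"\bMRN[- ]?\d{6,}\b", re.IGNORECASE),  # medical record number (HIPAA)
    "financial":   re.compile(r"\bgrant[- ]?\d{4,}\b", re.IGNORECASE),  # grant/payment reference
}

# Constructed allowlist of school-issued USB drives, keyed by device serial.
TRUSTED_USB_SERIALS = {"SCHOOL-USB-0001", "SCHOOL-USB-0002"}

# Channels the article names as insecure exit points for unencrypted sensitive data.
BLOCKED_CHANNELS = {"email", "messaging", "file_sharing", "print", "clipboard"}

AUDIT_LOG = []  # every decision on sensitive data is recorded for reporting


def classify(text):
    """Return the set of sensitive data categories found in the text."""
    return {name for name, rx in DETECTORS.items() if rx.search(text)}


def decide(user, content, channel, device_serial=None):
    """Evaluate one transfer attempt and return the policy action taken."""
    categories = classify(content)
    if not categories:
        action = "allow"                      # no sensitive data, nothing to enforce
    elif channel in BLOCKED_CHANNELS:
        action = "block"                      # insecure exit channel
    elif channel == "usb":
        # Only school-issued drives may receive sensitive data, and only encrypted.
        action = "allow_encrypted" if device_serial in TRUSTED_USB_SERIALS else "block"
    else:
        action = "block"                      # unknown channel: fail closed
    if categories:
        AUDIT_LOG.append({"user": user, "channel": channel,
                          "device": device_serial, "categories": sorted(categories),
                          "action": action})
    return action


if __name__ == "__main__":
    print(decide("jdoe", "Transcript for student 123-45-6789", "email"))
    print(decide("jdoe", "Transcript for student 123-45-6789", "usb", "SCHOOL-USB-0001"))
    print(decide("jdoe", "Course syllabus, week 3", "email"))
    print(AUDIT_LOG)
```

The audit entries are what a reporting layer would surface to show which users, channels and devices are involved in attempted sensitive-data transfers.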

Protect Sensitive Data on all Operating Systems

The use of Apple computers is increasing in many sectors, not least of which is education. This means security admins must now ensure that data protection policies span Windows, macOS, and even Linux machines. Unfortunately, not all DLP solutions offer feature parity across multiple operating systems. Some may not even support macOS and Linux at all.

Centrally administered, multi-OS solutions such as Endpoint Protector offer two major advantages. They reduce costs, as a single solution replaces several specialized tools for different operating systems. They also simplify data protection management when IT resources are limited.

Next Steps

Universities, colleges, and any other type of educational institution must be constantly vigilant. The risk of a data breach spans not only PII, but also sensitive financial, donor, and research data. Managing this risk, while also fostering a culture of collaboration remains one of the most important challenges for security administrators.

To learn more about Endpoint Protector and how we’re helping universities, colleges, and educational institutions to meet their cybersecurity goals and data compliance requirements, book a demo with one of our Data Loss Prevention solution experts.


Frequently Asked Questions

Does GDPR apply to educational institutions?
Educational institutions collect vast amounts of personal information such as names, email addresses, and physical addresses, but also special categories of data such as health information, disciplinary records, or ethnicity from a large number of students, employees, and alumni. As such, all educational institutions offering EU data subjects access to educational programs and services must comply with GDPR.


How does DLP help with GDPR compliance?
One of GDPR’s main stipulations requires data controllers and processors to know where personal information is stored and how it is being processed. Most DLP solutions include data discovery features that allow admins to scan an organization’s entire computer and device fleet in search of sensitive information, as defined through specialized compliance profiles for laws such as GDPR, HIPAA or CCPA, international standards such as PCI DSS, personally identifiable information (PII), file extensions, file names and more. This way, organizations can find out how sensitive data is being used and stored by employees. DLP tools can also log the movement of that data and generate reports that can then be provided to DPAs upon request or to support auditing.


What is personal data under GDPR?
According to article 4 (1) of GDPR, personal data refers to any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

