How universities do not protect student data

If enthusiasm for college is lacking among high school students today, it's not hard to see why: community colleges are overcrowded, universities are expensive and students are left paralyzed by loans. And while those factors are enough to drive high school graduates away from college, there's another cost that is almost never included in the price of higher education: data.

Universities have access to their students' very sensitive information, from how much money their parents have saved to how often the students experience depression. For example, think about the content of student records: contact information, high school records, test scores, grades, parent names, emergency contacts, social security numbers, financial information, details of their major, scholarships, and more. Then there are health records, including vaccination dates, health data and extremely sensitive health information. And because 68 percent of universities have full law enforcement agencies, most universities also have student police records.

We hold banking institutions to a high standard of responsibility for protecting our personal information, but when it comes to institutions of higher education, our standards are hard to explain. How do the two compare, exactly? We decided to find out.

Put data risk in context
RiskRecon has benchmarked the software vulnerability management practices of a set of universities against those of a set of banking institutions. In doing so, we risk-contextualized every detected software vulnerability based on our own blend of the severity of the issue and the sensitivity of the system where the issue exists.

Systems that require user authentication or collect sensitive data, such as email addresses or credit card numbers, are considered highly sensitive systems. Issue severity is based on the Common Vulnerability Scoring System (CVSS).

Using this method, we not only identify which industries have a higher issue rate, but also measure how well each industry protects its most sensitive systems from the most serious vulnerabilities.
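To make the method concrete, here is an added example (not RiskRecon's code or data) that classifies system sensitivity by the rule above, bands severity by CVSS v3.x, and compares issue rates between sectors. The inventory and findings are constructed, and both the P1/P2/P3 blend and the "findings per system" rate definition are assumptions, since the page does not publish the exact formula.

```python
from collections import Counter

# Constructed sample inventory: (host, sector, requires_auth, sensitive data collected)
SYSTEMS = [
    ("u-portal",  "university", True,  {"credentials"}),
    ("u-pay",     "university", False, {"credit_card"}),
    ("u-www",     "university", False, set()),
    ("u-lab",     "university", False, set()),
    ("b-online",  "bank",       True,  {"credentials"}),
    ("b-careers", "bank",       False, {"email"}),
    ("b-www",     "bank",       False, set()),
    ("b-docs",    "bank",       False, set()),
]
# Constructed sample findings: (host, CVSS base score)
FINDINGS = [("u-portal", 9.8), ("u-portal", 7.5), ("u-pay", 8.1), ("u-www", 5.3),
            ("u-lab", 4.3), ("u-lab", 6.1), ("b-online", 3.1), ("b-www", 5.3),
            ("b-docs", 4.3)]

def cvss_band(score):
    """CVSS v3.x qualitative severity rating for a base score."""
    for floor, name in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if score >= floor:
            return name
    return "none"

def highly_sensitive(system):
    """The page's rule: requires authentication or collects sensitive data."""
    _, _, requires_auth, collects = system
    return requires_auth or bool(collects)

def priority(score, system):
    """Assumed blend: P1 = serious issue on a sensitive system, P3 = neither."""
    hits = (cvss_band(score) in ("critical", "high")) + highly_sensitive(system)
    return {2: "P1", 1: "P2", 0: "P3"}[hits]

def issue_rates(systems, findings, sensitive_only=False):
    """Findings per in-scope system for each sector (assumed rate definition)."""
    scope = {s[0]: s for s in systems if not sensitive_only or highly_sensitive(s)}
    n_systems = Counter(s[1] for s in scope.values())
    n_issues = Counter(scope[h][1] for h, _ in findings if h in scope)
    return {sector: n_issues[sector] / n for sector, n in n_systems.items()}

def rate_ratio(systems, findings, sensitive_only=False):
    """How many times higher the university issue rate is than the bank rate."""
    rates = issue_rates(systems, findings, sensitive_only)
    return rates["university"] / rates["bank"]
```

Restricting the scope to highly sensitive systems changes both the numerator and the denominator, which is why the ratio for sensitive systems can differ from the overall ratio.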

If you bet that universities perform worse than banking institutions at data protection, give yourself a pat on the back: you win.

The alarming part of our research is how much worse universities are at patching software. Analyzing the data without regard to issue severity or system sensitivity, the rate of software vulnerabilities in internet-facing systems at universities is 10.6 times higher than at banks.

[Figure: rate of software vulnerabilities]

Universities are even worse at protecting highly sensitive systems that handle regulated data such as personal health information, credit card numbers, email addresses and credentials. For highly sensitive systems, universities have an issue rate 13.5 times higher than banks.

Outdated software means data is vulnerable
In case you thought it couldn't get worse ... it does. In addition to having significantly higher vulnerability rates in systems that process sensitive data, universities also have some extremely serious issues that have been present in their systems for a very long time.

For example, 24% of universities have one or more internet-facing systems running OpenSSL 0.9.7, which has been unsupported since February 2007 and has had serious vulnerabilities since 2010. In 11 years, universities have not yet removed OpenSSL 0.9.7 from their systems.

The table below shows the percentage of organizations with one or more of the selected serious issues present in their internet-facing systems.

It is unfair enough to saddle students with astronomical debt before they even graduate, but it is criminal to expose their sensitive information. The most disappointing factor in all this is that universities could do better if only they cared. After all, they have enough resources to do a good job of information risk management. Many offer cybersecurity courses and degrees, with expert teams in the field and students eager to study it. Why not take the research being taught in classes and published in academic papers and apply it to protect their own organizations?

Universities are also very good at setting and complying with performance standards. They do it in academics, admissions and athletics, so why not in information risk management?

It's time for universities to work together as an industry to self-regulate their information risk management activities. In doing so, universities can achieve good information risk management while providing the world with some of the practical research on managing information risk that universities are well qualified to provide.

If they do not self-regulate, government regulators will eventually step in and impose rules with real consequences. It will most likely be a federal legal framework under which institutions must qualify for certification against regulatory requirements.

Now is the time to take action. Sensitive data held by universities is at significant risk of compromise; the data makes it clear that they are not doing a good job of managing that risk. Moreover, public disclosure of a major breach at a university is inevitable. When that happens, regulators in Washington, D.C. will begin to move. Universities and their stakeholders would be much better off if they acted, both as individual organizations and as an industry, to manage information risk well.

We owe it to our students to take better care of their information; otherwise we fail them and send them into a world that has no regard for their sensitive data or their success.
