By Marcia Daniel, Chief Client Officer, Ferrilli
When I meet with institutional leaders across the higher education landscape, I am continually astounded at just how tech-savvy they have become. Provosts are asking about about degree audit software. Registrars want to discuss how best to deploy chatbots. Vice Presidents of Student Life are exploring the benefits of digital nudges. Just about everyone in higher education is a technology expert these days – except in the area that matters most.
Because when I ask them about what they’re doing to ensure data security, there’s a familiar refrain I hear all too often: “Oh, our CIO handles that.”
Given the nature of the threat and how it has evolved in recent years, this is a recipe for disaster. Cyber-attacks on the education sector are up 30 percent year-over-year. Higher education is now the most targeted industry in ransomware attacks – and the average demand has reached more than $300,000. Seventy-five percent of all data breaches in the education sector target colleges and universities. All of this has led institutions to rank data security as their second largest liability in a recent survey.
If ever a situation called for an all-hands-on-deck approach, this is it – and, as such, all campus leaders have a role to play in ensuring the institution is adequately defended. From the trustees on down, everyone must burnish their tech chops even further than they already have – and, depending on their responsibilities, there are very different sets of skills and knowledge that they must master.
Presidents and Board Members
At the top of the org chart, presidents and boards must develop the fluency necessary to engage in effective oversight. They don’t need to know how the most vital defensive mechanisms work, but they do need to know what they are – and the right questions to ask the CIO to ensure they are in place. Are our data back-ups offsite and off-domain? Are those backups being monitored regularly? Are they secured by multi-factor authentication? Are we testing those backups, so we know they’ll be there if needed?
At a minimum, these are the key areas that the CIO must have covered – and that makes them essential elements of the president and board’s management responsibilities.
Chief Financial Officers
At the top of the list for CFOs is putting the right level of cyber liability insurance in place – and right next to that is investing in security measures that make the institution coverable in the first place. To justify those investments, CFOs need to articulate just what’s at stake. Imagine if the institution lost all proof of transactions and registration for the last 18 months. Worse yet, what if financial aid records are lost as well. Not only is the institution unable to collect what is owed, it risks the ire of the Department of Education and the inability to participate in financial aid moving forward.
Simply put, the stakes couldn’t be any higher – and that makes it incumbent on the CFO to ensure protection against the worst-case scenario.
Vice Presidents of Communications
For university communications leaders, the most important priority is understanding how best to interact with stakeholders in the event of a breach. Conventional wisdom dictates that you over-communicate in a crisis; but a cyber attack is not a typical crisis. Here, the goal is to publicly share only the most pertinent information with end users: “Our systems are down, we are working on getting them back up as soon as possible.”
At first glance, it may seem a paltry response – but it’s not just your stakeholders who are listening in the midst of a breach. The hackers are listening as well, and they will be poised to act on any information you provide. (For instance, if you communicate that a certain system is still up and running, you find that’s no longer the case in very short order.)
It may seem counterintuitive given the concerns of students, parents, and staff – but those audiences are quite tech-savvy themselves and are likely to understand that your limited communications are part of a coordinated strategy to limit the damage to the fullest extent possible.
Understand the Urgency
There’s not enough space here to detail the data security responsibilities of every leader on campus, but let it suffice to say in closing that everyone must appreciate just how urgent the need is – and that such urgency may require sacrifices from time to time.
Just one example is the debate taking place on a number of campuses on the implementation of multi-factor-authentication. Some leaders are pushing back against this extra layer of protection, arguing that it creates an inconvenient and undue burden on students and staff, and that it diminishes the seamless digital experience end users have come to expect.
For these leaders, Job One is accepting data security for the priority that it is – and understanding that everyone must be on board in order to build the leadership culture that all institutions need in this day and age.
Data security really does take a village if we’re going to get it right – and getting it right is only option we have.
Receive 100 Hours of Complimentary Security Services!
We’re excited to announce that Ferrilli has joined Pledge 1% as a proud corporate partner.
This is big news for higher education! As part of our Pledge 1% commitment, we are donating 100 hours of security services to institutions that have fallen victim to a cyber attack.
Please click here to learn more.
