Higher Education continues to be an attractive target for cyber criminals. In July 2020, Comparitech reported that 1,327 data breaches in the education sector had resulted in the exposure of 24.5 million records since 2005. Higher education accounted for three-quarters of those breaches. This is no surprise: institutions hold a gold mine of the data that pays the bills for cybercrime, including information on students, families, employees, faculty, partners and donors.
Colleges and universities also have a number of challenges that create additional hurdles in protection, including open access, remote operations, proprietary research data, outdated systems, and large, untrained user networks.
Cybersecurity risks should be considered part of an overall Enterprise Risk Management program for any sizeable not-for-profit, but particularly for schools. The impacts to the institution from a cyber-attack are swift and can be devastating.
Information security is a complicated issue to manage because each organization’s vulnerabilities to cyber-attacks are different. Systems in place and control environments are highly customized, and federal and state regulatory requirements will vary based on your location and affiliations. Although there are best practice frameworks to use for managing information security, the devil’s in the details with how those frameworks are configured for your institution’s needs.
CFOs, school administrators, and critical data stakeholders can help their institutions manage the information security function by reviewing the following core areas of risk.
Policy & Governance Processes
There are several best practices for policy and governance processes. Leadership should consider whether they have a dedicated person responsible for the school’s data security who meets with leadership (and the audit committee) to discuss threats and ongoing risk mitigation efforts. By putting one person in charge of this responsibility, leadership has a resource with which to discuss concerns and address questions about how the information security effort is going as a whole. Leadership should also confirm that critical security-related practices and policies (password changes, privileged account access, etc.) are documented and reviewed annually. It is important that there is training in place on cyber risk awareness for all employees, faculty members, and staff.
Tactical Areas of Focus
Every organization has unique risks, but there are core areas where information security breaches and cyber-attacks are common. To address these tactical areas, CFOs and administrators should consider whether their school has a vendor risk management program that routinely reviews security practices for service providers that process or store critical and sensitive information. It is also critical to make sure their institution performs social engineering and phishing simulations periodically to assess training and awareness. Security patches should also be routinely catalogued, prioritized, and scheduled for timely updates to all connected devices and software.
Information for Boards of Trustees
Boards of Trustees play a critical role in the cybersecurity risk management process so long as they are informed about the steps their school is taking to protect its information. Having a detailed conversation with members of the IT team and Administrative Leadership can help ensure that there is an institution-wide approach being taken to mitigate information security threats.
Specifically, boards may be asking the following questions, which CFOs and leadership teams should be prepared to answer:
- Do you have an IT security strategy and plan that is aligned with your highest value information?
- What makes you feel confident in your security and controls over the school's data?
- Would your school be able to detect a breach? How often does management review incidents and breaches and when was the last one?
- When was the last time the school had an IT security assessment performed against a standard security controls framework?
- When was the last time key suppliers and partners were reviewed with respect to access to data and systems?
- What investments are you making in improving your employees’ and faculty’s understanding and everyday practice of information security?
Put Your Cyber Approach to the Test
With so much to consider, it can be difficult to get your information security evaluation started. We created an online evaluation of the checklist surrounding Policy and Governance Processes and Tactical Areas of Focus above to help shed some insight into where your organization stands with its approach. Our virtual checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and our experiences with our clients. As a note, use of this checklist does not create a "safe harbor" with respect to cyber risks, or applicable federal or state regulatory requirements. Our Cybersecurity Posture Assessment is available online.
For More Information
For more information regarding the questions you should be asking about cybersecurity, please contact us.
Published on July 29, 2021
© Copyright CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ). MHM (Mayer Hoffman McCann P.C.) is an independent CPA firm that provides audit, review and attest services, and works closely with CBIZ, a business consulting, tax and financial services provider. CBIZ and MHM are members of Kreston International Limited, a global network of independent accounting firms. This publication is protected by U.S. and international copyright laws and treaties. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.