The loss of personal information due to data security breaches has become a daily headline. In 2012 alone, many notable institutions suffered security losses:
- Northwest Florida State College lost 276,000 student records
- University of North Carolina-Charlotte lost 350,000 student accounts
- Housatonic Community College lost 87,000 student accounts
- University of Tampa lost 6,818 student accounts
- Clarksville-Montgomery County School System lost 14,500 accounts.
It is alarming that despite their considerable IT budgets, they continue to suffer from such regular security breaches. It can truly puzzle the mind. But at the heart of the matter, the problem is rather straight forward: regardless of size, as an organization matures over time, their IT infrastructure struggles to keep pace. Therein lies the epic Sisyphean struggle facing businesses of every size and shape during their lifetime – a business wants to continue utilizing existing IT infrastructures and investments, but at the same time must perpetually rebuild them to adopt the latest and greatest security features. The matter is simply compounded exponentially with larger IT infrastructures.
So, is your student data at risk? It’s very likely, especially if it’s an antiquated system built in a time when security did not perform center stage. So, what do you do about it? The irresistible Siren’s call of course is to do absolutely nothing. You certainly save money for your institution with that kind of short term thinking. After all, one may falsely feel content doing nothing since preventative measures are often thankless anyway, and as another famous saying goes, “if it ain’t broke, don’t fix it.” Please allow me to persuade you otherwise.
First off, there is the straight moral imperative. You are asking users to share and entrust their data with you. As the caretaker, it is your duty to safeguard it. You yourself would likewise expect others to take the same precautions with your personal information as well. If however that’s not enough to keep you awake at night, then perhaps the legal imperative is. Yes, the victims may seek restitution for any negligence on your part as they did with LinkedIn and their $5 million lawsuit. While there is a deal of difficulty in proving that one “suffered direct harm or injury”, who wants to be dragged into the court system through a legal gray area to prove their innocence? And oh, there’s also the whole daily headline thing we discussed earlier where your institution will be served a delicious PR disaster a la carte, with public disgrace being served as the soupe du jour. Need I say more?
So what to do?
- First: use a trusted SSL certificate whenever exchanging personal information over the web. This is non-negotiable. The only downside to SSL is cost, which some small institutions may fret over but this should be a no-brainer. Without SSL, the information being exchanged over the web is publicly up for grabs to anyone that happens to be looking up (metaphorically speaking). All of SimpleApply’s clients use trusted SSL certificates, no exceptions.
- Second: store as little personal information as possible. The less information you store, the less information you’re obligated to protect, the less you have to worry about leaking, the less a hacker would have to gain from an incursion. Don’t collect Social Security Numbers, dates of birth, mother’s maiden names, credit card numbers, etc if you don’t absolutely-positively-definitely-unconditionally have to.
- Third: when you must store personal information, store it securely. Encrypt everything, and then encrypt some more.
- Implement database-wide encryption using a strong algorithm such as AES. Microsoft offers Transparent Data Encryption (learn more about TDE) which enables anyone to set this up without advanced planning. Implementing this ensures that only you will have access to the database and will prevent an attacker from simply restoring or reading your database outside your IT environment. SimpleApply offers this service to all of our clients. The most attractive feature of this option is the fact this occurs seamlessly behind the scenes. However this does not protect your data if an intruder has gained access to your IT environment directly. To protect yourself from a direct intrusion continue reading below.
- Encrypt individual data fields containing private information using the latest 256-bit AES encryption standard. SimpleApply encrypts all private student information using this method. So, even if an intruder gains entry to your IT server environment and executed a brute force attack using 50 super computers have computing capacities of 20 Peta-FLOPS it would still take 3×1051 years to exhaust the 256-bit key space. A long time, yes indeed.
- Encrypt any “one-way” data, such as passwords, using salt cryptography when possible. This is an effective method of encryption when data never needs to be reread after its initial input. SimpleApply employs this on a record by record basis where each student’s encrypted password is stored alongside its own unique salt hash. Why this extra layer of unique protection for passwords? Because not only do their passwords allow an intruder to gain access to user information, but also because many ordinary people (against recommendations) often reuse the same passwords for multiple accounts. So you never want password data to be readable by anyone, ever, even yourself, or your staff. Employing this method ensures that any widespread compromise to security becomes impractical for a data thief–as it would require an implausible amount of time to crack the encryption on every single user, individually, one at a time.
- Fourth: train your staff on basic security practices and principles. This is the most commonly overlooked hole in many institutions. Because the greatest security technologies in the world cannot stop your staff from posting private information on public domains, scribbling passwords and Social Security numbers on post-it notes, carelessly throwing away sensitive paperwork without shredding, and it won’t protect them from clever social engineering or phishing scams. But by digitizing your processes at least all of those petty paper leaks can be eliminated. Through some simple training, many of those innocent bad habits can also be put to an end.
There you have it. Risk to data security is in a real crisis today. There are millions upon millions of victims every year and the number grows annually. And because of its profitability and opportunity of financial gain there are no targets that are off limits –be they schools, colleges, universities, charities, NPOs, government agencies, or other institutions. The difficulty of course is in the implementation. Protecting student data should be one of your top priorities. The comforting fact is that the security technologies and processes needed to protect your data are out there today. Here at SimpleApply we provide admission application software, net price calculators, and custom Section 508 compliant form solutions with all of the latest security functionality already built-in right out of the box. So feel free to contact us or drop us a line to reshape the way your collect and store applicant information today.