Importance of Cybersecurity for Institutions of Higher Education
Institutions of higher education are becoming increasingly digital. Learning management systems have become an integral part of how colleges and universities deliver instruction. Even where an institution’s courses are primarily lecture-based, learning management systems are used heavily to supplement course content and to serve as a means of communication. Because of this growing digital presence, cybersecurity has become a central concern for colleges and universities.
Beyond online learning, colleges and universities conduct many activities online that relate to the core functions of the institution. Everything from student registration and transcript services to financial aid and graduation applications is handled through enterprise resource planning (ERP) systems. With so many of the institution’s functions taking place online, cybersecurity is just as much a concern for higher education as for any other sector of our society.
To single out one ERP provider, Banner by Ellucian is the world’s leading higher education ERP. Over 1,500 institutions around the world use Banner. For schools that use it, Banner handles pretty much everything you can imagine, with the exception of delivering instruction in the form of a learning management system. Banner offers administrative functions such as finance, purchasing, payroll, and human resources, but it also offers everything an institution would need with regard to students, such as student recruiting, enrollment management, transcript management, class schedule management, degree/program management, financial aid, student billing, and graduation.
This matters for cybersecurity because in July 2019 the U.S. Department of Education reported that hackers had breached at least 62 college and university networks by exploiting a vulnerability in the Web Tailor module of the Ellucian Banner ERP. Colleges and universities use the module to customize their web applications. The vulnerability affects the authentication process the ERP uses to manage user accounts. The institutions affected by the data breach reported that the hackers had created fake accounts within the system. The greatest concern for cybersecurity experts was that the hackers could use the vulnerability to gain access to students’ financial aid information.
This is significant because institutions of higher education (IHEs) are subject to various federal regulations that require them to ensure the privacy, security, and confidentiality of personally identifiable information (PII) and/or information security in general. These regulations include, but are not limited to, the following:
- Family Educational Rights and Privacy Act (FERPA): Prevents institutions from disclosing education records or student PII without written consent;
- Federal Information Security Modernization Act of 2014 (FISMA 2014): Requires Federal data to be secure;
- Gramm-Leach-Bliley Act (GLBA): Requires “financial institutions,” including colleges and universities, to ensure the security and confidentiality of customer PII;
- Health Insurance Portability and Accountability Act (HIPAA): Requires institutions to protect health records and other identifiable health information via privacy safeguards and by limiting use and disclosures without authorization;
- Higher Education Act (HEA): Requires IHEs with Title IV programs to have policies, safeguards, monitoring, and management practices related to information security; and
- Student Aid Internet Gateway (SAIG) Enrollment Agreement: Requires IHEs with Title IV programs to ensure that all Federal Student Aid applicant information is protected.
Beyond these federal regulations, each state has its own regulations that colleges and universities must consider when trying to secure their student information and networks. These regulations, both federal and state, must be taken into account when creating cybersecurity plans, policies, and procedures for use by employees, students, and visitors.