Failure to have strong cybersecurity protocols at your college can have serious financial ramifications. Cybersecurity attacks can cause serious disruption to your operations, and there are also accreditation-relevant federal regulations, which speak to the need for cybersecurity.
Institutions are required by their accreditors to:
- Have processes in place through which they establish that a student who registers in any course offered via distance education is the same student who academically engages in the course or program.
- Make clear in writing that they use processes that protect student privacy.
Accreditors are required to do this by the federal government. But the government no longer provides explicit examples of ways to verify identity, such as using a secure login and passcode. The examples provided previously were removed in order to prompt institutions to engage with their accreditors to determine what is appropriate, but it does not require institutions to adopt any specific technology or technologies.
Beware of any vendors telling you that federal rules require you to buy their product or that their product alone will keep you in compliance. Also, keep in mind that although this rule specifies “distance education,” the preferred response for any institution would be to address student identity verification for all modalities of instruction, both for consistency and to avoid the hypocritical and unfounded sense that everything is perfect in on-campus classes.
This article is part of a biweekly series provided by the Instructional Technology Council, an affiliated council of the American Association of Community Colleges.
You should look at identity verification from a holistic standpoint. It is not solely the purview of distance education, IT, the registrar, academics or financial aid — they all have to work together.
Also, remember another provision of this regulation is that your accreditor must require you to “use processes that protect student privacy.” This implies that you not only know who your students are and what they’re doing, but you also need to know the identity and digital whereabouts of everyone with access to student information, which could include any college employee. All of this leads to a deep and abiding need for cybersecurity.
User authentication issues
Single sign-on (SSO) isn’t necessarily a requirement, but it will help to manage and protect your institution’s end users. Instead of users having a different username and password for different systems, SSO enables your institution to issue one username and password to each student and employee. Doing so makes life easier for everyone because end users are not managing several different passwords, and it enables the institution to more effectively manage security policies. SSO also makes multi-factor authentication (MFA) much easier to use.
MFA may be required for payment card industry (PCI) compliance if your institution directly accepts credit cards and or maintains credit card history. MFA is most likely required by your insurer if you carry cyber liability insurance (and you should). MFA requires a user to log in using a combination of at least two or more of the following: something they have, something they know or something they are. For example, a password (something we know) and a secondary security code sent to a cell phone (something we have) or a password (something we know) and a fingerprint (something we are). MFA can be inconvenient but acts like a safety net — when a user’s password is compromised, the second factor stops the perpetrator from logging in.
Malware
Even with SSO and MFA keeping out unwanted visitors, there is still the possibility that a reputable user with legitimate access to your systems could do something they shouldn’t, like clicking on a link or transferring a file that allows malware into your institution’s IT infrastructure. Malware (“malicious software”) could be any program that is intended to cause disruption to a computer system or network, or that leaks private information or permits unauthorized access to information or systems.
We combat malicious software via end-user training and security software or hardware. The best protection is a combination of all three. Informing users of what to do and what not to do to protect your institution from malware is critical because even the best anti-malware software and firewall systems are not foolproof in the face of poorly trained users. Some reputable vendors sell cybersecurity training packages, or you can work with your IT department and computer science faculty to build very good in-house training.
Good intentions are the scariest
As a new interim CIO, my biggest fear isn’t hackers gaining unauthorized access or cleverly written malware code leaking personably identifiable information to identity thieves overseas. Instead, what keeps me up at night are my diligent and well-meaning colleagues making a simple and seemingly innocuous mistake. We use MFA, robust firewalls, anti-virus and endpoint protection software, and even require cybersecurity training for all employees. We can stop most hackers and seriously hinder the rest – at least enough to make them look for easier pickings!
But we can’t stop people from doing their jobs or taking their classes. So, what happens when an employee, in the course of business, decides to download student data to a removable drive and then loses that drive? What happens when a student logs into an online course from a publicly accessible computer and walks away without logging out? What happens when an employee shares student information with his or her team through unsecure channels? What happens when someone prints out a page with confidential information and leave it lying on their desk while they step away for “just a moment?” Well, hopefully, nothing happens. Luckily, that’s the most likely scenario in each of those cases. But something bad could happen, and that’s scary!
The only solution in each of these cases is user training. The rule of thumb I share is “treat it like cash.” If you wouldn’t leave a $100 bill lying on your desk while you step away, don’t leave that printout there either. The same with the removable drive or a logged-in computer. And if you wouldn’t email your credit card number to a colleague, or upload it to a drive or drop box service, don’t do that with a social security number either. If you wouldn’t send a stack of $20 through interoffice mail, don’t drop student information in the interoffice mail either, and so on. This may seem extreme, but better safe than sorry.
