In tomorrow’s college classroom, data security training will sit front and center.
Technology is reinventing education, and schools are producing unprecedented amounts of data to teach and manage their students, staff, and faculty. Technology is already helping schools control costs, improve student retention, and personalize learning.
We can expect these trends to continue, especially as flipped classrooms and blended and online learning continue their rapid spread. Over 70% of academic leaders reported that online learning is critical to their institution’s long-term strategy, according to the Babson Survey Research Group. And though the hype around MOOCs (massive open online courses) has faded, they’re more popular than ever.
These technologies are reshaping the learning and teaching process. But they also make colleges and universities attractive targets for hackers and make data breaches a bigger danger than ever.
Colleges and universities are in an unusual position when it comes to data security. Not only are they regulated by laws like FERPA (Family Educational Rights and Privacy Act), but they must also find a way to balance their commitment to academic freedom with the need to protect their data.
As David J. Shaw, the chief information security officer at Purdue University, told The New York Times, “A university environment is very different from a corporation or a government agency, because of the kind of openness and free flow of information you’re trying to promote.”
(Learn about higher education’s unique data security challenges in our data security white paper.)
Higher education leaders are certainly aware of the data security challenges they face. The Center for Digital Education recently surveyed higher education leaders about data security:
- 72% think data breaches are one of their greatest concerns
- 73% say cybersecurity is a high or very high priority among their other technology priorities
- 70% expect spam and phishing to be a major threat in the next 12 months
Thinking about the growing role of technology (and data) in the classroom, here are three data security issues in higher education we expect to trend in 2016.
1.) More Data Will Mean More Problems
With new technologies come new concerns — especially around privacy and data security. Many emerging technologies rely on big data — so much data that Kathleen Styles, the Education Department’s chief privacy officer, recently called colleges and universities, “Data Factories.”
As Styles explains in a blog post on privacy and new uses of data, “The combination of new technologies and new uses of data create today’s cutting-edge privacy issues, including ‘Big Data,’ matching with wage data, data sharing in general, the use of analytics, cloud computing, MOOCs, and school use of web engagement tools.”
Higher education institutions create and consume a particularly broad range of information from educational, employment, and medical records to intellectual property, research data, and sensitive financial information.
Besides the privacy issues, all these data make colleges and universities attractive targets to hackers, hacktivists, and even state-sponsored cyberespionage.
The Ponemon Institute, which conducts independent research on data security, estimates that cybercrime costs the education industry an average of $3.89 million annually. Between 2010 and 2015, a total of 314 data breaches occurred at US educational institutions, exposing 7,852,750 records. In 2014 the education industry experienced 10% of total data breaches in the US, according to Symantec.
Privacy concerns around data collection forced one educational technology company to shut its doors in 2014, and in 2015 we saw a major university allegedly targeted by nation-state hackers for its research. We can expect more stories like these in 2016.
2.) BYOD Will Become Bring Your Own Everything
To promote the free flow of information, college and university networks often must accommodate numerous private devices — think of all the new students arriving each year with their smart phones, laptops, tablets, etc.
A survey conducted by Bradford Networks found that 85% of educational institutions have some form of BYOD policy (bring your own device). And these aren’t just for personal use: 52% of respondents said devices are integrated into the classroom experience.
Over 75% of surveyed institutions allowed faculty to use personal devices to access the school network, 72% allowed students, and 57.5% allowed all other staff and contractors to do the same.
The use of personal devices is so ubiquitous on campuses that one expert has suggested a new acronym: BYOE or Bring Your Own Everything.
And it looks like the current flood of devices is only priming the pump.
In its 2015 Horizon Report, The New Media Consortium (NMC), in collaboration with EDUCASE Learning Initiative, predicts schools will encourage more students to bring their own mobile devices into the classroom.
That’s just the near term! NMC expects wearable technologies to be classroom staples within the next two to three years and the internet of things to arrive in classrooms in the next four to five years.
Each device presents a potential security risk to an institution, a way for data to leak out or an avenue for malware to sneak in. Unsurprisingly, colleges and universities’ security performance drops during the academic school year with the influx of new students and their new devices.
It will be interesting to see how schools balance their desire to promote learning and the exchange of information with the need to secure their networks. One thing is certain: BYOE will be a challenge in 2016.
3.) IT Will Be Treated as a Behavioral Science
Most higher education leaders are confident in their security measures. What they report as their number one pain point is user adherence to policies.
In other words, users — not the technology — are the issue.
This situation isn’t unique to higher education. As we are fond of quoting, according to Marc Van Zadelhoff, the VP of IBM Security, 95% of data breaches or cyberattacks involve “mistakes by those with access to a company’s systems.”
But higher education’s unique balancing act of access and security can make technological solutions to data security particularly difficult to implement, forcing institutions to rely even more heavily on the good sense and cyber-hygiene habits of their employees and students.
Fortunately, schools can address employee habits and practices through training. These kinds of solutions may actually be well adapted to the higher education environment, since they can promote users’ sense of responsibility and autonomy. Online data security training, for instance, can help schools teach employees best practices while still respecting the free flow of information.
The human element in data security gained some prominence this year when Cisco released a new security manifesto. One of the manifesto’s core principles is that “security must be viewed as a ‘people problem’.”
The manifesto explains, “A technology-centric approach to security does not improve security; in fact, it exacerbates it. Technologies are merely tools that can enhance the ability of people to secure their environment. Security teams need to educate users…People, processes, and technology, together, must for the defense against today’s threats.” (See our post on CTOs and data security training for more.)
Or as Werner Boeing, the CIO of Roche Diagnostics, puts it, “People believe that IT is about technology, but it’s really a behavioral science — understanding the behaviors of your company’s staff, leaders, and customers — and facilitating the adoption of a new vision.”
In 2016, expect to see more discussion of data security as a people problem and the role of cybersecurity training as an essential complement to technological solutions.
Liked this? Read this:
- Our data security white paper for higher education
- 5 reasons data security training should matter
- Data security training as an HR Initiative.