By Owen Daugherty, NASFAA Staff Reporter
With everything that has happened since the pandemic upended typical operations on college campuses, it would be understandable if a focus on cybersecurity measures was not at the top of the priority list for financial aid offices.
But in reality, financial aid offices are on the front lines of protecting valuable information of both institutions and students, and a majority are woefully unprepared to combat cyberattacks and lack the tools necessary to keep students’ information safe and secure, according to Jeff Arthur, vice president of regulatory affairs and the chief information officer at East Coast Polytechnic Institute (ECPI).
“This is the year of cybersecurity chaos,” Arthur said, noting how the transition to remote instruction makes institutions more susceptible to cybersecurity attacks. “We're amazed at how vulnerable many colleges are.”
Arthur’s institution focuses on providing undergraduate computer science degrees and teaching cybersecurity professionals. But after ECPI fell victim to an attack, he made it part of his mission to sound the alarm and help raise awareness among financial aid offices.
If schools don’t address the shortfalls sooner rather than later, it will be too late to act after being hit by a cyberattack, Arthur said. There are numerous headlines and examples of institutions being crippled by cyberattacks and held virtually hostage until they pay a ransom to hackers.
Many institutions lack proper data backup procedures and other cybersecurity best practices, Arthur elaborated. Ransomware and malware attacks are on the rise, as opportunities for bad actors increase with financial aid offices operating remotely or in a hybrid capacity.
To be prepared for cyberattacks, two basic concepts can be implemented to secure data and information. Creating an air-gapped backup is one of the most important steps financial aid offices can take, and it's not as intimidating as it sounds, Arthur said. An air-gapped backup essentially means keeping a copy of your data offline where it cannot be accessed remotely, since a system that is not connected to the internet can’t be hacked remotely by a bad actor.
“The absolute best defense you could have to an attack is to have proper backups,” Arthur said.
The other key to being prepared is to implement artificial intelligence (AI) cyberthreat detection. Again, that may sound like something well outside the purview of a financial aid office and too high-tech, but as the sophistication of attacks has grown, so too must cybersecurity defenses.
The AI defense acts as a first layer of protection by automatically identifying and flagging any unknown file or system, even sifting through emails to detect any suspicious activity.
While the Department of Education (ED) is not going to tell financial aid offices explicitly what to do or what resources and tools to use in order to be prepared, Arthur said, the department and Federal Student Aid (FSA) have made cybersecurity awareness more of a focus in recent years by providing some guidance.
Dan Commons, FSA’s chief information security officer and director of the Enterprise Security Group, discussed the challenges financial aid offices face during a session last week at FSA’s training conference that focused on cybersecurity.
Commons spoke to the exponential rise in cyberattacks and threats, and predicted that the coronavirus will fuel an increase this year, particularly at public colleges and universities that may be more vulnerable.
He also pointed to FSA’s recently published draft strategic plan that outlined two key focus areas for the office moving forward: helping institutions through outreach and communication to improve their data and cybersecurity practices, and strengthening data protection and cybersecurity safeguards already in place.
“It’s very unusual to have cybersecurity up front like this and major initiatives for organizations like this,” Commons said.
Because schools protect sensitive data, they will be at the forefront of this effort, Commons said, noting FSA is concerned “with how you protect the privacy data, what kind of cybersecurity controls you have around your environment.”
“We’re going to communicate with you as much as possible,” he added.
Commons outlined how the threats are evolving and are no longer just hackers trying to break into an institution’s system. Nowadays, institutions need to be on the lookout for ransomware, phishing email campaigns, and the threats associated with distance learning and more remote, mobile technology — even through smartphones.
“As technology has evolved, the cyberthreat has increased exponentially higher and faster,” he said.
Commons walked through what FSA’s process is when an institution reports a data breach, and informed attendees how to report a breach so FSA can offer support.
The new focus from ED and FSA is welcome, Arthur said, but, underscoring Commons’ message, he added that it will still come down to the practices institutions put in place to protect themselves.
Arthur said he’s been encouraging institutions to use the money they received from the institutional portion of the Higher Education Emergency Relief Fund (HEERF) to help bolster cybersecurity since it can be tallied as helping the school transition to remote learning, one of the allowable uses of the funds.
Ultimately, while a financial aid director may believe cybersecurity is mainly the responsibility of their school’s IT department, Arthur said the financial aid profession can help facilitate dialogue and raise awareness about the importance of this issue.
“The financial aid director is the champion for their institution’s compliance with Title IV regulations,” he said. “As a financial aid director, I think you want to make sure that your IT department in your university is doing what it should to protect eligibility for Title IV because you're the one that best understands how the compliance processes work.”
For schools worried about the price tag of getting up to speed with cybersecurity best practices, Arthur said any upfront investment will pay off in the long run and likely be far cheaper than paying to retrieve data once it’s already been compromised.
“If you're a [college or university] president, and you understand the threat and the risk, it's an insurance policy that you can't afford not to have,” he said. “It really is a risk to not have it.”
Publication Date: 12/8/2020