Colleges and universities spend thousands of dollars to protect the personal information they have in their computer networks, and officials say guarding against hacking and intrusion requires constant vigilance.
Even with those efforts, the cost of a serious security breach can exceed what the schools pay for IT security staff and network upgrades.
Kirkwood Community College will pay $400,000 to $500,000 in the wake of an incident in March where hackers gained access to eight years of archived application information that may have included names, birth dates, contact information and Social Security numbers for more than 125,000 people.
That cost estimate includes fees to the security firm Kirkwood hired after the breach and also the credit monitoring services the school will provide for one year to affected individuals.
Kirkwood and Kroll Security fielded more than 3,000 calls in the week or so following the incident, and more than 9,000 of the affected individuals have signed up for the credit monitoring, said Vice President for Student Services Kristie Fisher.
Kirkwood officials felt they had good data security before the hacking, but discussion about changes and upgrades began “the night the attacks happened,” Fisher said.
“We really started picking the brain of the FBI and the security firm we hired, in terms of additional and different security we could have in place,” she said. “We’ll probably change how we look at cyber security, having been a victim, but it’s something we’ve always put a lot of time and attention into. I think the reality is no one is safe from an attack like this.”
Kirkwood has automated protection systems in place, but Fisher said an automated system would not have caught the way this hacker gained entry. A Kirkwood IT staff member who monitors security noticed the suspicious activity and shut down the site that was accessed, Fisher said. The FBI is still investigating, she said.
Kirkwood once had to notify a smaller number of individuals after a portable storage device containing confidential information was stolen, but this was the first time the school had a data breach from a hacking incident, Fisher said.
Such large breaches are rare, according to information technology officials at Iowa universities. It’s been several years since a data breach notification letter has been required for them, officials at the University of Iowa, Iowa State University and the University of Northern Iowa said, and most often a breach involves smaller numbers, such as from equipment theft.
Schools over the past several decades have moved toward less use of Social Security numbers, except where they are required for things like payroll for employees and financial aid for students. In cases when a Social Security number is still necessary, that information is stored in campus data centers that have the highest level of protection, and the number of people with access is limited, officials said.
“You don’t find them stored except deep in the most protected places where you absolutely need a Social Security number,” said Jim Davis, ISU’s chief information officer. “One way to reduce your threat footprint is to not have that information in as many places.”
Many schools also have rules that personal information stored on laptops and mobile devices must be encrypted, in case of loss or theft.
“Defense in depth” is a common security strategy that means the institution uses many layers of protection in the hopes that if one fails, another will back it up, officials said.
“Attacks are certainly more sophisticated now,” she said of hacking attempts, which often are automated at first and then followed up by a person if weaknesses are found.
As technology improves for colleges and universities to defend against attacks, it also improves for the hackers, said Ken Connelly, associate director of security and systems for UNI’s ITS Network Services. That makes it a constant dance of improving firewalls and systems, and trying to predict how a hacker will attempt to gain access, he said.
“The attempts are there all the time,” he said.
The university networks also are much larger than they used to be, and faculty and staff travel the globe with mobile devices, said Davis. Iowa State brings in a company each year for penetration testing on select networks and systems, he said.
“You use a lot of different ways to protect your data because you don’t know ahead of time what the attacks will look like,” he said.