Universities across North America are doing the happy dance when it comes to alumni donations. With 2013 being dubbed the “big gift revival,” there is little wonder why. Research shows college donations have come roaring back, with donors in North America giving about $34 billion to colleges in the past year. And just as sure as universities are aware of the upswing, there is no doubt that cyber-thieves are as well.
At this week’s Educause 2014 Annual Conference, Paul Jeffreys, the Director of IT Risk Management for the University of Oxford, gave a great presentation on steps needed to make universities cyber secure. Because while retail breaches are the big ones making the news, there is no shortage of cybertheft in the educational realm. The Privacy Rights Clearinghouse (PRC) conducted research on how technology affects individual privacy and discovered that from 2005-2014, there have been 727 breaches involving educational institutions – 73% of those occurred in colleges and universities, equaling 4 million breached records at a rate of just over one per week.
Losses due to a breach affect more than dollar figures – they destroy student, parent and donor confidence. Colleges and universities survive on reputation, and damages that are caused by a breach could result in a loss of alumni donations and a reduction in the number of students choosing to apply or attend the school – bringing the roar of donations to a whimper for colleges and universities.
According to Ponemon Institute’s ninth annual Cost of Data Breach Study: Global Study, the education industry has the second highest per capita data breach cost of all industries, with healthcare being drastically higher. The study finds that the average per-person cost of education-based data breaches is $294, and the overall mean per US industry is $201. So how much does each data breach on average cost the affected institution? A whopping $5.8 million is the current average cost per data breach in the US.
So we have to wonder: does anyone really believe that this rate of breaches will taper off (in any industry)? Take the University of Maryland, a victim of one of the many reported breaches, which left personal information at risk and affected over 309,000 individuals who were issued school IDs since 1998. After the University of Maryland’s breach, the U.S. Secret Service stepped in to investigate the university’s computing and information systems. The University is offering its students free memberships to credit card monitoring services, holding seminars to educate its staff on protecting their identity, doubling its IT security staff and vowing to make additional investments to secure systems at the school.
All of these efforts are necessary – but wouldn’t protecting the personal information to begin with be a lot easier than cleaning up after the fact? When it comes to credit card data – whether it’s a tuition payment or an alumni donation – universities should do the following:
- Meet PCI DSS standards for payment acceptance – The payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) have mandated that all businesses that store, transmit or process cardholder information must maintain compliance with
- Secure the point where electronic payments are entered – This means point-to-point encryption (P2PE) of data when the card is swiped or the numbers are entered into a keypad over the phone. Online, it means authenticating the card-not-present transaction and protecting that data in transit.
- Tokenize all credit and debit card transactions – Mask the card number to protect the cardholder. Tokenization is imperative for any transaction that will take place on a recurring basis. This could be a yearly alumni donation or it could be a quarterly tuition payment charged to a card on file.
We’re looking forward to the rest of today and tomorrow’s Educause Annual Conference. Because as Paul Jeffreys pointed out, it’s about protecting the whole educational organization against cyber-attacks, and that definitely includes payments and donations.