Fostering a data security culture

In today’s digital economy, universities need to share a common commitment to data security in order to keep the personal data they hold safe

Data and the student experience

With 2.3 million students, the UK higher education sector processes millions of personal data records every day as part of the normal business operations that support those students.

Before a student has even arrived on campus, the data they have provided is used to set up their learning environment: provisioning essential IT services, identification and authentication, and collecting payments are just a few of the many tasks that take place in preparation for their first day of study. Data is an essential resource that underpins the university’s ability to deliver its student experience.

As the year progresses, data is collected, updated, managed and processed, and a high proportion of it is a student’s personal data in one form or another.

Personal data has value

Personal data that the student has entrusted to the university has immense value if it gets into the wrong hands.

‘Fullz’ is the fraudsters’ term for a complete package of a victim’s personal and financial information: name, home address, date of birth, credit card and bank details, and so forth. The more information held on the victim, the higher the return when the data is resold or eventually used in a targeted fraud. All of this information, and more, has been supplied by the student to the university.

TalkTalk, Equifax and TicketMaster are examples of high-profile data breaches in which large amounts of personal data were compromised, some of which was subsequently used fraudulently.

Data breaches are not confined to computer systems: a bag of unsecured confidential waste that goes missing, or a printed student record complete with payment data that is misplaced, is a breach too.

Stolen personal data is an exploitable commodity and fraudsters need a constant supply of data to ply their trade.

Data security is driven by people

Training, education and awareness are key to implementing a data security culture, but for that culture to embed itself successfully, those being trained need to accept that data security is not something people ‘do’; it is a way of working for the whole organisation, with everyone having a part to play regardless of their role.

The “people” factor is often ignored, yet it is critical to maintaining the secure environments needed for processing personal data in both its physical and digital forms. IBM’s 2014 Cyber Security Intelligence Index identified human error as a contributing factor in over 95% of the security incidents it investigated. While not all of those incidents resulted in data loss, the vast majority of them were, in hindsight, preventable.

Convenience should never compromise security. Yet when staff are under pressure to deliver to a deadline, data security is often treated as the area that can be compromised; in reality, circumventing it puts both the university and the student at significant risk.

Data security should be a top priority for senior management. In today’s digital economy, all senior managers need to share the same commitment to data security in order to keep the personal data in their care safe.

Fostering a data security culture

Embedding a data security culture needs a strategic vision coupled with an achievable starting point. Identifying the areas where the largest volumes of personal data are processed (and could be lost) provides that starting point.

Presenting data security as a skill that individual staff members can apply in both their personal and professional lives reinforces the message that data security is a way of living, followed at all times.

The Payment Card Industry Data Security Standard (PCI DSS) specifically mandates (in Requirement 12.6) a formal security awareness programme for staff, with personnel required to confirm that they have understood the training and the importance of protecting the data being processed. While PCI DSS is focused on card data, the principles of the standard can be applied to all types of personal data and provide a ready-made approach to implementation.

The data security culture within the organisation should be based on the principle that data security is an integral part of every business process and is essential in ensuring that a student’s personal data is safe while it is in the custody of the university.

PCI DSS Special Interest Group (SIG)

Formed in 2011, the PCI DSS Special Interest Group is a focused membership organisation made up of HE/FE professionals working within the sector. The SIG supports its members with a wide range of services, including training, events, resources and expertise, as they work towards PCI DSS compliance. The PCI DSS SIG is the sector expert on payment card data security.

For more, visit: pcidsssig.org.uk