Why Automated Sensitive Data Catalog
A common misconception is that IT teams can manually compile a list of sensitive data
Security concerns presented by online learning during the COVID-19 times
The past few months have kept the education sector on its toes. More than 15 districts comprising over 280 educational institutions in the U.S were hit by ransomware attacks between Jan and April 2020. This number has more than doubled since the same period last year. While the sector has always been a prime target for data-centric threats, the pandemic has given the data thieves a longer leash, with virtual learning becoming the new norm for students.
The Gadsden Independent School District in New Mexico was faced with a second cyberattack in seven months when ‘Ryuk’, ransomware locked out its systems. The attack forced the school district to shut down its internet and communication channels. The district denied the hacker's request to pay up the ransom to retrieve the stolen data, and the cleanup and repair process took 4-5 days.
Incidents like the above call for efficient data security systems in the education sector. Data security systems can help identify critical data that lie in abundance in the industry and secure them.
Read more on why data security should be a priority for the education sector.
Why is the education sector a prime target during the pandemic?
Below are a few reasons why the pandemic has turned into the perfect breeding ground for data thieves:
- Data thieves and cybercriminals are operating in the ongoing pandemic era, armed with the knowledge that schools and colleges have to rely on virtual learning as part of the new norm. If their data is breached or stolen, the institute would most likely be pressured into paying up a ransom to retrieve access.
- The IT divisions in the educational institutions are heavily tasked with facilitating virtual learning measures for the students and faculty, giving them very little time to monitor networks for breaches and attacks.
- Students and teachers connect through a plethora of personal and on-prem devices while engaging with each other during virtual sessions. This widens the attack area for opportunistic data thieves.
- The education sector has seldom invested heavily in data security measures, which makes them an obvious target for cyber attacks.
Impact of data-centric attacks on the education sector:
The impact of cyber attacks varies depending on the following factors:
- the kind of attack that is launched on the institutions.
- the degree of damage that the attack poses. Houston County Schools took almost two weeks to get back in session after a malware attack shut down the school’s systems and phone lines.
- the institution’s data back up system and the volume of data that it carries.
The education sector functions on outdated technology infrastructure and legacy systems. These are comparatively easy to hack. In such cases, the recovery time extends further, given the high degree of damage due to the attack. The institutions must also factor in the security set up that must be installed to prevent similar attacks in the future.
Effective ways to manage data-centric threats:
- Train both the faculty and the students to identify phishing emails that may potentially compromise their systems. Phishing emails often contain the words “immediate”, “urgent”, etc. in their subject lines to evoke a sense of importance and urgency. Poorly constructed phrases in the emails are also typical of such attacks.
- Do not open/click on unsolicited emails and links.
- Do not share your financial or personal information over emails.
- Hackers are taking advantage of the ongoing pandemic to send out emails that claim to contain information on COVID-19. Trust legitimate government websites alone when you need to gather such information.
- Update your systems and software and do not download unauthorized and random software.
- Compliance with data privacy laws and regulations can also be an effective way to manage data-centric threats.
How can Kogni help manage data-centric threats in the education sector?
Kogni can help the sector comply with a range of legal regulations that protect the privacy and security of the students and faculty’s private information, such as FERPA, COPPA, HIPAA, GDPR, CCPA, etc.
FERPA:
The Family Educational Rights and Privacy Act (FERPA) is one of the many laws that protect the privacy of student education records and ensure the privacy and security of sensitive information. FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
A few key clauses under FERPA are:
-Parents or eligible students have the right to inspect and review the student's education records maintained by the school.
Kogni, an acclaimed data security solution, can help the institution comply with this clause. Anytime a parent or student requests to access their records, institutions leveraging Kogni’s powerful data discovery feature can pull up the records instantly from all available data sources.
-Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading.
When a parent or a student above the age of 18 places a request to rectify their records, educational institutions leveraging Kogni’s data discovery capabilities can instantly pinpoint the records to allow its correction. Kogni thoroughly scans your data landscape to pinpoint the data to enable compliance with this clause.
Apart from the aforementioned key clauses, Kogni’s data security solution enables your compliance with many other clauses under FERPA.
COPPA:
The Children’s Online Privacy Protection Act (COPPA) dictates how operators of websites and online services must protect the personal information of children under the age of 13 and puts the parents in the driver’s seat.
Below are a few key clauses under COPPA and how Kogni can help your institution comply with them:
-Organizations must give parents a way to review the personal information collected from their child
When a parent requests to access their child’s personal information, institutions that have Kogni by their side, can pull up the data instantly from all available data sources.
-Organizations must give parents a way to revoke their consent and refuse further use or collection of personal information from their child
You can access all data belonging to a particular student with a few clicks when using Kogni’s efficient data discovery feature. The requested data gets pulled up in an instant on your screen which helps you process the parent’s request.
-Organizations must give parents a way to delete their child’s personal information
When a parent initiates their right to deletion, educational institutions can use Kogni’s effective data discovery solution to instantly collect their data from all available sources and comply with this clause.
Educational institutions must also comply with the Health Insurance Portability and Accountability Act (HIPAA). A HIPAA audit assesses your institution’s ability to protect the PHI/ePHI (Protected Health Information/electronically Protected Health Information) against its compromise.
Since educational institutes handle a variety of student/faculty/parent health data, it is a must that they comply with HIPAA to avoid violation and therefore huge penalties that come along with it. Kogni discovers, secures, and monitors your PHI/ePHI regardless of its location in your data landscape and can help accelerate HIPAA compliance.
Below are the key HIPAA requirements that Kogni can address to achieve compliance-
- Access Control- A covered entity must execute technical policies that limit access to ePHI to authorized personnel.
Kogni discovers all your HIPAA-related sensitive data regardless of their location. It then classifies the data under preset groups created by Kogni or custom groups created to suit your institution’s unique needs. It makes identifying the data location simple at any given point of time by adding tags to your data and mapping it across users, folders, and permission. May your PHI/ePHI be in a database, filesystem, No-SQL, Big Data, or anywhere across your institution’s data landscape, Kogni helps you locate it in no time. Kogni also supports data in various formats like structured, semi-structured, and unstructured.
Kogni monitors both data at rest and real-time data no matter where they reside and offers unified single-pane visibility to your data. It is also uniquely positioned to identify and report on your critical data that reside in Saas (Slack, Jira, Salesforce) and other hosted services.
- Audit Controls- Under HIPAA, a covered entity must deploy hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
Kogni monitors various enterprise channels such as files, folders, emails, etc. This allows entities visibility into how authorized business units interact with their HIPAA database. Our enterprise data security tool continuously monitors for deviations based on risk patterns and alerts your institution to prevent data misuse from turning into a full-blown data breach.
- Integrity Controls- To validate HIPAA compliance, a covered entity must have in place the required policies to ensure its ePHI is not improperly handled or destroyed.
Kogni helps your institution architect a robust analytics process. It tracks your HIPAA-related data’s activities like location, state, alterations it goes across your entity’s data landscape, its interaction and activities when in your cloud environments, etc. It then logs the potential threats attached to your PHI/ePHI and notifies by sending out appropriate alerts.
Kogni also offers other expert capabilities to accelerate your HIPAA compliance-
- Kogni alerts users
-when an authorized user accesses your ePHI from a different geographic location
-when they interact with a never-before-accessed HIPAA-related information
-when they log in from a system that does not have the required client-based certification or when in an unsafe network zone
- Kogni offers high precision data analytics with a number of data points to ensure the accuracy and actionability of the information.
- Kogni is built on advanced machine learning capabilities and other data mining and heuristics analytics techniques that bring down false positives to negligible numbers.
GDPR:
European parliament’s efforts to protect its citizens’ data, gave birth to the much-awaited General Data Protection Regulation (GDPR). The law applies to each member state under the European Union and aims to create a data protection strategy that covers both consumers (parents and students in this case) and their personal data.
Kogni, the data-centric software’s GDPR-compliant features enable institutions to discover sensitive data in their data sources, secure data as it is ingested and continuously monitor data sources for possible breach and policy violations. Kogni, with its automated sensitive data discovery, is uniquely positioned to help institutions adhere to GDPR within an accelerated time frame. Its data loss prevention mechanism for GDPR helps institutions secure their sensitive data.
CCPA:
The California Consumer Privacy Act (CCPA) is a much-needed law that favors customers’ right to data privacy. The law gives customers (students and their parents, in this scenario) rights concerning the collection and usage of their personal information.
CCPA applies to any organization, all over the globe, that collects and uses the data of California inhabitants.
Institutions must take a comprehensive approach to CCPA compliance by implementing an all-inclusive enterprise data security tool, such as Kogni. Kogni can help them track the location and purpose of their customers’ personal information. It helps customers exert their rights to information, portability, erasure, etc., They can also manage opt-outs when they no longer consent to the sale of their personal information.
Our expert Data Security Software, Kogni, is FERPA-, COPPA-, HIPAA-, GDPR-, and CCPA- ready out of the box. Explore Kogni’s 24/7/365 expert sensitive data discovery, security, and monitoring capabilities for free for 90 days.