Cybersecurity Due Diligence When Purchasing a Career College, FERPA & GLBA Compliance

It’s more than just antivirus updates and OS patches! It is about FERPA & GLBA compliance as well.

Schools, colleges, and universities are perhaps the last places one might think would interest the “cybercriminals.” After all, what could they potentially hope to gain from an attack on a soft target like an educational institution? Well, that is specifically why there is a sudden spike in cyberattacks on such institutions (see sidebar) – because they are SOFT TARGETS!

When purchasing a career college or when making a decision to merge with another educational institution, college and university administrators must exercise additional due diligence on the cybersecurity aspects of the transaction. Failure to do so could lead to severe consequences.

Cybersecurity Due Diligence Imperatives for Educational M&A

When purchasing a career college, the most obvious items on an IT checklist are likely to be:

  • Does the acquired college have updated antivirus on all servers, desktops and connected devices?

  • Are patches and upgrades up to date on all assets?

While this is an excellent starting point, it doesn’t begin to address the potential cybersecurity vulnerabilities and liabilities that could be lurking underneath. For instance:

  • What data security plans does the target institution have in place?

  • Is there an explicit understanding among staff of what constitutes personal data, and of how sensitive data should be handled, stored and protected online?

  • How is online data safeguarded – Encryption? Multi-factor authentication?

See our webinar: “Introducing Diamond MSS” to learn more about Career College Cyber Security

Unless these, and a whole array of other, cybersecurity due diligence initiatives are addressed before the purchase or merger, the chances are that the acquiring entity is setting itself up for potential trouble (legal, compliance, regulatory…and financial) down the line. Purchasing a career college without conducting a proper cyber risk assessment could leave you vulnerable to the consequences of cybersecurity vulnerabilities – sometimes long after the transaction has been consummated.

Cybercriminals Utilize Complacency

In today’s hectic and highly competitive educational setting, the need for performing cybersecurity due diligence when purchasing a career college is even more prominent. Even with FERPA & GLBA compliance protecting the privacy of student education records, schools are still under attack. That’s because crucial faculty and leading members of the administration team are often focused on other priorities, including:

  • Teaching classes or coaching students

  • Grading exams and tests

  • Taking part in after-class and extracurricular activities

  • Conducting research and investigations related to their specializations

  • Lobbying for funding and grants

  • Developing curriculum for upcoming semesters and terms

Cybersecurity Headlines You’d Like to Avoid

University of Hawaii – Sept 25, 2017: Personal information of up to 2,400 faculty, staff, students, and student applicants exposed as a result of spear phishing

Maricopa Community Colleges – Dec 13, 2013: Personal information of nearly 2.5 million students, former students, vendors and employees may have been exposed to a security threat. Cost: Upwards of $26M

Harvard University – June 19, 2015: Data breach discovered that is suspected to have impacted eight associated schools, colleges and administrative entities at the university

Cybersecurity Nightmare

  • One of our clients recently experienced a cyber nightmare while integrating their IT systems with a third-party vendor. The fallout from such incidents can be tremendous:

    • they will inevitably suffer brand damage

    • they will need to contact all their students to make them aware of the breach

    • there will likely be a lengthy “post incident review” required, to ensure that the root causes of the data breach are fully exposed, and addressed

    • undoubtedly, increased scrutiny and additional mandatory compliance measures (at least for the foreseeable future) by Ed will follow, and

    • they will probably suffer legal consequences – from Ed and perhaps through civil proceedings from impacted students (or their parents/guardians)

With the Diamond Managed Security Services (DMSS) Approach such vulnerabilities are proactively reviewed and dealt with before they become nightmares!

Institutions of higher learning also lack the IT funding and resources needed to establish and maintain ongoing in-house cybersecurity expertise. It is just too costly!

As a result, while there is no intentional lapse, there indeed is complacency in recognizing the colleges’ cybersecurity shortcomings. Regularly having an outside third party conduct a cybersecurity threat assessment would be the easiest way to address this situation.

In the absence of such measures, cybercriminals exploit the unintentional complacency that creates opportunities for them. Additionally, when an institution is acquired without a cybersecurity due diligence audit, cybercriminals often gain access to an even larger pool of personal and private data.

What Do Cybercriminals Look For?

Depending on where their interests lie, cybercriminals come in all shapes and sizes. So, when you are purchasing a career college, you don’t know what information assets you might be inheriting, what the “Hackers & Script Kiddies” want, or what vulnerabilities you are opening yourself to until you conduct an assessment of the system:

  • There may be student attendance records, grades and term results that the cybercriminal would like to access, fabricate or manipulate

  • Staff and student personal data, such as Social Security numbers, bank accounts, passwords, credit card numbers and driver’s license numbers are also a prime target

  • Student data can be especially valuable to the cybercriminal as it may include the parents’ data, too

  • Sensitive data related to staff salaries, qualifications and capabilities that a competitor would like to get their hands on

  • If the career college you are purchasing conducts proprietary research or is involved in confidential studies, cybercriminals from the corporate and educational sector might be interested in expropriating that information

Of course, other cybercriminal activity might be targeted at stealing financial records, gaining access to institutional and personal bank accounts, and damaging the reputation of educational institutions. If there are potential vulnerabilities in the cybersecurity systems and processes of the institution you are seeking to acquire, you could inherit all of the associated risks and liabilities, unless a pre-acquisition risk assessment flushes out such dangers for remediation.

Proactive Cybersecurity Strategies

In today’s highly interconnected world, it’s not a matter of “IF,” but “WHEN” a cyber-attacker will attempt to probe your system’s weaknesses for potential gain. Potential vulnerabilities are most open to exploitation while significant technology milestones are in progress, such as integrating a third-party vendor system (see sidebar) or switching an acquired college or school onto your IT systems.
There are services and strategies you can consider to ensure that you don’t unintentionally inherit at-risk systems or undisclosed liabilities from merged or acquired IT systems, and that you don’t “import” any such vulnerabilities into your in-house systems or pass them on to other institutions. Some of these include:

  • Third-Party Risk Assessment

  • Governance, Assurance and Compliance Reviews

  • IT Infrastructure Reviews

  • Data Privacy and Protection Audits

  • Threat and Vulnerability Assessments

  • Incident Management

  • Risk Management

Many educational institutions don’t have the in-house capabilities to continually stay abreast of all the developments in the cybersecurity domain. For them, opting for Managed Cyber Security Services that oversee all aspects of cybersecurity on behalf of the college’s administration might be a better way to deal with cybersecurity.
All protocols related to compliance with the Family Educational Rights and Privacy Act (FERPA) and the Gramm-Leach-Bliley Act (GLBA) are fully managed under a single service, giving you the time and the space you need to evaluate other critical aspects of the purchase transaction.
