Securing Remote Access in Higher Education

KENNESAW, Ga. | Nov 25, 2020

Dr. Andy Green

Late in the afternoon on Friday, October 9th, the Georgia Department of Human Services (DHS) announced a data breach of personally identifiable information (PII) and protected health information (PHI). Their public statement can be viewed at https://dhs.georgia.gov/press-releases/2020-10-09/dhs-notifies-customers-about-breach-confidential-information

WSB TV interviewed Dr. Andy Green about this breach; the interview is available at https://www.wsbtv.com/news/local/cyberattack-georgia-agency-exposed-private-information-parents-children/6OA4DKDTWNAQJFWXTRK26KVDIU/. Dr. Green also blogged about the breach previously at https://andygreenphd.com/2020/10/13/the-state-of-georgia-dhs-breach-and-the-bigger-picture/

Firms everywhere have struggled with enabling the work from home (WFH) workforce because of the COVID-19 pandemic, and institutions of higher education like Kennesaw State University (KSU) are no exception. Students, faculty, staff, and administrators need access to sensitive information like grades, student records, research data, financial data, and employee records to get their jobs done. While many universities have processes to enable these various constituencies to access sensitive data securely, they typically design them to address an “on-prem” scenario where these groups are on campus. Secure remote access to data is something that many universities simply have not addressed in their security operations.

So, how can institutions of higher education work to securely enable WFH for these different constituencies?  Dr. Green offers a few suggestions for consideration:

  • Develop and implement written policies regarding the sharing of legally protected or sensitive data and train employees on them. University administrators should collaborate with legal counsel and risk management to tailor policies that address the different responsibilities each of these groups faces – faculty have different needs than staff and students.
  • Implement a virtual private network (VPN) solution that allows students, faculty, staff, and administrators to connect to the campus network securely.
  • Implement a multi-factor authentication solution (like DUO, for example) for all university-based services.  KSU has implemented DUO as their solution of choice.
  • Implement a secure remote meeting and communication solution for use in classes and daily communications.  KSU has implemented Zoom and Microsoft Teams campus-wide to address this concern.
  • Implement a data loss prevention (DLP) strategy to lessen the possibility of legally protected or sensitive data leaving the university.
