Students Are Customers: Third-Party Risk Management Is Essential to Protect Their Data

Cyberattacks can impact any organization, but certain industries are more attractive to cybercriminals because of the valuable data they carry. Healthcare continues to be a well-known top target, but higher education is proving to be more vulnerable to cybercriminals year after year.

Since cybercriminals find these attacks very profitable and easy to execute, schools and colleges must prepare for increased cyberattacks. Many data breaches occurred at the third-party vendor level in the health and education sectors. As organizations outsource more of their business functions, third-party risk management has become essential to protect the personal data of their students/customers.

A New Era in Online Learning

In the wake of COVID-19, and the growing popularity of online learning, it's become apparent that students can and do make choices about where they want to pursue their education. Today's students are looking for an educational experience that includes customer service.

Over the past two decades, there's been a bit of controversy around whether higher ed institutions should treat students as customers. Some educators believe treating students as customers is incompatible with the traditional pupil-instructor relationship. So, how do we decide to label them students or customers? Customers drive revenue, and without revenue, the organization/business will not succeed. 

Students and customers are essentially the same. Whatever label we use to describe these individuals, the institution's job is to help them achieve their educational goals and protect their personal information.

Ransomware Threats and the Impact on Universities and Colleges 

Ransomware attacks have affected universities and colleges recently. Notable cases include the 157-year-old Lincoln College, which closed its doors due to financial damage caused by a ransomware attack. And the FBI issued a warning in late April of 2022 after Austin Peay State University announced a ransomware attack by the BlackCat gang. In response to the attack, all university network users were asked to disconnect, and all exams were canceled. Two days later, BlackCat claimed credit for a ransomware attack at Florida International University that took 1.2TB of data. According to BlackCat, the attack included contracts, accounting documents, Social Security numbers, and email databases for students, teachers, and staff. However, the university disputes BlackCat's claim and says the sensitive information wasn't exposed. Nine other higher ed institutions were also targeted by BlackCat.

Vulnerabilities in Third-Party Systems 

Several of the BlackCat cyberattacks exploited vulnerabilities in the systems used to provide online classes and to service online student accounts. During COVID-19, higher ed institutions scrambled to keep up with the need to provide distance learning. In the rush to go online, some institutions didn’t perform adequate due diligence on the third-party providers of the learning platforms. Despite the unfortunate discovery and exploitation of the platform's vulnerabilities through ransomware attacks, these incidents have clearly brought the issue to light, which should incentivize intuitions to address security concerns with third-party providers. 

Why Third-Party Risk Management Is Crucial in Higher Education 

Online learning platforms are certainly not the only potential security issue. Due to higher education institutions' efforts to cut administration costs and offer new services and programs, the number of third-party vendors with access to personal data is growing. This is why a robust third-party or vendor risk management program is crucial to protecting the personal data of students, faculty, and staff. 

It's important to remember that a successful third-party risk management program requires the support of senior leadership and the board. That support means setting the right tone-from-the-top and messaging around third-party risk management as an institutional priority. It also means allocating enough resources, including skilled staff, technology, and budget, to ensure the program can operate effectively.

Implementing a successful third-party risk management program is one of the most important steps institutions can take right now to safeguard their operations and protect the data of their students (customers), faculty, and staff.