The Data Fraud Problem Today
Cybersecurity breaches are on the rise everywhere; no organization, whether educational or corporate, can be lax in taking precautionary measures. Education leads the industries in data breach numbers (second only to medical institutions), and 77% of breaches occur in post-secondary schools. While there is growing awareness of student aid abuse and fraud, another possible source of cyber fraud that colleges have frequently overlooked are third-party vendors.
Schools have the same responsibility toward students as businesses have to protect their customers. For example, the 2013 Target retail store breach that affected thousands of customer accounts began with a heating and air conditioning company. Hackers of every stripe look for the easiest ways into an organization, and as vendors, may have the chance to establish trust with an unsuspecting school administration.
The majority of vendors are trustworthy businesses. But the ones that aren’t could do extensive damage to a school’s reputation and many students’ lives. The great news is that financial aid directors (DFAs) can use our tips below to vet their vendors and ensure they’re entrusting precious student information to the right people.
What DFAs Can Do to Safeguard Student Information
The first step is to vet a vendor. Vendors of financial aid software, for example, may share access to students’ sensitive financial records and other information with the DFA. Vetting new vendors is especially critical to establishing a trustworthy business relationship over time.
The National Cybersecurity Institute of Excelsior College recommends that administrators begin by:
- Performing a risk-assessment study of which supplier holds the greatest amount of confidential data, such as student financial records, including social security and driver’s license information.
- Asking potential vendors about what safeguards they use to protect their data. If they aren’t protected, your data is at risk also. See below for more important questions to ask.
- Reviewing the Service Level Agreement (SLA) to determine what security measures and liabilities are covered.
- Performing due diligence in checking a vendor’s business and other credentials, including the names of the company, as well as the owners, address, tax identification number as well as any history of criminal activity.
Vendors Checklist – The Questions to Ask
Ask a prospective vendor the following questions to reduce the chance of mishandled data:
- How will our data be stored and protected?
- What algorithms are used to store data?
- How is data securely transmitted?
- Is anyone else who has access to the data thoroughly screened?
- What security or other audits do you use?
- How is physical security maintained at the data storage center?
- What levels of access are granted and how are they controlled?
- How are users and password management verified?
- Is the ownership and usage of data defined within a contract?
In addition to the usual in-house password controls and other precautions, a prudent Financial Aid Director or Administrator should order an audit or review of all vendors on a regular basis to weed out potential problems by identifying any discrepancies. Commonsense user practices, combined with state-of-the-art security technology can reduce the possibility of security breaches, safeguarding sensitive data while allowing legitimate exchange of information.
For those financial aid departments that still manually process assistance applications, the risk for student aid fraud is even greater. A company offering financial aid specialty software that securely encrypts data is one of the DFA’s most important partners in helping to prevent vendor and other security breaches.
StudentVerification automates verification and C code resolution with a secure, student self-service platform. Through StudentVerification, all of students’ sensitive documents are protected with government-grade data encryption. This eliminates the insecurity of email and the inconvenience of faxing or delivering documents in person. That’s what you call a Win Win!