While the bulk of data breaches making recent news are the result of phishing or hacks, a large percentage of breaches stem from stolen devices, such as a smash-and-grab of a laptop left on a car seat.
It goes without saying that protecting data when a laptop is stolen is paramount. According to a 2015 Deloitte study, the average cost of a data breach per Australian organisation is more than $2.5 million per year, and rising. But with new legislation on the table, Australian educational institutions will need to take cybersecurity more seriously.
Earlier this year, The University of Sydney lost a notebook computer containing sensitive information about disabled students at the academic institution, which “may have been unlawfully accessed”. Though the laptop had password protection, it did not guarantee the security of the information stored on the device.
If passed, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 will present a challenge for any educational institution saying ‘We are not sure if we have been breached’. The onus will be on the institution to ensure they are aware of data breaches, as disclosure must be made if an organisation believes a breach may have occurred.
Educational institutions can no longer be lawfully blind to cybersecurity risks. If The University of Sydney were to lose another laptop under the aforementioned circumstances, it would be required, by law, to disclose this information to affected individuals and the relevant regulator – or risk fines.
Fortunately, there are steps schools and universities can take to protect corporate data.
Wipe Institutional Data Clean
It pays to be prepared. Should a laptop be stolen, having in place a fast, secure and complete remote monitoring and management (RMM) solution will allow a school to take control of the laptop even though it is off the school's network. Schools and universities with an RMM system in place can log into devices remotely or use an automated script to delete any sensitive information, quickly limiting exposure. Some solutions even offer remote management capability for mobile devices such as tablets and smartphones. They also let a school segregate institutional information from personal information on any bring-your-own devices, so that institutional data can be accessed quickly without disturbing personal data. Remote monitoring is essential to minimising the impact of a data breach. However, schools should stay away from consumer-oriented remote monitoring tools that do not give them the security or integrated systems management features they need to operate in a professional IT environment.
Enhance Systems Security
There are two ways to protect institutional systems from illicit entry. First, user passwords can be quickly changed through a password management tool. Second, multi-factor authentication will make sure that anyone trying to log into the school’s systems needs more than just a password. This way, the systems are protected even before the school is alerted to the theft.
System Automation to Fight Crime
Procedures can be created that automatically capture desktop screenshots and even pinpoint the geographic location of a laptop using Google location application programming interfaces (APIs). These tools provide valuable information that can help authorities locate the stolen laptop, and even the culprit.
No matter the scenario, schools and universities must take measures to safeguard themselves against the risks associated with a lost or stolen laptop or mobile device. And with the data breach notification bill now before the House of Representatives, it is imperative that educational institutions step up their cybersecurity capabilities.
Craig Allen is Technical Director APJ at Kaseya, a leading provider of complete IT management solutions for educational institutions.