Understanding how data can be disclosed and what to do to protect it is the key to minimizing data breaches.
At MIT data is sometimes sent around campus and between MIT and its business partners in electronic mail attachments, in many cases without protection. Much of this data ends up on individual laptop and desktop computers for a period of time, available to anyone with access to that computer. Unencrypted data left on computers can be compromised, either by loss or theft of the computer, or by unauthorized access caused by a computer virus or a weak password.
Privacy Rights Clearing House reports that between 2005-2014, there have been 727 data breaches in the education sector, involving over 14 million breached records.
Accidents have historically been the number one cause of data breaches requiring notification in higher education. Thirty percent of breaches reported is due to unintended disclosure and 17 percent is due to loss of a portable device. These breaches occur when people make mistakes or don't pay attention. For example:
- Losing a computer, hard drive or paper files
- Keeping computers unpatched and vulnerable to malware
This trend is turning, as more incidents are being reported. To mitigate this risk, training ocurring on a regular basis, needs to focus on protecting desktops and servers from unauthorized access and on the procedures for handling sensitive data for business purposes.
In certain circumstances, information systems can be penetrated by a deliberate attack. Most often such penetrations are done by hackers specifically looking for information to steal. Employee fraud, impersonation or theft are other deliberate means to access data. Approximately 36% of reported breaches, according to Privacy Rights Clearing House, were due to an outside attack, often via malware infection.
Places where computer systems contain thousands of records with sensitive information, such as a medical center, financial administration area, bursar, human resource department or alumni office are more likely to be targeted by an attacker than smaller systems containing fewer records.
System owners should be regularly viewing access logs, updating access authorizations as employees come and go, as well as putting other protections in place to limit access to these systems for employees with a business need.