Most Common HECVAT Violations (And How to Avoid Them)

The HECVAT (Higher Education Community Vendor Assessment Toolkit) was developed by the Higher Education Information Security Council (HEISC) as an initiative to help higher education institutions better protect their data, prevent the risk of data breaches, and measure the cyber risk of third-party solution providers. HECVAT provides a standardized template that schools can use to perform risk assessments and risk management processes concerning sensitive data and personally identifiable information (PII).

More than 150 colleges and universities use the HECVAT assessment tool to identify vulnerabilities and improve data protection policies. Third-party providers also use HECVAT to demonstrate their compliance with HECVAT standards and commitment to practicing strong data security.

Although HECVAT is designed to help schools with information security and is not enforced by law, meeting HECVAT requirements can help schools comply with other standards such as SOX, SOC 2, HIPAA, PCI DSS, and more. This article will examine the most common violations of HECVAT standards and how the education sector can avoid them.

Why Cybercriminals Target Higher Education

HECVAT is important because cybercriminals target the education sector at a much higher rate than many other industries. Many colleges and universities have poor security awareness and often have little to no cybersecurity policies in place. The lack of preparation and knowledge puts schools at severe risk of being attacked and having important data stolen or compromised.

A 2018 study found that in the US, the education sector was the least secure of 17 major industries, with application security and network security among the major issues. Kevin Moroney, Vice Provost for Information Technology at Pennsylvania State University, stated that the university faced around 20 million daily attacks, which was typical for a research university. A 2016 study of 20,000 organizations found that higher education had the most ransomware incidents compared to every other sector, including healthcare, which is regulated by HIPAA.

Cybercriminals targeting higher education seek out valuable student PII, such as contact information and credit card details, student loan information, staff employment records, research projects, and confidential infrastructural planning.

Here are the most common reasons why criminals and hackers target higher education schools:

• Large amounts of institutional data - The large number of student and staff records at higher ed institutions makes them attractive to cybercriminals who may be able to sell or ransom the data. Restricting access to mission-critical institutional data, such as enrollment data, can severely impair the functionality of a higher education institution. Higher ed offers potential access to personally identifiable information (PII) and sensitive data that can be used to commit identity theft, including social security numbers, bank details, and details of courses taken and learning difficulties.
• Valuable research - Many universities conduct crucial research that can be worth large sums of money if fallen into the wrong hands. Unpublished research data may command a significant price if held for ransom. Schools are often likely to pay for the safe return of years of research data, despite being highly advised against doing so.
• Legacy systems and technology - Institutions tend to have budgetary constraints that make them more likely to choose cheaper, outdated technology for hardware and software applications. Outdated technology is often ill-equipped to defend against modern cyber attacks and is at a higher risk of becoming breached.
• Decentralized IT - Decentralized IT can increase the risk of configuration problems and other vulnerabilities. Each department within the school often has its own IT manager, which enables poor communication between departments and various levels of IT security that allow hackers to exploit the weakest one. With no centralized or primary IT team analyzing network and user activity across all systems, it can be hard to detect and prevent cybercriminals from gaining unauthorized access.
• Remote work & schooling - With increasing remote learning on the rise, particularly following the COVID-19 pandemic, more students and staff are connecting to networks with unsecured devices. This poses a significant security risk as they can introduce and spread malware throughout a network. Unvetted cloud service providers, the use of personal devices, and poor cybersecurity practices create millions of new entry points for hackers to access.
• Lack of cybersecurity education - Students, professors, and employees often lack solid cyber knowledge, which can lead to poor cybersecurity practices, such as creating weak passwords, connecting to unsecured Wi-Fi networks, unsafe web surfing, lack of device security, and failure to recognize phishing attempts. Human error is often the leading cause of data breaches and data leaks, which means that schools need to do a better job of educating all users on cybersecurity.

Most Common HECVAT Violations

Although HECVAT is not currently mandated by federal law as other industry based frameworks are (such as HIPAA or GLBA), schools or their third parties that are in violation of HECVAT agreements risk damaging their business and profession reputations.

Higher education is not currently legally obligated to report all cyber incidents. EDUCAUSE, however, is monitoring this situation. It’s likely that higher education will soon face similar requirements to other sectors, such as the healthcare sector with HIPAA.

The Cybersecurity and Infrastructure Security Agency (CISA) is proposing higher education institutions report certain ransomware payments within 24 hours and cybersecurity incidents within 72 hours. If this becomes law, it will take place via the Cyber Incident Reporting for Critical Infrastructure Act 2022 (CIRCIA).

The most common HECVAT violations are as follows:

1. Poor Third-Party Vendor Security

When it comes to third parties, many colleges and universities lack adequate security measures, which is the main component of HECVAT compliance standards. Failing to secure third-party vendors or business partners poses an extreme risk to a school’s overall security posture, and a single breach from a third party could compromise the entire school system along with its other vendors.

The HECVAT framework is specifically designed to manage third-party vendors, who often need complete access and handle critical data. HECVAT is a great framework for schools to use as a roadmap to better third-party security (along with other popular frameworks such as NIST or ISO 27001).

How to Manage Third-Party Vendor Security

Schools must implement minimum security requirements for their vendors and require third parties to meet all checklist items during the procurement process to satisfy the risk appetite or tolerance. Additionally, schools must also establish a process that continues to monitor vendor security and track their progress over time. By doing so, these higher education schools provide themselves a way to measure vendor criticality and better manage vendor relationship.

However, with potentially hundreds or thousands of vendors that a school may work with, the vendor management process can be especially time and resource-consuming. One solution for this is to employ a third-party risk management service, such as UpGuard Vendor Risk.

Third-party risk management tools like UpGuard allow schools to gain an executive overview over the entirety of their vendor lists. They can track if a vendor has failed to uphold their security standards, track compliance with various frameworks and regulations, quickly detect security breaches, build remediation workflows, and automate the HECVAT questionnaire process.

2. Human Error

Human error plays a significant part in 95% of cybersecurity breaches. The key is to understand the different types of human error and develop policies and procedures around those errors that help minimize the risk and prevent future occurrences. HECVAT helps provide a framework that should help schools gain a better understanding of the cyber risks involved.

There are two main types of human error: judgment and skill-based errors. In the first case, a staff member may make a mistake while performing a familiar task due to a lapse of judgment or concentration. A skill-based error is when someone performs an action that leads to a data breach because they failed to understand the security risks, whether from a lack of education or training.

• Falling for phishing or social engineering attacks - Failing to recognize phishing attempts is an example of a skill-based human error. Without the knowledge or education of common phishing attempts, the risk of a student or employee clicking on a malicious link increases dramatically. In higher education, spoofing attempts are common, especially when the attacker pretends to send an email from a verified source, such as a professor, or a link to a fake but realistic-looking website, such as one from the university.

• Unsafe internet browsing practices - Connecting to unsecured public Wi-Fi networks, downloading files from suspicious websites, clicking on unverified hyperlinks, and not updating web browsers are all examples of poor internet surfing practices that can lead to a data breach.
• Incorrect disposal of confidential data - Data must be erased appropriately and disposed of before the storage device can be discarded. Throwing a hard drive or laptop in the trash can lead to a HECVAT violation by exposing sensitive data. Deleting or moving data to a recycle bin can also leave the data in a state where it can be recovered.
• Theft or loss of devices - A lack of physical device security can also lead to data theft. Unless your school operates strictly on the cloud and through online classes, physical device (laptops, mobile devices, thumb drives, etc.) security policies must be implemented both on and off campus for employees, professors, and students. Losing devices that are not secured can allow criminals to easily access the school’s network and potentially gain access to the main servers.

How to Avoid Human Error

To reduce human error, higher education needs to:

• Maintain procedures to monitor students and employees accessing the network
• Provide regular training so that all network users understand cybersecurity risks
• Install security updates, firewalls, and antivirus software

These steps need to be a part of the school’s written cybersecurity policy and threat response plan. Training is a critical component in reducing human error. Understanding PII and the need for authentication leads to appreciating why and how data protection helps educational institutions.

When a phishing attack occurs, it’s imperative to act quickly. To do this, higher ed institutions need up-to-date security policies and procedures in the event of a data breach. It is also necessary to have appointed a Chief Information Security Officer (CISO) to lead information security and coordinate efforts to recover data and mitigate the effects of cyber attacks. This can make security incident response faster and more effective.

In addition to clear, written details regarding disposal methods, there is also a need for rules about who has access to data and who has the authority to dispose of it. Staff needs training to ensure that sensitive or confidential data is destroyed with no chance of recovery, including the sensitive data of third-party cloud services. Higher ed institutions must hold third-party providers to rigorous security standards to ensure their compliance with HEVCAT and keep their staff and students secure.

IT security systems can help hold the line and keep data safe. These include firewalls and access controls to monitor who has access to private data, for what purpose, and when.

3. Poor Access Credential Policies

A username and password system is among the most common ways for organizations to restrict access to mission-critical or personal data. While they may be considered the weakest link in terms of authentication, they can help maintain data protection and information security.

Too often, data is left unprotected by passwords, or passwords are weak and easy to crack. Failure to maintain a proper password policy and procedures could lead to a lower score in the “Authentication, Authorization, and Accounting” part of the HECVAT questionnaire.

In other cases, credentials could be found on the dark web due to a data leak. If any threat actor purchases this information, they can easily access a school’s internal systems without having to use any hacking methods. If successful, an attacker targeting access credentials may steal, modify, or destroy data. The criminal may aim to lurk in the system over time to perform any or all of these actions.

How to Avoid Access Credential Issues

The institution must implement clear policies on setting strong passwords and changing them after the appropriate life cycle. Passwords such as “123456” and “password” are among the most commonly used passwords in 2022, but also amongest the weakest and easiest to guess. Password managers are a great option for employees that easily forget their passwords or tend to lose their login information.

As part of a regular security audit, schools also need to review employee access permissions to prevent significant lateral movement should a cybercriminals gain unauthorized access to compromised accounts. Limiting employee access privileges to only the data that they need is one example of how a school can contain and control a future breach.

The institution must also monitor its access privileges and ensure permissions are up to date. For example, Memorial Health Care System received a $5.5 million fine in 2017 for a data breach concerning electronic protected health information (ePHI) affecting 110,000 people. The breach took place because Memorial did not remove a former employee’s login credentials, and over a dozen employees continued to use the old login to access sensitive information for a year.

4. Application Security Hacking

Application security refers to any techniques - whether procedural, software, or physical - used to protect computer applications from external security threats. To a large extent, developers enhance application security during the application’s development stage.

However, application security takes place largely after the software is in circulation. With applications released at a far higher rate than previous years, securing them has become a arduous process to ensure they stay safe in the face of developing threats.

As threats continue to evolve, application security must also evolve. Checking for applications’ security flaws is an essential part of maintaining security when challenged by multiple ways of communicating, connecting, and sharing data, not least of all with SaaS (software-as-a-service) and other cloud services.

How to Avoid Application Security and Hacking Issues

To be fully HECVAT compliant, it’s necessary to perform proper risk assessments to highlight areas that may be vulnerable to hacking.

A firewall is an excellent example of a software security control that can vastly improve application security and prevent or minimize infiltration by an external threat. Properly router configuration would also be a hardware security control that helps increase an institution’s security by masking the IP addresses of network devices.

Antivirus and anti-malware applications also improve application security and can help detect malicious files before they corrupt a system. They can provide a helpful security management system with comprehensive databases, monitoring functionality, event log retention, real-time metrics, and the ability to automate responses to potential threats. With the oft-included spyware detection and removal tools, they can significantly help ensure the safety and integrity of data.

A higher education institution with an adequate IT budget could implement all these measures to solve application security and hacking issues. Understanding these techniques can help the institution use HECVAT to vet existing or future third-party cloud providers.

Threat detection tools can be useful when partnering with third parties or allowing access to remote workers. They allow external network environments to be examined, providing information about misused trust relationships and potential threats.

What Happens After a HECVAT Violation?

In the event of a data breach or an attack, higher education establishments can face numerous costs, damages, and fallout associated with their poor security practices or lack of vendor risk management processes.

Lawsuits

Although HECVAT is not currently mandated by law, security breaches resulting from HECVAT violations can lead to fines from other regulatory standards and laws. Additionally, victims can also sue schools and vendors for violation of data privacy if they fail to adequately secure important data. A 2018 study identified that class action lawsuits against universities after data breaches were increasingly frequent.

It is no longer necessary for the plaintiff to demonstrate “actual or imminent harm” due to the data breach. This means that people can sue an organization, even if the exposure of their data does not directly lead to identity theft. The “substantial risk of future injury” may be enough for a claim. This could mean hefty financial penalties for colleges and universities failing to protect sensitive data.

Find out how higher education schools can better manage their vendor security risks.

Reputational Damage

Higher ed institutions must also consider the potential cost of reputational damage that a data breach or cyber attack can cause. A university’s reputation can suffer for years after an attack, particularly if the response is not prompt or effective. A damaged reputation can also affect enrollment numbers for the following years.

Cost of System Repair

According to a 2020 Sophos survey, the cost of resolving a cyber attack in higher education averages about $2.7 million per incident. This figure includes the cost of downtime, repairing devices and networks, recovering data, updating security, and paying ransomers. The cost of remediation after such an attack is almost double the average across all sectors.

What is a Good HECVAT Score?

The maximum score after completing all sections of the full HECVAT questionnaire is 2660. A good HECVAT score, therefore, is anything above 2400 or 90%.

The minimum acceptable score for a third-party vendor taking the HECVAT questionnaire is 70%. However, even with a minimum allowable score, the higher education institution will mostly likely conduct follow-up interviews or consider other vendors before entering into a partnership.

A score below 70% means that the third-party vendor is not fulfilling several important conditions of the HECVAT standard.

Higher ed institutions can use the Cloud Broker Index (CBI) to see a list of vendors that have already completed the HECVAT evaluation successfully. Also known as the Community Broker Index, this list can help HE institutions evaluate potential third-party solution providers and speed up the assessment process.

Both the full HECVAT toolkit and the HECVAT Lite tool for expedited security assessment include a documentation section to demonstrate what the company has done to certify its security strategy and a safeguards section grouped by the following categories:

• Company Overview
• Documentation
• IT Accessibility
• Assessment of Third Parties
• Consulting
• Application / Service Security
• Authentication, Authorization, and Accounting
• Business Continuity Plan
• Change Management
• Data
• Datacenter
• Disaster Recovery
• Firewalls, IDS, IPS, and Networking
• Policies, Procedures, and Processes
• Incident Handling
• Quality Assurance
• Vulnerability Scanning
• HIPAA
• PCI-DSS