The HECVAT (Higher Education Community Vendor Assessment Tool or Higher Education Community Vendor Assessment Toolkit) is a security framework and template that higher education institutions can use to measure the security risks associated with potential or existing vendors.

HECVAT is excellent for higher ed institutions because many third-party organizations tend to have structures and follow practices that lend themselves to increased cybersecurity risk. Furthermore, colleges and universities can use it to assess internal security posture as well, to ensure that they are keeping up with the same industry standards that they hold their vendors to.

By going through the full HECVAT, a college or university can acquire, upgrade, and maintain its hardware and software while minimizing the risk of a data breach. It also helps ensure that third-party vendors have the following:

  • Strong information security and security control practices
  • Updated cybersecurity programs
  • Effective data privacy policies

The HECVAT security assessment helps provide education institutions with a more in-depth view of their vendor security postures. They can use the tool to demonstrate that they have performed a cybersecurity risk assessment and have the necessary security controls to ensure data protection and can keep their clients safe. This article will discuss why HECVAT is important and why schools should begin integrating HECVAT into their vendor risk management (VRM) programs.

What is the HECVAT Security Assessment?

The HECVAT tool is a unique questionnaire developed by EDUCAUSE’s Higher Education Information Security Council (HEISC) in collaboration with the Research & Education Networks Information Sharing & Analysis Center (REN-ISAC), a coalition that helps members analyze and respond to cybersecurity threats, and Internet2, a non-profit computer networking consortium.

HECVAT was influenced by other cybersecurity regulations, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). Established firms, therefore, may discover that they are already compliant.

In addition, HECVAT can also be used in conjunction with other frameworks such as NIST SP 800-171, ISO 27001, FISMA, and more. While HECVAT was developed with higher education in mind, any business can use HECVAT as their vendor risk assessment tool.

Why is HECVAT Important for Colleges & Universities?

Vendor risk assessments and vendor accountability are beneficial because even when a higher education institution has excellent internal cybersecurity protections because poorly-secured third parties can be potential weak spots. Using the results from HECVAT can help organizations identify weak links from their service providers while potentially revealing internal security issues. A single compromised third party can put the entire organization at risk.

Besides being useful for higher education institutions going through a procurement process for third-party vendors, IT professionals can also use HECVAT to demonstrate their understanding of risk and compliance with HECVAT compliance standards. In this way, completing a full HECVAT assessment may give an edge to vendors seeking to work with higher education institutions.

A completed HECVAT can indicate to universities that a firm has minimized its security risks. It can complement a membership with the Center for Internet Security (CIS), which helps refine cybersecurity best practices and tools. For example, Indiana University is also subscribed to the CIS SecureSuite Program to aid its cyber defense strategy.

Increased Risks in Higher Education

Schools, particularly higher education institutions, have security issues unique to the industry. HECVAT helps identify potential security gaps that affect the education industry more so than other industries, including the following:

  1. Universities and colleges handle and store vast amounts of institutional data, making them attractive targets for cybercriminals.
  2. Many universities and colleges lack an understanding of cybercrime and cybersecurity. This blindspot puts those institutions at higher risk of a security breach than other industries prioritizing cybersecurity.
  3. There is no standardized third-party procurement process across higher education institutions. Each university has its own set of standards, which may not be sufficient enough to assess third-party risks.
  4. Universities are often extremely segmented in their cyber policies. Each department might have its own methods of implementing cybersecurity or use its own software solutions, which can lead to inconsistencies throughout the entire school. This can lead to significant security, compatibility, and communication issues.
  5. Staff members, employees, and students often use personal devices, which can create thousands of endpoint security risks. Without a strong BYOD (bring your own device) policy or education on safe web surfing practices, schools put themselves at a higher risk of a cyber attack.
  6. The education industry ranks as one of the industries with the worst cybersecurity. Their IT infrastructures tend to be poorly constructed, systems and applications are left un-updated, and schools often still use outdated legacy devices that pose serious risks. Criminals can use vulnerabilities from out-of-date software and devices to access a network and steal data.
  1. Many colleges operate with very strict budgets that force them to decide between an in-house IT team or investing in additional staff, facilities, or departments. Many choose the latter because they don’t see an immediate benefit to prioritizing cybersecurity.
  2. Without a focus on cybersecurity, it’s hard for schools to assess their vendors properly. Not all third-party vendors are the experts they claim to be, nor are they as diligent as they propose. Cutting corners with cheap solution providers, such as unvetted cloud service providers, can put colleges and their associates at risk.

Like most other industries, higher education establishments increasingly rely on information technology. Online training and remote learning, for example, require the collection of usernames and passwords, among other private data. Confidential student records, admissions, and attendance are all increasingly monitored, modified, and stored online.

Many of these educational institutions are security disasters waiting to happen. Cybercriminals know this well. They can attack these organizations with relative ease compared to other businesses, and they can gain access to massive amounts of personal, confidential, and critical data.

Learn how education institutions can comply with HECVAT here.

What Does HECVAT Include?

HECVAT currently comprises four primary tools:

  1. HECVAT Full - This HECVAT questionnaire contains 265 questions over 22 different sections. HECVAT Full offers a comprehensive and investigative look at an institution’s most critical data-sharing engagements and is HIGHLY recommended for service providers that handle PII — whether via cloud services or on-premise — or for those unsure whether their processes involve PII.
  2. HECVAT Lite - HECVAT Lite version is a shorter, less in-depth questionnaire that service providers that do not process personally identifiable information (PII) or other critical data can utilize.
  3. HECVAT On-Premise - Providers that don’t operate on the cloud and don’t handle PII and critical data can use HECVAT On-Premise to assess their risks. On-Premise is restricted to companies that host their data on-site.
  4. HECVAT Triage - Institutions can use this short questionnaire to decide which of the previous three tools they should use for their assessments.

In addition, higher education institutions can use the Community Broker Index (sometimes referred to as the Cloud Broker Index) to connect with vendors that claim to have completed this higher education cloud vendor assessment tool. However, note that this information's accuracy relies on the solution providers.

There is also a Users Group. Through this shared assessments working group, campuses can share information, ask questions, and request modifications to make the HECVAT template more useful.

According to EDUCAUSE, more than 150 colleges and universities currently use HECVAT. This number will continue to grow, making cybersecurity for schools safer and more secure for staff, students, and partners.

How Do Cybercriminals Attack Higher Education Institutions?

Between 2005 and 2021, education institutions experienced almost 2000 data breaches. Cyber attacks on colleges and universities are rising, particularly ransomware and phishing attacks.

The FBI has begun to focus more on higher education, but it’s not enough to rely on law enforcement. Institutions must protect themselves first, and they are responsible for the welfare of their students, staff, and associated businesses. Cybercriminals targeting a university pose a threat to the university and everyone that comes into contact with it.

Ransomware in Colleges and Universities

The rapidly increasing number of ransomware attacks at higher education institutions has put a focus on how poorly schools have been protecting and educating themselves. If an attacker gains unauthorized access to the school’s system, they can lock down all systems and prevent access to sensitive data until a ransom payment is made.

Although law enforcement officials and cybersecurity experts strongly advise against schools paying any type of ransom, unfortunately, that is not always the case. Smaller schools risk shutting down entirely if they lose access to critical data, as they cannot be operational without it. Any organization affected by ransomware also loses the trust of the students and customers in its ability to protect its most important assets.

Learn how colleges and universities can prevent ransomware attacks here.

Phishing in Higher Education

Poor cyber education is one of the leading causes of phishing attacks affecting colleges and universities. Phishing is a product of social engineering attempts to trick users into clicking malicious links or opening infected files. Failing to recognize these scams is a failure of education by the university.

All staff, employees, and students should undergo basic cybersecurity training when onboarding or enrolling at the school. Schools often offer seminars or training related to sexual harassment, drug abuse, and other safety concerns — it’s time to include safe cybersecurity practices as well.

Learn more about the most common types of phishing attacks.

Unpatched, Outdated Software & Systems

Outdated systems and unpatched software can lead to easily exploitable vulnerabilities. Cybercriminals may target older schools who may still be using legacy technology or old software that haven’t been patched for open vulnerabilities. Older technology and systems aren’t equipped to defend against modern-day cyber threats.

Budgets should be created with an investment into improving technology and systems or colleges create significant risk of being breached. At the minimum, schools should begin to upgrade their software and ensure everything is patched to the latest version to begin protecting themselves.

Ready to see
UpGuard in action?