10231166

The Real Cost of Complacency: Why Cybersecurity Awareness Starts with Us

Tue, 07 Oct 2025 20:24:42 GMT

For the last two years, as Cybersecurity Awareness Month returns, I find myself thinking less about firewalls and frameworks and more about people.

Technology evolves. Threats evolve faster. But the heart of cybersecurity has always been human. The quiet decisions made every day by educators, administrators, and students determine whether our institutions remain safe or become headlines.

And in education, where purpose runs deeper than profit, the stakes feel different.

The New Reality of Risk in Education

Over the past decade, education has transformed. Hybrid learning, connected devices, digital testing, and research collaboration have all expanded what it means to “protect the classroom.”

But with that progress has come complexity, and complexity invites risk.

Many schools and universities are now operating with sprawling technology ecosystems managed by small, overstretched teams. These professionals are trying to keep up with relentless change while defending systems that were never designed for today’s threat landscape.

I’ve seen firsthand how easily a single vulnerability can cascade into real-world consequences: lost data, canceled classes, disrupted operations, and shaken trust. It’s never just a technical problem, it’s a human one.

Awareness Is Not a Checkbox

Every October, inboxes fill with reminders about cybersecurity awareness training. But genuine awareness does not come from compliance modules or quiz completions. It comes from culture.

It begins when people feel ownership. When they understand why it matters, not just what to do.

A district I worked with recently lost its long-time IT director unexpectedly. When the dust settled, leadership realized how much institutional knowledge had lived in one person’s head. It was not about negligence; it was about unseen vulnerability.

That moment reminded me that awareness is not about assigning blame. It is about creating clarity. It is the point when leaders say, "We do not have to know everything, but we need to know where we stand."

The Leadership Moment

Cybersecurity has become a leadership issue, not just an IT issue.

It is about creating space for uncomfortable conversations about risk, capacity, funding, and accountability. It is about understanding that every decision, from procurement to password policy, reflects values as much as priorities.

The most secure campuses I have seen are not those with the most tools. They are the ones where people talk to each other. Where technology teams, faculty, and administrators work from a place of shared responsibility instead of silos and assumptions.

That is not a technical investment. It is a leadership commitment.

Awareness That Lasts Beyond October

Cybersecurity Awareness Month is a good reminder to pay attention, but awareness can’t be seasonal.

The real challenge is how we sustain it through the rest of the year: how we build systems and cultures that make security second nature, not second thought.

For leaders in education, that means showing vulnerability. Admitting what we don’t know. Asking for help when we need it. Encouraging the same openness in our teams.

It also means balancing mission and protection, ensuring that the drive to connect, innovate, and share knowledge never compromises the safety of those we serve.

Closing Thought

Cybersecurity is not about locking down learning. It is about preserving it.

In every district, college, and university I have worked with, I see the same quiet determination: to keep moving forward despite the noise, the fatigue, and the fear. And that gives me hope.

Because awareness is not built by rules or reminders. It is built by leaders who care enough to keep asking hard questions.

As we navigate another Cybersecurity Awareness Month, that is where I choose to focus. Not on the threats that surround us, but on the responsibility that unites us.

Let’s Talk Mental Health: Higher Education IT Staff in a Disrupted World

Tue, 10 Jun 2025 16:29:05 GMT

Higher Education IT professionals must be committed to taking care of others. After all, great IT organizations were never in the business of looking after computing but were always in the business of customer service.

It is not about bits, bytes, clouds, anti-virus, border firewalls or even processing credit card payments online.

The best IT organizations make it all about people.

But we higher ed. IT people find ourselves in the middle of a disrupted industry and this disruption is not going away. In this case, it is not the disruption of GenAI, or data breaches run wild. Instead, it is about survival.

The tragic Spring 2025 story of Limestone University in Gaffney, S.C. is yet another in a growing list of institutions no longer able to weather the ominous reality. Founded in 1845, 16 years before the Civil War erupted in Limestone’s home state, Limestone overcame every challenge of a small private institution for some 180 years.

That is until April 29 when Limestone’s governing board officially announced its immediate closure. The announcement came after Limestone lost some 50 percent of its enrollment in the past decade, from about 3,200 students to 1,600. A large percentage of these are student athletes as the institution fielded 23 teams at the NCAA Division II level.

The closure story is repeated often enough nationally that it sadly runs the risk of no longer being newsworthy. According to federal data provided to The Hechinger Report ( https://hechingerreport.org/tracking-college-closures/ ), 28 higher education institutions closed in the first nine (9) months of 2024 alone.

What does this have to do with IT departments?

Everything.

From an IT perspective, many institutions rely on online learning, video conferencing, worker collaboration suites, CRMs, SaaS ERPs and SIS’, and comprehensive cybersecurity tools at levels that could not have even been dreamed about in the pre-COVID world. That’s not even addressing the emerging AI world, coupled with unfunded mandates from increasingly complex IT compliance requirements.

More and more money is needed to attract and retain fewer and fewer potential students at many institutions and that IT budget may look like fertile ground. Not surprisingly, some view IT as a liability – like a very expensive utility bill – as higher education muddles through this dark time.

Perhaps a necessary evil, but one that needs to operate as cheaply, as possible. True enough, IT brings significant expense money, and it generates very little direct revenue in most cases.

The Good Ole’ Days of IT being directed to “do more with less” is being replaced with “we can do IT without you”. All of which leads back to the higher education IT professional and the mental health impact of this disruption that really dates to the 2008 recession when budgets and staffing levels took a negative turn from which some departments never recovered.

Cybersecurity and data privacy professionals are arguably facing the highest stress levels in the organization. The Information Systems Audit and Control Association’s (ISACA) 2024 State of Cybersecurity survey report notes that 66 percent of cybersecurity staff believe their role is more stressful than it was five (5) years ago ( https://www.isaca.org/about-us/newsroom/press-releases/2024/nearly-two-thirds-of-cybersecurity-pros-say-job-stress-is-growing-according-to- new-isaca-research ).

Though its focus is on the higher education ecosystem in general, 2025 EDUCAUSE Horizon Action Plan: Mental Health Supports ( https://library.educause.edu/-/media/files/library/2025/1/2025horizonactionplanmentalhealth.pdf ) offers some practical, common sense and sustainable tips for the IT professional, their team, the IT organization, and beyond, to help.

Like most things in an IT organization, leadership – or lack thereof – is a key difference maker. A subtle action by a leader to prioritize staff mental health similar to the department’s larger goals of professional development, productivity gains or continuous improvement will make all goals easier to achieve.

It is well established that mental health wellness leads to less workplace tension, better employee retention, and less time missed due to illness. But it is also simply the right thing to do because the disruption is disrupting IT employees like never before and it seems like the disruption is here to stay.

Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

Compliance: Just Not Good Enough

Wed, 30 Apr 2025 15:57:53 GMT

In a higher education world where cybersecurity, data protection and data privacy activities are bathed in multiple regulations, policies, procedures, standards and all the rest, what happens when victims claim, “compliance is just not good enough”?

The answer can be quite costly.

The March 2025 data breach incident at the Yale New Haven Health System (https://www.ynhhs.org/legal-notices) could potentially be such a case. Yale New Haven Health reported a data breach incident to the public on March 11, 2025, and a pair of 52-page federal lawsuits were filed on behalf of victims were already filed just over a month later. There are reports that as many as six additional suits were filed in the following days. A variety of law firms have created web pages where victims can seek legal engagement, so the number of suits could potentially increase.

It does not appear Yale New Haven Health is being accused of specifically failing to meet a given governmental regulation – such as HIPAA, PCI, GLBA, or a state breach notification law. The fact that a generic notification letter about the incident can be found at the Massachusetts Office of the Attorney General website implies at least that state’s requirements have been met.

But according to the Hartford Business Journal (https://www.hartfordbusiness.com/article/yale- new-haven-health-faces-lawsuits-over-data-breach-health-system-discloses-more-details), the suit claims Yale New Haven Health did not “…properly secure and safeguard Plaintiff ’s and Class Members’ sensitive personally identifiable information (PII) and personal health information (PHI), which, as a result, is now in criminal cyberthieves’ possession.” These lawsuits understandably infer that provider storing sensitive or confidential customer needs to use a portion of its revenue to fund customer data protection measures. The goal should be protecting data even beyond regulatory compliance demands.

A Big Year For Settlements

Beyond the question of governmental regulations and their relationship to lawsuits, there is no doubt higher education is suffering increased direct financial penalties resulting from data breaches.

Just one example from 2025 is the $2 million settlement of the class action data breach lawsuit against St. Louis University and SSM Health Saint Louis University Hospital from mid-April, stemming from the data breach of up to 93,000 individuals (https://www.hipaajournal.com/saint- louis-university-data-breach-lawsuit-settlement/). Besides the common practice of receiving identity theft protection benefits, claimants can receive up to $2,500 in unreimbursed expenses resulting from the breach. St. Louis University and SSM Health Saint Louis University Hospital are not alone, as various similar suits are on schedule to be settled later in 2025. Large or small, public or private, no institution appears immune.

Too Early? Too Late?

Another new lawsuit is among those that confront the long-debated ”time to notify the victims” issue. Michael Harris, a potential incoming student at Lee University, filed the suit against Lee in the U.S. District Court Eastern District of Tennessee (https://www.local3news.com/local-news/lee-university-sued-for-negligence-after-data-breach-impacts-thousands/article_ca5ecb44- 8872-4692-9dd8-4ce35defe574.html).

The lawsuit includes multiple complaints, among them is the claim that Lee waited for more than one year to notify the impacted individuals. One could argue notifying potential victims before all facts are known runs the risk of providing incomplete information. But waiting for an investigation to complete runs the risk of victims suffering the consequences of the breach without even knowing a breach of their information occurred.

Damage Over Dollars?

Of course, data breaches are often about a lot more than money. They hold the potential to devastate victims by inflicting non-economic temporary and sometimes even permanent damage. The recent takeover of the New York University (NYU) website by a hacker who briefly exposed NYU applicant information datasets back to 1989 (https://nyunews.com/news/2025/04/01/nyu-data-breach-lawsuits/) serves as a reminder.

Public policy – often via regulation – tries to limit the damage by requiring those who house sensitive and confidential data adhere to strict standards. But higher education institutions need to know that compliance with all regulations and data breach laws might not be enough.

These large settlements should provide institutions with a constant reminder.

Bill Balint is the owner of Haven Hill Services LLC, contracted as Trivigil’s Advisory CIO for Education.

The Experts Await: Higher Education Cybersecurity and Data Privacy Events Spring, 2025

Tue, 15 Apr 2025 17:00:42 GMT

TriVigil is dedicated to providing educational institutions with comprehensive cybersecurity solutions that harmonize people, policies, and technology. This commitment includes highlighting selected opportunities where cybersecurity and privacy professionals in the education sector can network, learn, meet with solutions providers and gain other insights.

There are literally hundreds of cybersecurity and data privacy events – local, regional, national, international and virtual. Everything from a one-hour webinar to global large-scale events with thousands of attendees. Some are purely focused on cybersecurity and/or data privacy, while others list these as merely a sub-interest or track. Some emphasize the education sector, while others do not focus on any specific industry.

Among the plethora of quality events blanketing every area of interest, TriVigil notes a pair of late spring 2025 events that include education as a specific focus.

The 2025 Educause Cybersecurity and Privacy Professionals Conference will take place in Baltimore May 19-21 ( https://events.educause.edu/cybersecurity-and-privacy-professionals-conference/2025 ). It is perhaps higher education’s best-known event focused solely on these topics. This year’s “Stronger Connections for Stronger Protections” theme is evident in all five attendee tracks:

· Awareness, Education, and Human Factors

· Governance and Strategic Alignment

· Transformational Leadership

· Navigating Compliance with Confidence

· Evolving Technologies and Practices

With the emphasis on collaboration, it is fitting the 2025 conference is efficiently expanded such that a small increase in time spent onsite provides a large increase for attendee opportunities.

The opening pre-conference workshop day remains from previous years (May 19), but the opening general session has been moved to the end of the first day, as well. This change allows for breakout sessions to begin immediately on the second day (May 20). The third day (May 21) has been extended to a full day agenda.

May 19 opens with eight preconference workshops. These include two full-day, three morning half-day and three afternoon half-day options. Derrich Phillips, founder of Aspire Cyber and of the CMMC Professionals Network (CPN), provides the opening general session entitled “Beyond the Firewall: How Community Strengthens Cybersecurity in Higher Education”.

May 20-21 should also be a treat as attendees can take advantage of 12 breakout session time slots, each 45 minutes in length. This is especially impressive as there are conferences twice as long that struggle to offer that many breakout session slots. Furthermore, the agenda also provides three separate times for attendees to take part in poster sessions. The conference concludes with a closing general session.

Better than 45 breakout sessions spread across those 12 timeslots will be delivered in presentation and panel discussion formats by representatives from about 40 different institutions and some 20 solutions providers. Presenters and panelists from institutions span large R1 institutions and state system offices to small liberal arts schools, community colleges and those in between.

2025 NICE Conference and Expo

The 2025 NICE Conference & Expo will take place in Denver on June 1-3, 2025 ( https://niceconference.org/ ). The conference touts itself as “… the annual convening of community members and thought leaders from education, government, industry, and non-profits to explore ways of developing a skilled cybersecurity workforce ready to meet the challenges of the future.”

NICE itself is a program led by the National Institute of Standards and Technology (NIST), established by the Cybersecurity Enhancement Act of 2014. Florida International University is a conference co-host, further underscoring the important role of higher education at the event. New America, a non-profit think tank, serves as the conference’s other co-host.

This year’s “Climbing Higher: Educating & Sustaining a Resilient Cybersecurity Workforce” theme would appear very relevant for a higher education sector challenged with talent acquisition and employee development. This is especially true with the internal cybersecurity workforce.

The event opens with half-day afternoon workshops on June 1, with the conference running for two full days on June 2-3. Although the list of sessions is not available yet, a glance at the 2024 agenda indicated eight breakout session timeslots and five plenary slots in addition to the pre-conference workshops. Over 30 breakout sessions in 2024 were delivered by a mix of academia, government and industry representatives.

Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

Cybersecurity AI and Identity Management Receive Awareness Boosts

Thu, 27 Mar 2025 20:16:04 GMT

While National Cybersecurity Month (October) and National Data Privacy Week (late January) seemingly growing in adoption, a couple of more-recent cybersecurity events will hopefully take that next step.

AI Fools Week (Naturally Kicking off ‘AI’pril)

The good folks over at the National Cybersecurity Alliance (NCA) have created their inaugural artificial intelligence (AI) awareness campaign, fittingly entitled “AI Fools Week”, taking place the Week of March 31 ( https://www.staysafeonline.org/aifools ). NCA even jokingly refers to the month as “AIpril”.

As is often the case, NCA offers a very well-done toolkit of tip sheets, infographics, posters, etc. for those looking to initiate a ‘be safe when using AI” campaign at their institution or place of business.

One of the NCA toolkit’s more ironic, but interesting ideas is to leverage a concept dating back to Ancient Greece by creating a shared password (safe word) to combat “deepfake” voicemails, messages, even video calls. The kit suggests safe word systems are worthy for consideration beyond families – such as with fellow employees, close friends, caregivers and groups reliant upon virtual communication.

Identity Management Day 2025

Identity Management Day 2025 ( https://www.idsalliance.org/event/identity-management-day-2025 ) will take place immediately after AI Fools Week on April 8. The awareness focus is a free, day-long online conference. The NCA and the Identity Defined Security Alliance play host to the event, which started in 2021.

Of course, adhering to safe computing practices in this rapidly changing landscape is a 365-day per year battle (366 during leap years - LOL). Some might consider it impossible to avoid deepfakes for long because so much is beyond the individual’s control – especially in a GenAI world. But the silver lining is any improvement in protection is a positive and the event is geared toward promoting best practices.

Higher Education Cybersecurity Digital Magazines

Awareness days and weeks are nice and all, but this is also a daily effort where timely, helpful information made available within a few clicks is a vital asset. This is one way digital magazines can make a difference.

Higher education might increasingly be operating ‘like a business’, but access to information from those who understand the unique higher education environment remains a plus. Fortunately, higher education cybersecurity professionals can find plenty of education-specific content without cost. It is true the mix of public sector, non-profit and for-profit websites are valuable. But targeted digital magazines also provide critical additional insight. Though not a comprehensive review, three sites appear to be among the leaders in this space.

EdTech magazine’s cybersecurity site ( https://edtechmagazine.com/higher/security ), for example, published nine (9) new articles during a recent three-month period, featuring diverse topics like identity and access management (IAM), student BYOD security challenges, AI, and the age-old technical debt implications for security and privacy. Each article places the material into a higher education-centric context.

One specific nice feature is the site’s article filtering, which allows readers to deep dive into 14 sub-topics in an instant.

Campus Technology magazine has been a friend to the higher education IT community for some 35 years (known as Syllabus from 1988-2004 before adopting its current name). Cybersecurity has been part of its content for multiple decades and its website touts a cybersecurity portal ( https://campustechnology.com/Portals/Cybersecurity.aspx ) full of articles, podcasts, webcasts and whitepapers.

The site included 10 articles in a recent 90-day timeframe and these included information about subjects ranging from AI, Educause HECVAT’s release, Jamf’s purchase of Identity Automation, etc.

Education Technology Insights ( https://www.educationtechnologyinsights.com ) offers content spanning the education sector, with a focus on “…bringing forth a complete picture of how teachers are using different classroom technologies…”. Although there does not appear to be a cybersecurity-specific part on the site, there is plenty of content found via a general search.

There are loads of higher education-focused sites that offer cybersecurity content, but most do not have it as a specific focus area. Inside Higher Ed, University Business, and GovTech are just a few. Of course, there are also many cybersecurity digital magazines that cut across all industries and certain content has implications for the education sector.

Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

Breaking the Silence: A CISO’s Guide to Beating Burnout

Wed, 12 Mar 2025 19:45:58 GMT

Let’s talk about something that most Chief Information Security Officers (CISOs) hesitate to discuss, BURNOUT .

Cybersecurity is a high-stakes, high-pressure field. The constant barrage of threats, the responsibility of protecting an organization’s digital infrastructure, and the expectation of being on-call 24/7 can take a toll. Burnout among CISOs and security professionals is real, prevalent, and dangerous , not just for individuals but for organizations as well.

Burnout can manifest in various ways: self-medicating with alcohol or drugs, struggling with depression, losing the ability to make decisions, or feeling so overwhelmed that you shut down. The risk is even higher during crises, such as a major ransomware attack, where long hours and intense pressure become the norm.

The good news? Burnout is preventable. Recognizing the signs early and taking proactive steps can make all the difference.

Understanding Burnout in Cybersecurity

Burnout doesn’t happen overnight; it’s a gradual process. Security professionals often start by feeling stressed and overworked, but over time, that stress turns into chronic exhaustion, cynicism, and decreased effectiveness . The key warning signs include:

Constant fatigue despite adequate rest
Loss of motivation or feeling disconnected from work
Irritability or mood swings with colleagues or family
Difficulty concentrating or making decisions
Physical symptoms like headaches, insomnia, or muscle tension
A sense of helplessness or feeling like you’re failing

If these symptoms sound familiar, it’s time to take action.

Strategies to Prevent and Combat Burnout

1. Take Strategic Breaks

Security incidents demand immediate attention, but working under constant stress isn’t sustainable. Taking short breaks throughout the day can help lower stress levels. I personally step away from screens for at least 10 minutes every two hours to give my mind (and eyes) a reset.

2. Find an Outlet Beyond Work

Engaging in activities that provide mental relief is essential. For me, that includes reading (both work-related and for pleasure), swimming, shooting, gaming, talking with friends, riding my trike, or going to the movies. Whatever it is for you, sports, music, art, hiking, find something that allows your brain to reset.

3. Use Your Vacation Time (and Actually Unplug!)

Many of us accumulate vacation days but hesitate to use them, fearing work will pile up. Use your time off. Fully unplugging, even for a few days, can reset your perspective and prevent burnout from spiraling.

4. Set Realistic Expectations

CISOs often feel like they must handle everything themselves. This mindset is a fast track to burnout. Know your limits and delegate where possible. If you have a team, trust them. Security is a team effort, and you don’t have to be a hero every day.

5. Prioritize Physical Health

Regular exercise is one of the best tools against stress. Studies show that physical activity boosts serotonin and helps improve cognitive function. Even a short walk or stretching routine can have a profound impact on your mental state.

6. Create a Routine to Reduce Decision Fatigue

CISOs make critical decisions every day. Over time, constant decision-making wears down mental resources. Structuring parts of your day, whether it’s a morning routine, meal planning, or even wearing the same style of clothing, can free up brainpower for more important decisions. Top executives, from Steve Jobs to U.S. presidents, rely on routines to reduce decision fatigue.

7. Get Enough Sleep (And Learn to Recognize Fatigue)

It sounds simple, but lack of sleep is one of the biggest contributors to burnout. Fatigue affects judgment, reaction time, and emotional resilience. If you’re waking up exhausted, it’s time to reassess your sleep habits. Short naps can also provide quick recovery when needed.

8. Talk About It—Don’t Struggle Alone

Burnout thrives in isolation. CISOs are often expected to be strong, resilient, and unshakable, but everyone needs support. Find someone you trust, a friend, colleague, mentor, or therapist—and talk about what you're experiencing. Sometimes, just saying things out loud can bring clarity and solutions.

Final Thoughts

Burnout isn’t a sign of weakness; it’s a signal that something needs to change. Recognizing the warning signs and taking proactive steps can prevent long-term damage to both your well-being and your career.

If you’re feeling overwhelmed, step back, reset, and reach out. You’re not alone, and help is available. Cybersecurity is a tough job, but it shouldn’t come at the cost of your health and happiness.

That Pesky Little Detail: Data in an AI World

Thu, 27 Feb 2025 20:54:45 GMT

A little cottage industry seemingly arises at the conclusion of each decade, joyously pointing out those long-since forgotten, failed techy items from the past 10 years that were supposed to impact the world but were miserable failures instead.

While we are only at the midpoint of the 2020s, it is safe to say AI will not be the next Google Glass, 3D television or the loads of other mainstays on the 2010s lists of IT infamy.

Higher education quickly realized both the potential AI positives and negatives as it applied to the teaching, learning and academic research space (think plagiarism on one hand matched against the prospect of personalized learning on the other). Underscoring this fact is the groundbreaking recent announcement that the California State University System intends to become the nation’s “first and largest AI-empowered university system” ( https://www.calstate.edu/csu-system/news/Pages/CSU-AI-Powered-Initiative.aspx ).

However, AI adoption for administrative tasks – providing desperately-needed help as struggling institutions look to lower costs, attract/retain more students, and obtain external support via fundraising, grants, etc. – has been a little more deliberate.

But this is changing fast, as it seems every higher education information system vendor is now flexing its AI muscles – or at least the sales and marketing teams are doing so. Phrases like ‘Throw your CRMs into the trash bin because mine innovates using AI’ or ‘I’ll see your legacy registration system and raise you a machine language course schedule wizard’ are lurking in that sea of PR if you read between the lines hard enough.

The fear of missing the AI train must be balanced because higher education cybersecurity and data privacy risks because AI requires data and that’s where things get complicated.

Higher education is always among the most vulnerable industries because its data is so valuable to cyber attackers, and it is considered an easy target. No industry has the combination of user churn, number of inexperienced and casual users, the plethora of personal devices, and an overriding culture of openness. Couple it with IT budgets and staffing often facing unprecedented challenges and it is a mix that attracts bad actors from across the globe. The increasing AI usage will likely bring even more frequent, more sophisticated attacks.

Adding to the complexity is the presence of shadow systems housing sensitive or confidential data lurking in higher education for some 40 years. Among the relevant examples are a power user downloading student fiscal data onto a personal hard drive, a researcher locally storing sensitive data, and an office which has deployed an information system for which the IT department does not even know exists.

Consider the dark possibilities if a user innocently exposes such data to a GenAI model.

This all means answers to traditional questions like ‘Where is the data actually stored and what security measures exist for that data both at rest and in transit?’ and ‘How robust are the tools restricting data access?’ deserve more scrutiny than ever.

Perhaps more importantly, the question of ‘Does my executive who listened to AI hype at a conference last week and is now eager to buy an AI-infused product fully grasp the potential risk?’ At one time, it may have taken a concerning cybersecurity audit finding to catch the attention of the institution’s board or cabinet. But these can no longer those times and executive recognition of AI risk up front is critical.

Executive leadership should prioritize the creation of practical, common-sense policies governing AI usage. Tactical and operational leadership needs empowered to keep those policies up to date and to make key decisions on tools and techniques to help keep data safe. They can then build appropriate procedures, guidelines, standards, FAQs, and best practices so users can effectively work in an emerging AI world.

Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

What The HECVAT: Version 4 Arrives

Tue, 18 Feb 2025 22:29:11 GMT

The highly anticipated Version 4 of The Higher Education Community Vendor Assessment Toolkit ^TM (HECVAT) has arrived, which is big news for the higher ed. IT community and the software vendors who serve the industry.

For HECVAT veterans, the inclusion of AI-related questions for vendors probably serves as HECVAT 4’s major highlight. The critical area of data privacy also receives a more in-depth treatment. It also includes a streamlined process for vendors attempting to complete the assessment, which should hopefully lead to even more assessed products. According to The Research & Education Networks Information Sharing & Analysis Center (REN-ISAC), vendors offering nearly 200 products have completed a HECVAT assessment. REN-ISAC tracks the current list ( https://www.ren-isac.net/hecvat/cbi.html ) as reported by vendors.

Educause has a dedicated Version 4 webpage ( https://er.educause.edu/articles/2025/2/hecvat-4-better-than-ever ) for those with HECVAT experience, bringing together relevant HECVAT 4 enhancements and other details. Much thanks go to the 21 individuals who served as HECVAT 4 volunteers and the nine-person HECVAT Advisory Committee. These folks join dozens of others who have pitched in over the years.

For newcomers, HECVAT is a no-cost questionnaire for vendors intended to assess cybersecurity, risk mitigation and privacy practices applicable to a product. Created in 2016 and governed by a mix of higher education IT experts along with industry heavyweights like Educause, REN-ISAC, and Internet2, HECVAT is fortunately driven by the higher education community itself. Compliance to items driven by an external force - such as federal or state law - may not meet the industry’s evolving needs in a complete and/or timely manner.

The HECVAT questionnaire for vendors is very extensive. Depending on certain factors, vendors can be asked to supply some 350 general facts or answers to questions in offering institutions a complete assessment. Like the HECVAT itself, the questionnaire is higher education-centered, which is a big plus. Questionnaire components include:

Organization Details
Documentation of cybersecurity-related items, how the vendor assesses third parties it uses, change management, and policies, processes, procedures.
Product
Authentication, authorization, account management, and data.
Infrastructure
Application and service security, datacenter, firewalls, ID, PIS and networking, incident handling, and vulnerability management.
IT Accessibility
Various elements of accessibility
Case-Specific
Consulting services, HIPAA and PCI compliance, and on-premises data
AI
General information, policy, security, machine learning, and LLM from an AI perspective
Privacy
General information, company details, documentation, third parties, chance management, sensitive data, policies and procedures, international-specific items, data, and AI from a privacy perspective

HECVAT also provides institutions with an impressive customizable mechanism to evaluate the vendor assessment based on institution-specific requirements and priorities. Educause supplies a brief video demonstration for institutions ( https://www.youtube.com/watch?v=yC3_cK0e1bg ) and more complete tips and best practices for written format ( https://www.educause.edu/higher-education-community-vendor-assessment-toolkit/how-to-use-the-higher-education-community-vendor-assessment-toolkit ).

Institutions can use these results to determine if the product is viable – or even preferable – based on how the product complies with the institution’s expectations or requirements. The questionnaire’s goal is to provide institutions with a deep perspective on a software product’s status in the critical areas of cybersecurity and privacy. It also holds the potential to look at competing products in these areas with an apples-to-apples to view.

More than 180 higher education entities have publicly reported their use of HECVAT. Since some of these entities are consortiums or State Systems and some likely have not reported usage publicly, the number of actual institutions using HECVAT is larger. The HECVAT 4 expansion into AI, privacy, etc. should bring even more participation.

The go-to resource for ‘all things HECVAT’ is part of the Educause website ( https://www.educause.edu/higher-education-community-vendor-assessment-toolkit ). The FAQ sections for institutions and corporations are most helpful for both the novice and the experienced individual.

Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

Securing Higher Education: The Importance of CMMC Compliance

Mon, 10 Feb 2025 16:59:22 GMT

Higher education institutions performing research and other partnerships with Federal Government agencies are relied upon for insights and advancements but also for their ability to secure sensitive data associated with this work. For over a decade the Federal Government has relied upon contractual agreements and self-assessments to confirm that strict cybersecurity controls were in place. However, such self-assessments have proven inadequate and have resulted in weak security controls, sensitive information leakage, and even lawsuits charging false claims against universities for failure to implement contractual obligations.

Enter the Cybersecurity Maturity Model Certification (CMMC) —a framework designed to ensure robust cybersecurity practices and independent review of their implementation across the supply chain. For higher education institutions, understanding and implementing CMMC is not just a matter of compliance but a necessity for long-term success.

The Importance of CMMC

Higher education institutions often serve as hubs for federally funded research and development. These projects frequently involve sensitive information that must be safeguarded from malicious actors. Understanding CMMC and its implications on higher education is crucial for several reasons:

Critical Deadline: December 16, 2024
On this date, the final rule for CMMC went into effect, making compliance mandatory for any organization handling controlled unclassified information (CUI) or pursuing Department of Defense (DoD) contracts. For higher education institutions, this deadline solidifies the importance of aligning with CMMC to maintain eligibility for government research grants and contracts.
Protecting Federal Research and Contracts : Many universities conduct research funded by the DoD. CMMC compliance ensures they remain eligible for these critical projects.
Building Trust with Stakeholders : Compliance with CMMC demonstrates a commitment to safeguarding data, fostering trust with government agencies, private sector partners, and the broader academic community.
Reducing Cyber Risks : Universities are prime targets for ransomware, intellectual property theft, and espionage. CMMC provides a structured approach to mitigate these risks.

Why It Is Important

The higher education sector is no stranger to cyberattacks. From ransomware to phishing schemes, the threats are constant and evolving. For institutions managing sensitive government contracts, the stakes are even higher. Non-compliance with CMMC after December 16, 2024 can result in:

Loss of Funding : Failure to meet CMMC standards could lead to the loss of lucrative research contracts and grants.
Reputation Damage : A cybersecurity breach can erode trust and damage an institution’s reputation, affecting enrollment and partnerships.
Increased Liability : Universities that fail to secure sensitive data may face legal and financial repercussions.

What Higher Education Institutions Can Do

So, how can your institution prepare for CMMC compliance? Here’s a roadmap to get started:

Train Your Workforce - Ensure that your organization fully understands how to recognize areas that need to be secured, the CMMC requirements, and how to get started.
Complete a CMMC Readiness Assessment - Work with a CMMC expert to identify your sensitive data (FCI and CUI), inventory assets, create network and data flow diagrams, and limit assessment scope through architecture.
Complete a CMMC Self-Assessment - Assess each of the control requirements against your implementation. Determine remediation measures.
Implement Missing Critical Controls

Access Management : Ensure that only authorized personnel can access sensitive systems.
Multi-Factor Authentication (MFA) : Add an extra layer of security to user accounts.
Data Encryption : Protect data at rest and in transit with encryption protocols.

CMMC
-
specific Documentation
: policies (e.g., access control, awareness and training), Plans (e.g., System Security Plans, Incident Response Plan, Contingency Plan), and other documents (e.g,., list of authorized users, facility diagram, risk mitigation procedures).
Engage the appropriate Professional (e.g., for Level 2 a Certified Third-Party Assessment Organization (C3PAO) to perform a CMMC certification assessment.

Conclusion

The December 16, 2024, CMMC deadline underscores the urgency of preparing now. Compliance is more than a regulatory requirement—it’s a commitment to safeguarding the future of higher education. By taking proactive steps to secure systems and data, universities can protect their research, reputation, and partnerships. Don’t wait for a cyber incident to take action. Start your CMMC journey today and ensure your institution is prepared for the challenges ahead.

School District Leaders: Is Your District Suffering from Cyber Insecurity?

Fri, 31 Jan 2025 15:35:37 GMT

With cyber threats growing at an alarming rate, National Data Privacy Week (January 27–31, 2025) serves as a critical reminder: Take Control of Your Data. For many school leaders, cybersecurity can feel like an overwhelming challenge, filled with technical jargon and uncertainty. However, protecting your district from cyberattacks doesn’t have to be an insurmountable task.

The Rising Threat to Schools

An improved cybersecurity posture begins with recognizing that schools are increasingly targeted by cybercriminals due to the wealth of sensitive information they manage— student records, financial information, and staff credentials . The consequences of a cyberattack go far beyond operational disruption; they can impact student safety, community trust, and district finances.

Here are some of the most common cyber threats facing school districts today:

Ransomware – Hackers lock critical systems and demand payment for their release.
Phishing Emails – Deceptive messages trick users into revealing sensitive information or downloading malicious files.
Data Breaches – Unauthorized access to sensitive student and staff data, leading to privacy violations and financial losses.

Because student and staff safety are paramount in school district operations, the consequences and repercussions of these attacks can be severe and long-lasting. This makes it essential for districts to prioritize cybersecurity. As a school district leader, you have the power to strengthen your district’s defenses.

5 Steps to Fortify Your District’s Cybersecurity

1. Conduct a Cybersecurity Audit

Start by assessing your current systems to identify vulnerabilities. Understanding your district’s weaknesses is the first step toward building a stronger defense.

2. Develop a Cyber Incident Response Plan

A cybersecurity strategy is just as crucial as a physical security plan. Outline clear protocols to detect, contain, and recover from cyber incidents. Conduct regular drills to ensure your team is prepared to act swiftly when a threat arises.

3. Provide Cybersecurity Training for Staff & Students

Your best defense is awareness . Equip educators, students, and families with the knowledge to recognize phishing attempts, suspicious links, and unsafe online behavior. Cybersecurity is a shared responsibility.

4. Invest in Essential Security Tools

Implementing firewalls, encryption, multi-factor authentication, and endpoint protection can significantly reduce the risk of cyber threats. Strong defenses begin with the right technology.

5. Seek Expert Support

Partnering with cybersecurity professionals can provide the specialized guidance needed to protect your district. Consider working with trusted security advisors, local law enforcement, and government agencies , and evaluate whether cybersecurity insurance is a worthwhile investment.

Take Action This Data Privacy Week

National Data Privacy Week 2025 is the perfect opportunity to kickstart or enhance your district’s cybersecurity strategy. Whether it’s conducting an internal security review, hosting a cybersecurity awareness session, or drafting an incident response plan, every step forward matters.

At TriVigil , we understand that taking control of cybersecurity can feel daunting, which is why we offer a Quick Start program—helping districts move from cyber insecure to cyber secure with practical, actionable solutions.

Want to learn how to strengthen your district’s defenses? Let’s take the first step together.

Scott Bailey provides contracted consultant services to TriVigil.

Never “Get Over It”: 2025 Data Privacy Week

Mon, 27 Jan 2025 13:02:14 GMT

The body content of your post goes here. To edit this text, click on it and delete this default text and start typing your own or paste your own from a different source.

Becoming The Boss: Owning Your Data Privacy

Tue, 21 Jan 2025 17:57:19 GMT

With National Data Privacy Week just days away (Jan. 27-31, 2025), this year’s theme of “You have the power to take charge of your data” does a terrific job of focusing attention where it is warranted.

So, how exactly do we ‘take charge’?

A great place to start is to use Jan. 27-31 as that time to educate yourself, clean up where your online private data lives, and develop a plan to regularly keep providers from unnecessary access.

You are typically the customer of online tools (email accounts, online services, social media accounts, web browsers, mobile apps, online gaming, etc.), and it is time to wield that authority. Your private data is worth a fortune to some of these providers, but you do not need to be a computer whiz or a cybersecurity expert to reign in those who covet your data. Accepting and acting on that empowerment is the key concept.

An early step is to review the proliferation of tools you have accumulated that you no longer need and get rid of them. This will narrow the risk immediately. A few of us (and we know who we are!) have been piling these up dating back more than 25 years. Anyone remember when the predecessor of AOL burst onto the scene in 1985 to provide Commodore 64 users the ability to connect online? That’s 40 years ago as of this writing if you are keeping track.

It is long past time to sweep away those old tools and even newer ones that are neither enriching nor simplifying your life. Private data is often collected by these tools and is possibly shared even if not actively used. Our contacts, photos, and where we live could be among these items.

Set the bar high and wipe out the rest. With the online trash moved to the dustbin of our histories, it is time to look at the big players in our lives.

Deep dives into privacy settings for some 150 tools can be found at the terrific National Cybersecurity Alliance ‘Manage Your Privacy Settings’ site ( https://www.staysafeonline.org/articles/manage-your-privacy-settings ). The May 2024 edition splits privacy settings links across 17 categories for quick review - everything from mobile banking to dating sites. Reviewing the list is also a great way to jog your memory of that mobile app you signed up for 10 years ago but have long forgotten about.

This is where the value judgment with your most important tools is critical. “How much convenience do I want vs. how much privacy do I require?” is the defining question, but it likely will not result in a common answer across all the tools we access. For example, not providing your zip code may mean you have to entire it manually upon every visit to that site. How important is the time and hassle of typing in your zip code each time? It all depends on the value added.

When in doubt, there is typically no harm in locking down your privacy settings to the strictest level possible. If the provider’s options are either too limited or the tool becomes lousy when you tighten the settings, replacing it with a competitor offering more privacy options should be on the table. A provider failing to protect your private data by now may never improve until a new law forces their hand.

Fortunately, elected leaders are increasingly forcing those who possess our data to ensure privacy of that data is respected. Besides the traditional federal level laws executed via HIPAA, GLBA, and FERPA, various states have taken it further by authoring their own data privacy laws.

According to the International Associate of Privacy Professionals ( https://iapp.org ), similar laws had been signed in 19 states by early 2025 and several others were in the law-making process. The most well-known and first of these is the California Privacy Rights Act (CRPA) ( https://oag.ca.gov/privacy/ccpa ).

Taking control of your private data will likely be time consuming, it may degrade the value of some tools, and it might even result in changing providers – such as switching web browsers or email clients. However, making data privacy a regular part a safe computing commitment is time well spent!

Bill Balint is the owner of Haven Hill Services LLC, contracted as TriVigil’s Advisory CIO for Education.

A Resolution of Control: National Data Privacy Week

Thu, 19 Dec 2024 19:04:05 GMT

When it comes to all things cybersecurity, one is wise to always be thinking ahead. So – in a sense – 2025 should probably be well underway in the minds of the higher education Cybersecurity Family, including for ‘cousins’ like the data privacy clan.

Along these lines, one great New Year’s resolution is to kick off 2025 by embracing the 4th Annual Data Privacy Week, taking place January 27-31. Although a recent idea, the event’s roots date back more than 40 years.

According to the Federal Privacy Council (FPC), established by presidential executive order in 2016, Data Privacy Week honors the January 28, 1981 signing of the first legally binding international treaty addressing the protection of data in an increasingly digital world. That

January 28 date was designated National Privacy Day in the U.S. beginning in 2009 via congressional resolution. Privacy Day was expanded into a full work week in 2022.

Granted, the concept of data privacy extends well beyond a classic data breach. Cybersecurity and data privacy, therefore, certainly do not share a definition. But with so much privacy compromised by countless cyberattacks, it is easy to see why the public may equate them. At a high level when it comes to data, cybersecurity is focused on protecting private data and data privacy is more about individuals taking control of their own data.

Perhaps the European Union’s General Data Protection Regulation (GDPR), which sent shock waves through the U.S. higher education world when it was passed in 2016 and in

effect in 2018, might remain the ultimate example of that difference. GDPR and its ‘right to be forgotten’ clause added an entirely new burden for colleges and universities trying to figure out how to delete data about a person, often in a surgical manner.

Even figuring out what data elements the individual is allowed to have erased based on their relationship with the institution can be a time-consuming task. The institution must also contend with data retention requirements before acting.

Data on individuals who never became part of the institution community - such as a recruit from 15 years ago who never enrolled but filed a financial aid return or perhaps a

prospective donor who filled out a survey during homecoming but then never responded to further outreach – was everywhere in the pre-GDPR days. Data for student recruits on a search tape who never even applied could be stored in student information systems,

ancillary systems (CRMs, etc.), data warehouses, little shadow Access databases living on some power user’s hard drive and in office staff spreadsheets.

The potential damage caused by breaches and lack of user knowledge has simply exploded from there. A complicating factor for the institution is personal and institutional private data about an individual are ever-more deeply intertwined. In a social media and mobile

device-centric world with AI entering seemingly every realm at lightning speed, both the individual and the institution benefit from added data privacy.

As we know in the education sector, a critical first step is learning an discovering a solution before it is too late.

Fortunately, some institutions have taken the lead in adopting Data Privacy Week with information tailored to a higher education community. These are terrific examples of an institution benefitting its community, which in turn benefits the institution.

Yale University is among these leaders in spreading the work in a manner tailored to a campus community where there are many layers and differences among users. Yale’s Data Privacy Week webpage ( https://cybersecurity.yale.edu/data-privacy-week ) provides an extended video from experts, links to foundational resources from entities like the Federal Trade Commission and the National Cybersecurity Alliance, and a link to the National

Privacy Test from NordVPN ( https://nationalprivacytest.org/ ). Other content is also included.

Speaking of the National Cybersecurity Alliance (NCA), a key part of its site provides direct links to the privacy setting webpages at some 150 of the most popular apps, platforms and corporations ( https://www.staysafeonline.org/articles/manage-your-privacy-settings ). NCA provides a toolkit to support action steps for those who ‘Become a Champion’. Details can be found at its National Data Privacy Week webpage ( https://www.staysafeonline.org/data- privacy-week ).

While our users will soon focus on improving themselves using those new year’s

resolutions, resolving to enable them in taking control of their own data is a marvelous way to kick off 2025 and National Data Privacy Week is just the ticket.

Bill Balint is the owner of Haven Hill Services LLC, contracted as the Advisory CIO for Education at TriVigil.

Bah Humbug: Cyber Risk in Education – A Real Lump of Coal in the Stocking!

Fri, 13 Dec 2024 16:45:04 GMT

The holiday season is upon us, and for many in the education sector, it's a time for relaxation, reflection, and festive cheer. But before you hang up your stockings and sip that hot cocoa, let’s talk about something a bit less jolly—but just as important. Moody’s Investor Service, a leading global credit ratings agency, has dampened the holiday spirit by increasing the risk rating for education and non-profit sectors from “moderate risk” in 2022 to “high risk” in 2024. While "creditworthiness" and "cybersecurity" may not seem like a natural pairing, in today’s digital world, they are more interconnected than ever. Moody’s has long provided ratings for educational institutions based on financial health and related creditworthiness.

As cyber incidents in the education sector have surged in recent years, leading to financial losses, operational disruptions, and long-term damage to reputation, Moody’s now evaluates how educational institutions manage their cybersecurity risk and factors this attribute into its ratings. It is estimated that the education and non-profit sectors own nearly $356 billion in high-risk debt. From ransomware attacks to data breaches, the risks are as real as Scrooge himself, and if educational institutions fail to take proactive steps, they may very well end up with the proverbial lump of coal in their stockings.

With the holidays approaching, remember that while the season is about joy and goodwill, cybersecurity requires vigilance. The updated Moody’s cyber risk ratings are an important reminder that the education sector’s ability to mitigate cyber risks directly impacts its financial health and future stability. By investing in robust cybersecurity practices now, institutions can preemptively defend against the "Bah Humbug" of a cyberattack.

Is improving your education institution’s cybersecurity posture one of your New Year’s resolutions? If so, TriVigil can be your trusted partner in turning that pledge into a reality.

Wishing you a safe, secure, and cyber-safe holiday season!

Scott Bailey is a compensated consultant for TriVigil.

‘Tis The Season for The Gift That Keeps on Taking

Fri, 06 Dec 2024 17:45:35 GMT

‘Tis the season for hustling and bustling, while also (hopefully) watching the bottom line along with the inevitable waiting lines at the checkout.

For those in education writing ‘the big checks’ – perhaps with careers in addition to dollars – the costliest lump of coal in the stocking might just be a data breach at their institution.

What those of us in the industry hear and read on the financial side of data breaches is downright scary and even stretch the bounds of legitimacy. Counting on Mr. Scrooge to help with a donation is not an ideal strategy!

Questions like the following seem to be on the rise, including “Are these numbers real or just a scare tactic from the cybersecurity sector?”, “How do these so-called experts really know what it costs?”, “What happens if the institution simply cannot afford the cost?”, and “These numbers cannot be correct for education where we are not some huge corporation with industry trade secrets and/or stockholders?”

Unfortunately, cyberattacks are ‘celebrating’ their 25 ^th anniversary depending upon which historical reference is used, and it is a gift that keeps on taking with no end in sight.

First, it is unfortunate that a few institutions have paid the ultimate price, as did current and potentially future students either losing the gift of higher learning or - at best - having it interrupted, delayed and perhaps diminished.

One only needs to glance back at the tragic story of Lincoln College, which went from record student enrollment in 2019 to extinction in less than two years – closing at the conclusion of the 2021-22 academic year. Just a stunning, sad outcome.

According to the College’s official announcement, Lincoln “…was a victim of a cyberattack in December 2021 that thwarted admissions activities and hindered access to all institutional data…”. Lincoln further reported it took three months to fully restore the lifeblood of its information systems – recruitment, retention, and fundraising. Despite best efforts, a 157-year-old institution found itself with no viable option but to close its doors permanently.

According to the respected extensive annual research conducted by Ponemon Institute, contained in IBM’s 2024 Cost of a Data Breach Report, the price tag for those data breaches occurring from March 2023 through February 2024 at 604 impacted organizations spanning 17 industries and 16 countries reached an average of $4.88 million. This represents more than a $1 million average increase in four years. Unfortunately, the U.S. numbers are much worse at an average of $9.36 million.

Those seeking even a wisp of a silver lining can take comfort in the fact that education only ranked 15 ^th of the 17 researched industries with a $3.5 million cost average across the 16 countries. The three primary components – detecting the breach in the first place, the revenue loss incurred due to the breach, and all the actions needed to resolve the breach – can each top $1 million.

So, what will the damage be if a data breach hits this campus?

The Ponemon analysis used activity-based costing – which assigns cost to each activity in an organization. This would include items such as the human and software costs incurred just to determine and investigate the breach, as well as the ensuing loss of revenue and reputation. The resources needed to recover from the cyberattack – bringing in third-party cybersecurity companies after the fact, sometimes paying ransom, maybe providing identity theft insurance, legal counsel fees, the entire public relations strain, and communicating with victims all take a bite from a very expensive pie. At least one state incident response law even includes a possible $750,000 fine.

What is often is overlooked is the potentially devastating loss in productivity by the many employees who find the institution’s IT environment to be their lifeblood – made worse of the breach happens at a critical time of year.

Every major breach reaction runs the risk of generating major financial penalties. As just one painful example, research found victims still paid ransom in 37 percent of cases when law enforcement was involved. Moreover, only 52 percent even involved law enforcement in the first place.

So, what practical, common-sense actions really exist?

A great place to start is engaging a true, trusted partner before a catastrophe occurs. A partner with a clear understanding of the rapidly evolving cybersecurity landscape from a higher education-specific perspective. One that recognizes the ‘enrollment cliff’ crisis, changing perceptions about the value of education, and the entire concept of openness and academic freedom that often poses unique challenges.

The Ponemon research reveals 26 factors either decreased or increased the total cost of the breach by at least $150,000 across all 17 industries and 16 countries. No institution can expect to find the right combination of investments and emphasis with so many factors at play.

Bill Balint is the owner of Haven Hill Services LLC, contracted as the Advisory CIO for Education at Trivigil.

State Breach Notification Laws: When a Dark Force Prevails

Fri, 08 Nov 2024 18:01:40 GMT

With 2024 National Cybersecurity Awareness Month (NCSAM) now in the books, it appears NCSAM is continuing gain more traction on the 20 ^th Anniversary of its 2004 creation. Formed in the U.S., concept has become an international initiative observed on a global scale since October was designated as European Cybersecurity Month in 2012.

Perhaps the most important outcome of this increased focus is that executive leaders understand that cyber threats are a fundamental business risk and not simply ‘an IT issue’. A true understanding that “If there is a catastrophic cyberattack, the damage will likely reach higher on the organizational chart than the CIO and CISO.”

Specifically for the higher education sector, there are multiple outlets beyond just the campus IT department reinforcing safe computing practices, spotlighting the perils of cyber threats.

This increased visibility has been a long time coming and is long overdue.

Consider the Melissa Virus, which led to the FBI creating a ‘Cyber Division’, occurred in 1999. It has taken a quarter century to transform what was once a quiet little cybersecurity cottage industry into a computing behemoth.

But history tells us even the most prestigious academic institutions cannot prevent all cyberattacks and that some of these attacks produce catastrophic impacts. All the spending for the software, the hiring, and the training has not come close to defeating the ominous reality still staring at the industry.

Sometimes, dark forces simply ‘win’.

Among the countless attempts to use public policy as a weapon against these forces, perhaps it is time for state data breach notification laws to receive added focus. While federal rules and laws like GLBA, FERPA and HIIPPA are more universally known, compliance with state laws is a critical part of data breach incident response and understanding the laws prior to an incident is vital.

California became the first state with a notification law that took effect in 2003 before NCSAM even existed. The other 49 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have each followed suit by enacting laws during the ensuing years.

Not surprisingly, these laws tend to change as cyberthreats evolve and massive cyberattacks catch the public’s attention. The potential identity theft and exposure of personal, confidential information for millions of constituents builds demand for action from elected officials.

One example is the Commonwealth of Pennsylvania, which made important changes in both 2023 and 2024. The most high-profile change is that an entity that has a breach involving certain data elements impacting more than 500 state residents must inform the state’s Attorney General’s Office and notify consumer reporting agencies.

Intermittent changes like these are a complicating factor because the rules are often not static and might not be the same as they were the last time an institution fell victim to a breach. Furthermore, the laws – while generally similar – are a patchwork across the country and have important differences in some cases.

Based on a small, informal sample of state laws, a general key is that an individual’s last name – if combined with first name and/or middle initial - is a trigger point to examine what other data items were compromised in the event of a breach. Some states have exceptions where the law can be triggered even without the name under certain conditions.

The breach of data in three key areas - social security numbers, driver’s license numbers and/or fiscal information – appear to be universally accepted as being part of personal information, especially when paired with name. But definitions are broader in some laws. Dates of birth, student Id numbers, health insurance policy numbers, passport Id numbers, and biometric data are just some examples of what is included based on state.

The amount of time permitted to provide breach notifications, the number of breached records needed to trigger certain steps, and the penalties for non-compliance are also state-specific. Even the names of the laws differ by state.

Fortunately, there are many websites that can assist in the learning process. Among the comprehensive options is The National Conference of State Legislatures, which provides links to many state laws via its Security Breach Notification Laws webpage ( https://www.ncsl.org/technology-and-communication/security-breach-notification-laws ).

There are also numerous comprehensive commercial websites – such as those created by law firms or other entities that track public policy – where state laws can quickly be compared for informational purposes. However, a best practice is to review state-specific deep dive websites that offer nuances and even advice on how to apply a state’s law.

Bill Balint is the owner of Haven Hill Services LLC, contracted as the Advisory CIO for Education at Trivigil.

Navigating Cyber Turbulence: A Superintendent's Path to Dissecting E-Rate Cybersecurity

Tue, 08 Oct 2024 17:23:36 GMT

In my most recent blog post , I explored an analogy between the role of a commercial airline pilot and a school district superintendent. Both roles require a constant awareness of their surroundings, and they must carefully monitor their radars to avoid turbulence and disruptions. Just as pilots, superintendents, and ed tech leaders are continually bombarded with information that must be prioritized and addressed, guiding those in their care to their respective destinations safely.

Reflecting on my own journey, I remember a pivotal moment when I was a candidate for administrative certification. I faced timed, high-pressure in-basket challenges that required me to respond to simulated crises—like parent concerns, bus accidents, and board member requests—rapidly and effectively. Passing that test was nerve-racking, but it prepared me for the real-life turbulence that comes with the superintendent role. I’m confident that a cybersecurity event has been added to those in-basket activities.

FCC’s New Pilot Program on the Horizon

In keeping with the pilot/superintendent analogy, some good news has just appeared on the radar. Recently, the FCC announced a three-year cybersecurity pilot program under the Universal Service Fund, allocating up to $200 million to help schools and libraries bolster their cybersecurity defenses.

This new initiative, aptly named the "pilot" program, has a time-sensitive application window open from September 17, 2024, to November 1, 2024. For school districts, this is a tremendous opportunity to respond swiftly and reinforce their digital defenses. This program aims to set a national precedent for sustained funding in the school cybersecurity landscape, enabling applicants to analyze and improve their cybersecurity postures. As more districts apply, the FCC can better evaluate how to extend support more permanently in the future.

The Role of a Trusted Cybersecurity Partner

Just as a pilot relies on an air traffic controller for navigational assistance, superintendents and ed tech leaders also need a trusted partner to help them navigate the turbulent cybersecurity landscape. That’s where TriVigil comes in. TriVigil, a company dedicated to empowering school districts with comprehensive prevention and protection services, can serve as your air traffic controller.

With a focus on people, policy, and technology, TriVigil provides the tools necessary to navigate the complex and constantly evolving digital environment in education. Cybersecurity may be highlighted during October’s National Cybersecurity Month, but in reality, it’s a 12-month

responsibility.

October 15 ^th E-Rate Cybersecurity Webinar

On October 15 ^th at 2:30 ET I will be participating in a webinar with Dr. Sheryl Abshire, former CTO Calcasieu Parish Public Schools, and Mark McGinnis, TriVigil’s Chief Evangelist, to discuss the importance of the E-Rate program and specifically the new Cybersecurity Pilot Program. If you would like to learn more, please feel free to join us by registering HERE .

Stay Vigilant, Stay Secure

In these challenging times, remember that vigilance is essential. The safety and security of our educational communities depend on proactive cybersecurity measures. As we move forward, let's continue to prioritize these initiatives and seize opportunities like the FCC's pilot program. A more secure digital future awaits. Let’s move this to the top of our in-basket tasks!

Scott Bailey, Baileywick Consulting LLC (paid consultant of TriVigil)
Contact TriVigil

'Falling' into National Cybersecurity Awareness Month 2024

Wed, 18 Sep 2024 19:09:34 GMT

Faculty members are tired. Students are tired. Staff and administrators are tired. Those charged with trying to pay the bills are simply exhausted.

The education industry is bone weary from the almost daily news about yet another cybersecurity attack, stealing even more of the public’s private data. Weary of seeing their lives being increasingly complicated by constantly changing (and sadly not always effective) attempts at protecting their sensitive and confidential data. Passwords and PINs and facial recognitions and bouncing to text messages with that code to type back in before it expires.

It is really all too much.

The latest saga in this warped docuseries that never seems to have a final episode was the National Public Data (NPD) breach of background check data in which more than 2.5 billion records were stolen containing personally identifiable information, including social security numbers and even names of relatives. The fact NPD is sometimes used as a fraud prevention service is a microcosm of the irony surrounding many of these cases.

None of this is bound to stop anytime soon, but maybe a little well-spent time and focus on cybersecurity once a year could reduce that ominous risk.

Enter National Cybersecurity Awareness Month (NCSAM), which celebrates its 20th Anniversary in October. While certainly not as appealing on the surface, at least, to other celebrations that also claim October like National Roller Skating Month and National Positive Attitude Month, NCSAM takes no back seat when it comes to importance.

Sure, vigilance against the evils cybersecurity attacks is a 24 X 7 X 365 endeavor. But embracing 31 of those days to educate ourselves and take action – hopefully concluding with a great trick-or-treat ending – can make the following year less of a personal concern.

A great place to get started is with the non-profit National Cybersecurity Alliance (staysafeonline.org). The site features a treasure trove of practical, easy to digest quick pointers that can help make safe computing practices much easier to adopt.

Just one great resource is a webpage featuring links to the privacy policies for dozens of the most popular and important websites when it comes to personal information. Clearly arranged into categories such as mobile banking, health applications, social media and even dating sites, the Alliance can lead you to answers in a hurry.

The story gets better for those of us in education. NCSAM includes a section dedicated to free and low-cost resources targeted to teachers and students in the K-6, 6-12 and higher education sectors. Among the resources are tips for how best to encourage children to care about cybersecurity. Simple, practical advice all contained in what NCSAM estimates is a four-minute read.

NCSAM obviously makes its most positive impact when the institution itself gets on board. An institution’s participation by using October to recognize the serious impact cybersecurity attacks have on our lives, that of our institutions and society, in general, can make a significant positive impact. A great first step is for the institution to become a Cybersecurity Awareness Month Champion, which is a simple and free designation to – in the words of the Alliance - “represent those dedicated to promoting a safer, more secure and more trusted internet.”More than 100 educational institutions – ranging from K-12, higher education – took the pledge in 2023.

Since NCSAM was cofounded in 2004 by The Alliance along with the U.S. Department of Homeland Security in 2004, it is fitting the U.S. Cybersecurity & Infrastructure Security Agency (CISA) also offers a great free resource via its Secure Our World site (www.cisa.gov/secure-our-world) site.

Secure Our World is a terrific resource for education, as it includes resources like posters that can be placed in halls, classrooms, labs and libraries. There are more than a dozen two-page ‘tip sheets’ with colorful, easy-to-read infographics that can help our institution’s community at a glance. With subjects like passwords and multi-factor authentication (MFA), the focus is on the end user. Throw in a free cybersecurity bingo card for youth and another for organizations, and even the most resource-constrained institution can benefit.

The reality is no 31 days will stop events like the NPD breach. It will not stop the gloomy report from Malewarebytes (Based on ThreatDown research) that education was the victim of 265 known attacks in 2023 after the 129 just one year earlier.

But the silver lining in the cybersecurity space is that any improvement makes a positive difference. One fewer successful attack can make a tremendous impact. We can all hope for a year when cybersecurity professionals in education can replace thoughts of NCSAM with National Positive Attitude Month.

Bill Balint is contracted as the Advisory CIO for Education at Trivigil via Haven Hill Services LLC

Navigating the Digital Skies: A Superintendent's Perspective on Cybersecurity in Education

Wed, 14 Aug 2024 17:41:34 GMT

Written by: Scott Bailey

former Superintendent and current CEO of Baileywick Consulting

During my tenure as a K-12 public school district superintendent, I often likened the role to that of a commercial airline pilot. The comparison is more than a metaphor; both roles are highly accountable for the well-being and safety of those in their care—whether passengers and crew or students and staff. Just as pilots constantly monitor their radars for potential threats, school superintendents must be ever-vigilant, scanning for risks that could impact their educational communities.

Even after retiring, my commitment to supporting school district leaders remains strong. Through my ongoing involvement with the District Administration Leadership Institute ( DALI ) Superintendent Summits, I’ve had the privilege of engaging with educational leaders from across the country. One concern consistently rises to the top: cybersecurity. According to a recent Consortium for School Networking ( CoSN ) survey, cybersecurity is the No. 1 priority for ed-tech leaders in 2024.

Aviation and Cybersecurity in Education?

The parallels to aviation persist. Like pilots determined to avoid turbulence and ensure a smooth flight, school district leaders are equally resolute in mitigating disruptions and shielding their communities from threats. In today’s landscape, where ransomware attacks and data extortion stories are making headlines with increasing frequency, it’s more crucial than ever to implement robust cybersecurity strategies.

Working with Trusted Partners

However, the challenge is significant. School districts often operate with limited staff dedicated to cybersecurity, making it essential to find a trusted partner to help shoulder the burden. One such partner is TriVigil , a company committed to empowering school districts with comprehensive prevention and protection services. TriVigil’s focus on people, policy, and technology provides the tools necessary to navigate the complex and ever-changing digital landscape.

For those of you leading school districts, I urge you to stay vigilant. Cybersecurity is not just an IT issue; it's a mission-critical priority that affects the very fabric of your educational community. Consider connecting with the cybersecurity advisors at TriVigil to explore how their services can help safeguard your district. They even offer a complimentary consultation to get you started.

Stay vigilant, my friends! The safety and security of your educational community depend on it.

Scott Bailey of baileywick consulting LLC is a paid consultant of TriVigil.