Page 36 - Security Today, November/December 2023

“Traditional cybersecurity hygiene practices, while undeniably crucial, are no longer enough to address the complex and sophisticated threats that educational institutions face today.”

can leverage advanced machine learning (ML) and AI to autonomously scan and categorize student data, regardless of where it is stored (including in structured and unstructured data repositories, email/messaging applications, cloud or on-premises storage) all with semantic context. It can identify the data, learn its usage patterns, and determine if it’s at risk. This thorough discovery and identification process is also especially important for educational institutions aiming for FERPA compliance.

Action item. Host workshops and webinars to educate staff about the types of sensitive data (PII, IP, etc.) in your institution and why it’s crucial to protect them.

MONITOR AND CLASSIFY STUDENT DATA FOR RISK

After identifying student data, it is equally important to monitor its usage, sharing patterns and access logs. This continuous monitoring can quickly and accurately detect risks from inappropriate permissions, risky sharing, and unauthorized access. When this process is conducted autonomously, the burden on IT and security teams is drastically reduced – a massive benefit for the education sector, which often lacks those resources.

Equally important is to ensure student data is classified based on its sensitivity and significance, which enables institutions to apply suitable data protection measures and implement data retention policies.

Action item. Dedicate a week to auditing and correcting data permissions across all platforms. Make it a company-wide initiative.

REMEDIATE DATA RISK ISSUES

The ability to identify and classify sensitive student data puts institutions in a great place; but once identified, any vulnerabilities and risks found must be remediated.
Leveraging deep learning, DSPM solutions can compare each data element with baseline security practices used by similar data to detect risk – even without relying on rules and policies. Even better is to address these access risks in real-time – whether it is remediating access control issues, disabling sensitive file sharing, or blocking an attachment in a messaging platform.

Action item. Run mock drills to simulate scenarios where sensitive data might be at risk due to inappropriate permissions or risky sharing. This happens far more often than you think.

PROMOTE CONTEXTUAL AWARENESS

Context matters. A piece of data that seems harmless can become a security risk when placed in a different context — like a student’s first name. On its own, a first name like “John” seems harmless. But combined with other pieces of data such as a last name, email address, or office location, it can be used to craft a convincing phishing email.

Here’s an example. Let us say a student or staff member receives an email that addresses them by full name and references a specific class location or recently published research. It would appear more legitimate and could trick an unsuspecting person into revealing sensitive information or clicking on a malicious link.

Education staff and students should be trained to consider the broader implications of the data they manage, including how it interacts with other data and systems.

However, monitoring alone isn’t sufficient. The sector must also be equipped with automated remediation workflows capable of responding to threats with speed and precision. In the event of a security incident, these systems can quarantine affected systems, revoke access, and initiate incident response protocols to contain and mitigate damage.

Action item. Use real-world examples to show how data can be misused if taken out of context. Encourage staff and students to think before they share.

DEPLOY BUSINESS CONTINUITY AND SECURITY POLICIES

The development and enforcement of clear, comprehensive data security policies are crucial. These policies must be tailored to the educational context and enforced consistently, with transparent consequences for non-compliance.

But beyond policies, data security in education requires the engagement of all stakeholders. It is not solely an IT issue; it involves administration, legal teams, academic departments, and students.

Action item. Create a collaborative culture where data security is a shared responsibility, which can translate to more effective DSPM strategies.

FINAL THOUGHTS. THE FINANCIAL UPSIDE

Robust data security practices serve as a multifaceted strategy within educational institutions. Beyond acting as a protection mechanism against potential breaches, these practices are instrumental in mitigating the rising costs of cybersecurity insurance.

By demonstrating a solid commitment to data security through regular risk assessments, implementing advanced threat detection systems, enforcing strict access controls, and maintaining an educated and aware workforce, educational institutions can improve their security postures.

Ultimately, deploying DSPM solutions in the educational sector should be strategic and proactive. By identifying all sensitive data, monitoring risks, and remediating threats, institutions can protect student data and intellectual property effectively. This process transcends technical solutions and requires a cultural shift that elevates awareness and education about cybersecurity risks.

Karthik Krishnan is the CEO at Concentric AI.