Skip to main content

Balancing Zero Trust with Academic Freedom in Higher Education

By December 1, 2020May 12th, 2022Blog

While communication management and governance are universal cybersecurity concerns across all businesses, there are few organizations with a more complex cybersecurity risk profile than higher education. Colleges and universities process payments and wire transfers; store staff and student Social Security numbers, citizen IDs, and health records; develop sensitive intellectual property; and provide housing. Not only are the cybersecurity risks associated with such data significant, but so are the consequences of a breach. Breaches can lead to loss of funding, loss of accreditation or, in extreme cases, to lawsuits and/or criminal charges against leadership.

It is easy to understand why “management through silos” is an appealing approach within the higher education community, especially given the numerous and costly compliances that each individual department must meet including HIPAA , FERPA, PCI, SAIG, HEA, GLBA, NIST 800-171, and Sarbanes-Oxley.

According to a National Association of Student Financial Aid Administration (NASFAA) report, “The cost of compliance with federal regulations at institutions is between 3 percent and 11 percent of total non-hospital operating expenditures.”

The report went on to break down compliance costs this way:

  • Of the estimated $27 billion cost of federal compliance for the entire higher education sector, an estimated $17 billion goes toward higher education (including financial aid) and all-sector compliance, with the remaining $10 billion going to research-related compliance.
  • When broken down by sector, community colleges were estimated to rack up $6 billion in compliance costs and for-profit institutions were estimated to incur $1 billion with four-year, nonprofit institutions incurring the remaining balance.

“It just drives people bananas, and they don’t pick good passwords no matter what you do”, Burr told the Wall Street Journal.”

While those costs are high, being saddled with fines and penalties can add an enormous burden for an already cash-strapped institution that is also trying to attract and appease top researchers, instructors, and students, each looking for unencumbered resources, freedom to explore new teaching methodologies, or an opportunity to gain a unique experience. As a result, universities often need to find methods to balance zero trust with academic freedom. To complicate matters further, CISOs are having to look for additional ways to manage cybersecurity during a world-wide pandemic as more staff and students are working remotely.

Up to now, the first line of defense when fighting cyber threats has been educating students and staff on better password hygiene practices. And while that approach has provided some measure of success, it does not address a larger issue. In the 2019 State of Password and Authentication Security Behaviors Report conducted by the Ponemon Institute, the bigger issue is the use of passwords themselves—not the lack of knowledge, but the lack of convenience.

2019 State of Password and Authentication Security Behaviors Report conducted by the Ponemon Institute

2019 State of Password and Authentication Security Behaviors Report conducted by the Ponemon Institute

Let’s face it: the Ponemon Institute’s findings represent how most of us feel about passwords. In a 2003 interview with the Wall Street Journal, Bill Burr, who developed the lower/upper case and special character password rules while a manager at the National Institute of Standards and Technology (NIST), said, “It just drives people bananas, and they don’t pick good passwords no matter what you do.” Burr is correct; passwords do drive us “bananas” and, as a result, we often make poor password choices that, in turn, introduce new risks. And with millions of staff and students working and studying remotely, never has there been a greater risk from phishing, hacking, and other fraudulent actions .

The Ponemon Institute went on to measure the actual costs of simple password resets. Its research found that entering and/or resetting passwords took an average of 12.6 minutes per week, 10.9 hours per year. Based on the average headcount in this research of almost 15,000,  the institute estimated the loss of productivity and labor averaged $5.2 million annually. That is a sizable amount for any organization, let alone an institution in constant search of endowments.

To compensate for poor password hygiene, some campus CIOSs have added a two-step verification process known as multifactor authentication (MFA) that includes a mobile two-factor authentication code sent via text message. However, even MFA does not guarantee that the information is safe from hackers and other bad actors who can detect digital signature patterns, decipher correct answers to security questions, and steal sensitive information.

But there is hope. While most of us have come to terms with the fact that it is impossible to totally eliminate cyber threats, fortunately there are ways to reduce risk, even for organizations as complicated as those in higher education.

One way is by implementing an MFA process with multi-frictionless biometric verifications across the entire network, including vendor portals. And according to TechBeacon, there are numerous reasons for adding vital protections across the entire network. Here are some of those:

  • Security breaches caused by hackers who steal passwords account for 95 percent of all cyber-attacks.
  • Identity theft is increasing because it is a low-risk/high-reward crime, especially for criminals located outside a legal jurisdiction.
  • Network-side IT security, such as antivirus software, firewalls, malware detection, vulnerability testing, intrusion blocking, and other network monitoring is useless against a holder of valid but stolen credentials. A login seems authentic if no one knows the credentials have been stolen.
  • A hacker may go undetected for years if the hacker logs in with stolen credentials. In corporate espionage, valuable information that creates a competitive advantage may be compromised without anyone being aware of what is happening.

Today’s technology advancements in frictionless biometric authentication adds additional layers of defense against cyber threats. Biometric developers have made great advancements beyond simple finger/palm prints and facial recognition. They have developed an authentication layer that includes behavioral characteristics that are related to an individual’s pattern of behavior, such as one’s gait or voice. It is nearly impossible to copy or imitate somebody else’s behavior well enough to fool behavioral biometrics verification because everyone’s mannerisms and body language traits are shaped by social and psychological factors, making them unique. This is one of the main reasons many OEMs are stepping up to do their part in combating cyber threats and have begun to incorporate biometrics into their devices. In addition, people are becoming more familiar with using their physiological characteristics like finger/palmprint, face, and retina to unlock their computers and mobile devices.

While savvy CISOs will continue to educate staff and students on password best practices, they are also utilizing multifactor biometrics to help balance zero trust with academic freedom, which is no easy task in their highly complex and competitive environment.

To learn more about the advancements in biometric authentication, visit


Request Demo

"*" indicates required fields