Technology & Innovation

Cybersecurity for VASCOs: Protecting Sensitive Data

A comprehensive framework for VASCOs to implement cybersecurity best practices, identify vulnerabilities, train staff appropriately, and develop incident response protocols for protecting sensitive veteran data.

15 min read

As a VASCO, you handle extraordinarily sensitive information daily: Social Security numbers, service records, disability ratings, financial aid data, academic transcripts, and more. A single data breach could expose hundreds or thousands of veterans to identity theft, fraud, and serious harm. Yet many VASCOs lack formal cybersecurity training, relying on institutional IT policies that may not address the unique vulnerabilities of veteran services operations. Cybersecurity isn't just IT's responsibility—it's everyone's, and the stakes for veteran data are exceptionally high.

The Cybersecurity Threat Landscape

  • Higher education experiences 40% more cyberattacks than other industries
  • Veterans are 2x more likely to be identity theft targets (military service history makes them valuable)
  • 83% of data breaches involve human error—not sophisticated hacking
  • Average cost of higher ed data breach: $3.86 million, plus reputational damage
  • VASCOs often have elevated system access but inconsistent security training

This guide provides practical cybersecurity protocols specifically tailored to VASCO operations, helping you protect the veterans you serve while maintaining operational efficiency.

Understanding the Threat Landscape

Before implementing protections, understand the most common threats VASCOs face:

Threat 1: Phishing Attacks

What it is: Fraudulent emails designed to trick you into revealing passwords, clicking malicious links, or downloading malware

Common Scenarios:

  • "Urgent" email from "VA" requesting you verify student information via link
  • Fake student email asking you to open attachment or click link for certification documents
  • Spoofed IT department email claiming your password will expire, directing to fake login page
  • "Dean" or supervisor requesting wire transfer or confidential student information

Impact: Account compromise, data theft, ransomware infection, financial fraud

Threat 2: Unsecured Data Storage

What it is: Sensitive information stored in locations without appropriate security controls

Common Scenarios:

  • Student records in personal Dropbox, Google Drive, or email accounts
  • SSNs and benefit info in unencrypted Excel spreadsheets
  • Physical documents left unsecured on desk overnight
  • Backup USB drives containing sensitive data without encryption

Impact: FERPA violations, identity theft, regulatory penalties, institutional liability

Threat 3: Weak Authentication

What it is: Insufficient password security or lack of multi-factor authentication

Common Scenarios:

  • Simple, reused passwords (VeteranServices2024!)
  • Passwords written on sticky notes near computer
  • Shared accounts or passwords among office staff
  • Multi-factor authentication disabled for convenience

Impact: Unauthorized system access, data exfiltration, impersonation

Threat 4: Insider Threats (Unintentional)

What it is: Well-meaning staff accidentally creating security vulnerabilities

Common Scenarios:

  • Emailing student records to personal email to work from home
  • Discussing student cases in public spaces (coffee shops, hallways)
  • Leaving computer unlocked when stepping away from desk
  • Using public WiFi to access student information systems

Impact: Data exposure, FERPA violations, privacy breaches

Essential Security Best Practices

Implement these foundational security practices immediately:

Practice 1: Strong Authentication

✓ Password Requirements:

  • Minimum 16 characters (longer = stronger than complex symbols)
  • Use password manager (1Password, LastPass, Bitwarden) to generate and store unique passwords
  • Never reuse passwords across different systems
  • Change immediately if breach suspected

✓ Multi-Factor Authentication (MFA):

  • Enable MFA on ALL systems containing student data (SIS, email, cloud storage)
  • Use authenticator apps (Google Authenticator, Microsoft Authenticator) over SMS when possible
  • Keep backup codes in secure location
  • Never share MFA codes or bypass MFA for convenience

Practice 2: Secure Data Handling

Digital Data:

  • Only use institutional systems (never personal cloud storage)
  • Encrypt sensitive files (built into Office, Google Docs)
  • Delete data when no longer needed (don't hoard)
  • Use secure file transfer methods for sharing
  • Never email SSNs or sensitive data unencrypted

Physical Data:

  • Lock filing cabinets containing student records
  • Shred documents before disposal (cross-cut shredder)
  • Never leave sensitive documents unattended
  • Lock office when leaving, even briefly
  • Minimize printing of sensitive information

Practice 3: Email and Communication Security

Identifying Phishing Emails:

  • Verify sender address carefully (hover over name to see actual email)
  • Be suspicious of urgent requests, especially financial or password-related
  • Don't click links in unexpected emails—navigate directly to websites instead
  • Hover over links to preview destination before clicking
  • When in doubt, contact sender through known channel to verify

Sending Sensitive Information:

  • Use institutional secure email system or encrypted file sharing
  • Never include SSNs in email body—use last 4 digits only if necessary
  • Verify recipient address before sending (typos = wrong person)
  • Use BCC for group emails protecting student privacy

Practice 4: Device Security

  • Computer security: Enable automatic screen lock (5 minutes max), use full disk encryption, keep software updated, never leave unlocked
  • Mobile device security: Require passcode/biometric lock, enable remote wipe capability, avoid accessing sensitive data on public WiFi
  • Remote work: Use VPN for off-campus access, never use public computers for student data, ensure home network is password-protected
  • USB drives: Encrypt if used for sensitive data, never leave unattended, properly dispose when no longer needed

Cybersecurity Training Program

All staff handling veteran data need regular cybersecurity training:

Required Training Components

Module 1: Data Classification & Handling (Annual)

  • What constitutes sensitive veteran data
  • FERPA requirements and implications
  • Proper storage, transmission, and disposal methods
  • Real-world case studies of breaches

Module 2: Phishing Awareness (Quarterly)

  • Identifying phishing attempts
  • Common social engineering tactics
  • Simulated phishing tests (coordinate with IT)
  • Reporting suspicious emails

Module 3: Incident Response (Annual)

  • Recognizing security incidents
  • Immediate response steps
  • Who to contact and when
  • Documentation requirements

Module 4: Emerging Threats (Semi-Annual)

  • New attack vectors and scams
  • AI-powered phishing and deepfakes
  • Ransomware trends
  • Updates to security policies

Training Best Practice

Short, frequent training beats annual marathons. 15-minute quarterly sessions with real examples are more effective than 2-hour annual lectures. Make it relevant to VASCO-specific scenarios.

Incident Response Protocol

Despite best efforts, incidents happen. Having a clear response protocol minimizes damage:

Immediate Response Steps (First 30 Minutes)

  1. 1

    STOP and CONTAIN

    Don't click further, don't delete evidence. If malware suspected, disconnect from network

  2. 2

    NOTIFY institutional IT security team immediately

    Call, don't email. Provide: what happened, when, what systems/data involved

  3. 3

    NOTIFY supervisor and compliance officer

    Data breaches have reporting requirements—start the chain early

  4. 4

    DOCUMENT everything

    Take screenshots, note times, preserve evidence. Write down exactly what occurred

  5. 5

    CHANGE compromised passwords

    If account compromise suspected, change password immediately from different device

Common Incident Scenarios and Responses

Scenario: Clicked phishing link

Response: Notify IT security immediately. Change all passwords. Monitor accounts for unauthorized activity. If work device, disconnect from network until IT clears it.

Scenario: Lost/stolen device with student data

Response: Notify IT security and supervisor immediately. If device has remote wipe enabled, initiate. Document what data was on device. May require notifying affected students depending on data sensitivity.

Scenario: Accidentally sent email to wrong person

Response: Contact recipient immediately requesting deletion (call, don't email again). Notify supervisor if sensitive data disclosed. Document incident. May require breach reporting if FERPA data exposed.

Daily/Weekly Security Checklist

Daily Security Habits:

  • ☐ Lock computer when leaving desk
  • ☐ Verify email senders before clicking links
  • ☐ Secure physical documents before leaving
  • ☐ Log out of systems when finished
  • ☐ Question unusual requests for information

Weekly Security Review:

  • ☐ Review sent emails for misdirected messages
  • ☐ Check for software updates on devices
  • ☐ Audit who has access to sensitive files
  • ☐ Shred accumulated paper documents
  • ☐ Review and delete old data no longer needed

Key Takeaways

  • Human error causes most breaches: 83% of incidents are preventable with basic security practices
  • Enable MFA everywhere: Single most effective security measure you can implement
  • Question everything: Verify unexpected requests, especially urgent ones involving data or money
  • Use institutional systems only: Never personal cloud storage or email for student data
  • Train regularly: Short, frequent cybersecurity training beats annual marathons
  • Have incident response plan: Know exactly what to do and who to call when something goes wrong

Cybersecurity isn't about achieving perfect protection—that's impossible. It's about implementing reasonable safeguards, maintaining constant vigilance, and responding effectively when incidents occur. The veterans you serve have entrusted you with their most sensitive personal information. Protecting that trust requires more than good intentions; it requires consistent security practices, ongoing education, and a culture that prioritizes data protection.

Start this week by enabling multi-factor authentication on all your accounts, conducting a security audit of your workspace, and scheduling regular cybersecurity check-ins with your team. Security is a habit, not a one-time project. Every email you verify before clicking, every document you properly secure, and every password you make stronger protects the veterans who've sacrificed for our country. Their data security is your responsibility—take it seriously, practice it daily, and never become complacent.