HECVAT, also known as the Higher Education Community Vendor Assessment Toolkit, is a security questionnaire template whose goal is to evaluate risk related to data and information security in higher education. Because the higher education sector is an attractive target for cybercriminals, it needed better defenses in place to guard against attacks that are growing both in number and in sophistication.

For example, over 900 colleges and universities were affected by the MOVEit supply chain attack alone, through the educational non-profit National Student Clearinghouse. The breach exposed data of hundreds of thousands of students and faculty members. Experts believe the exposed data gives cybercriminals a golden opportunity to launch future ransomware, account takeover, social engineering and other cyberattacks. While such attacks aren’t a new phenomenon, they underscore how the security of institutions of higher learning can be damaged indirectly, through both supply chains and third-party data breaches.

The Importance of HECVAT

HECVAT was developed in 2016 by the Higher Education Information Security Council (HEISC) Shared Assessments Working Group together with Internet2 and the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), in response to the growing information security challenge facing the higher education sector.

According to a global survey by the British cybersecurity company Sophos, 80% of higher education institutions suffered a ransomware attack in 2023, a 15% increase from the year before. More than half of the institutions attacked (56%) ended up paying the ransom, a trend experts say only further encourages cybercriminals to continue exploiting higher education institutions for monetary gain. Since the majority of attacks on these institutions succeed and carry a significant cost, the institutions are looking for ways to defend against them.

The HECVAT security questionnaire template assists higher education institutions in evaluating risks related to data and information security in two ways. First, it standardizes the process, giving educational institutions a procedure customized to their sector for evaluating their third parties for risk. Second, it streamlines the evaluation so that it is less resource-intensive, which is key for a sector with smaller cybersecurity budgets than the commercial sector.

HECVAT is important to higher institutions of education for several reasons:

  • It enhances the security posture of higher education institutions. With standardized and streamlined approaches to cybersecurity, it is far easier for them to identify and manage risks.
  • It makes compliance easier. Because of the large volume of sensitive data they store and use, higher education institutions are subject to a number of regulations such as GDPR, FERPA and HIPAA. HECVAT ensures that they comply with these and other regulations relevant to their organization.
  • It builds trust in the organization. When other vendors see that an institution and its third parties comply with HECVAT, they view it as a business with strong cybersecurity practices in place.
  • It is a low-cost tool for third-party risk management. In contrast with proprietary cybersecurity solutions, HECVAT is free, and different versions are available depending on the resources of the institution.

Who Should Meet HECVAT Compliance?

HECVAT compliance is necessary both for institutions of higher education evaluating their vendors and for vendors looking to enter business relationships with institutions of higher education. It is currently used by more than 150 colleges and universities and more than 50 commercial vendors to help reduce cybersecurity risk, save time and resources, and build trust in their brand or institution.

Why Cybercriminals Target Institutions of Higher Education

In 2023, data breaches in higher education institutions cost organizations $3.7 million globally. This sector also takes longer to recover from these attacks, with 40% of institutions taking over a month, compared to 20% in other industries.

The reasons cybercriminals pursue this sector include:

  • A larger attack surface that is difficult to protect. Students use a variety of devices both inside and beyond the university network, making the organization’s attack surface much harder to protect. In addition, many students, employees and faculty members lack the knowledge needed to build a strong culture of cybersecurity at these institutions.
  • Limited budgets for cybersecurity solutions. Unlike enterprise-level companies with large budgets and resources for an in-house security team, educational institutions have smaller budgets for these tools. IT staff responsible for handling cyberattacks may be overwhelmed and burnt out, making it harder to defend against them.
  • High volumes of sensitive and PII data. Higher education institutions store the personal information of both students and faculty, including payment information, medical and educational records, access credentials and even sensitive research data. Cybercriminals can steal or compromise this data for financial gain, competitive advantage or even political motives.

HECVAT and Third-Party Risk Management (TPRM)

Although institutions of higher education often do not have the cybersecurity budgets and solutions that commercial software vendors do, they face the same threats. At the same time, they increasingly rely on cloud technology and other SaaS solutions for their third-party tools and services and for data and information protection. They may, for example, store their data in Google Cloud or Amazon’s cloud and work with an email service for student outreach, and so they need a standardized system for evaluating the risk these third parties pose to the institution.

The MOVEit supply chain attack and its infiltration of hundreds of educational institutions through the National Student Clearinghouse highlight how important it is for organizations to be able to assess the security posture of their third parties. HECVAT, together with an internal third-party security management program, is a good place to start.

The Difference Between HECVAT Lite and Full

HECVAT comes in several versions that higher education institutions can use depending on their needs.

The two main types of HECVAT versions include:

  • HECVAT Full. This is the most comprehensive questionnaire, with 250 questions. It is used for an in-depth evaluation of vendors (e.g. a cloud service provider or payment system) that will either handle sensitive data or provide critical services for the institution.
  • HECVAT Lite. This shorter, less comprehensive version of HECVAT is suitable for lower-risk vendor assessments. That might include smaller companies that lack the resources to respond to the longer version, or preliminary assessments of companies before they commit to the longer version.

Other versions include:

  • HECVAT On-Premise. This questionnaire is aimed at evaluating the risk involved with a third-party product that will be deployed on-premise. Common uses for this version include the evaluation of Enterprise Resource Planning (ERP) systems and any type of hardware and software infrastructure, such as servers, data storage systems or network devices.
  • HECVAT Triage. This version is used during an initial risk assessment. It is useful when an institution needs to assess risk from many vendors in a short period of time and prioritize them accordingly.

Most of these versions (HECVAT Full, HECVAT Lite and HECVAT On-Premise) are for the vendor to complete and deliver to the institution. HECVAT Triage is for the institution to deliver to the vendor.

How Panorays Helps Manage Third Party Risk

With large attack surfaces composed primarily of publicly facing assets such as domains and subdomains, it’s essential that vendors doing business with institutions of higher learning be evaluated thoroughly for third-party risk. Traditional third-party assessments are typically fragmented and manual, making them hard to scale to meet growing demand.

Panorays offers seamless third-party security assessments with contextual risk management that evaluates risk according to each vendor’s unique relationship with the organization. It does this as a hassle-free process with minimal dependence on third parties that still delivers a comprehensive assessment of your supply chain. It is also scalable and lets organizations expedite the onboarding process with its automated, AI-powered tools.

This process includes:

  • Supply Chain Discovery and Mapping. Automatically discover unknown parties, including third-, fourth- and fifth-party suppliers. Learn each supplier’s relationship to your organization and its level of criticality to your business.
  • Risk DNA Assessment. Get customized cyber risk ratings based on a combination of external and internal risk assessments, driven by AI capabilities such as workflow automation, that deliver an accurate and comprehensive assessment of your cyber posture. AI-powered questionnaires and external attack surface assessments are a critical component of this risk assessment, eliminating reliance on third parties for information.
  • Continuous Threat Detection. Uncover critical findings, conduct third-party threat intelligence and aggregate insights to deliver a contextualized view of your supply chain.
  • Remediation and Collaboration. Collaborate comprehensively with third parties using automated remediation steps, so that you can take immediate and proactive action against the next cybersecurity threat posed to your organization.

Want to learn more about how Panorays can help your organization manage third-party risks? Get a demo today.