According to analysts, the higher education sector is the most breached of any industry. This white paper outlines the key reasons why universities are more affected by security issues and how they can better prepare themselves to address IT security and vulnerability management challenges.
IT security is a hot topic these days, especially at colleges and universities. An April 2008 Symantec Global Internet report noted that the education sector experienced more IT security breaches than any other industry. What’s more, the number of higher education breaches and institutions affected continues to rise, as schools are under greater pressure to collect more and more student data. Between 2006 and 2008, the number of incidents reported by schools grew by 101 percent, and during that same period, the number of institutions affected rose by 173 percent. As recently as February 2009, the University of Florida reported an exposure of 97,200 student records, all of which contained names and Social Security Numbers.
Statistics like these in the education sector – as well as the increasing number of breaches in other industries – have garnered a great deal of publicity and have generated cause for alarm. There has been tremendous growth in the field of IT security training, as organizations of all sizes struggle to find professionals to help them address the challenge. There are myriad books on IT security on the market, and the list grows monthly; many colleges, universities, and technical schools now offer a degree or certification in IT security.
A December 2008 Gartner Group Survey found that “the role of the chief information security officer (CISO) is no longer rare, but many institutions have yet to formalize the role and the title. Policies and support for educating the community are also still evolving. Work still needs to be done, if security is to be viewed not as an IT problem, but as an institutional problem that needs addressing.”
The Gartner survey’s key findings include the following:
“Calculating the cost of security breaches and attacks is rare. More than 75 percent of institutions have not even calculated the cost of mobile PC thefts, which should be less difficult to calculate”
The technology environment in higher education is complicated by many factors. First, there are often ambiguous campus perimeters. Many schools have a transient student population, and, even when this is not the case, computer equipment is often moved during the school year between campus and home. This situation is further complicated by the fact that a distributed computing environment is common at large schools, making it hard for a central IT group to keep track of what’s out there. Furthermore, many schools offer distance learning options, meaning that some student computers may never actually be on campus.
Second, there is a tremendous amount of sensitive electronic data on most campuses. Determining the location of that data, who controls it, and how best to protect it is a daunting task, even at a small school. At large universities, there may be a central IT group – or even a central IT security group – but the daily management of many systems and/or handling of data is usually the responsibility of the individual colleges or departments.
Third is the issue of shadow systems. The university’s core systems, containing Enterprise Resource Planning (ERP) data, credit card information, medical records, or other important student data, may be well protected; but there are frequently local copies of sensitive data that are not under that same protective umbrella. Even small schools have multiple departments, and some of these – Housing or Campus Dining, for example – need systems containing important student information in order to function. When these various shadow systems are connected to the Internet, or when they are reachable from anywhere on the campus network, the problem is compounded: a spreadsheet exported from the well-protected core system inherits none of that system’s controls. This proliferation of systems in a highly distributed information environment makes it very difficult for colleges and universities to keep track of everyone who has copies of sensitive data such as students’ Social Security Numbers.
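Finding those local copies is the practical first step, and it is usually done with a pattern-based discovery scan of file shares and departmental exports. The following is an added example, not code from the white paper or from any vendor it cites: a small Python scanner that looks for formatted Social Security Numbers, discards patterns the SSA never issues (area 000, 666 or 900–999, group 00, serial 0000), and reports only masked values so the inventory itself does not become yet another copy of the data. The file contents are constructed for the example; the directory walker at the end is provided for running it against a real share.

```python
import os
import re
from typing import Dict, List

# Formatted SSN: three digits, two digits, four digits, separated by '-' or ' '.
# Word boundaries stop it matching inside longer digit runs such as card numbers.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")

# Constructed sample exports from two "shadow systems" (invented data, not real records).
# dining/cards.txt deliberately mixes one plausible SSN with several that the SSA never
# issues, plus a card number and a phone number that must not be reported.
SAMPLE_FILES: Dict[str, str] = {
    "housing/roster.csv": (
        "name,room,ssn\n"
        "A. Student,212B,123-45-6789\n"
        "B. Student,310A,078-05-1120\n"
    ),
    "dining/cards.txt": (
        "card 4111-1111-1111-1111 active\n"
        "id 666-12-3456\n"      # area 666 is never issued
        "id 123-00-4567\n"      # group 00 is never issued
        "id 987-65-4320\n"      # areas 900-999 are never issued
        "id 321-54-9876\n"      # structurally plausible: should be reported
        "phone 555-123-4567\n"  # phone layout does not fit the SSN pattern
    ),
    "notes.txt": "nothing sensitive here, exported 2009-02-01\n",
}


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject combinations the Social Security Administration never assigns."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def mask(ssn: str) -> str:
    """Keep only the last four digits so the scan report is not itself sensitive."""
    return "***-**-" + ssn[-4:]


def scan_text(text: str) -> List[str]:
    """Return every plausible SSN found in a block of text, unmasked."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each path that contains plausible SSNs to its masked hits."""
    report: Dict[str, List[str]] = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = [mask(h) for h in hits]
    return report


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a real directory tree (e.g. a departmental share) and scan text content.
    Binary and encrypted files are read with errors ignored, so this is a heuristic
    inventory, not proof of absence."""
    files: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                files[path] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {len(hits)} plausible SSN(s): {', '.join(hits)}")
```

Two caveats apply to any scan of this kind. It finds formatted nine-digit strings only; unformatted SSNs, database tables, spreadsheets inside zip archives, and encrypted or password-protected files are missed, so a clean result is not evidence that a department holds no copies. And it will produce some false positives on part numbers or other codes that happen to fit the shape, which is why the plausibility filter and a human review of each reported file belong in the process.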
Academic freedom is a fourth concern. Open networks – indeed, the Internet itself – have their roots in academe. Networks have long been viewed as teaching tools, and the notion of imposing any restrictions on them has been resisted. IT security measures that would exist as a matter of course in a business environment have, until recently, been frowned upon in academic settings in the name of academic freedom.
Finally, there is always the issue of funding. Because of financial constraints – now more than ever – schools are often forced to depend on a limited staff of professional IT support personnel. In fact, some campus IT departments are staffed primarily by computer science majors or other students with an interest in technology.
Unfortunately, this challenging campus IT environment exists at the same time when increasingly stringent government regulations continue to raise the bar for data protection and to impose harsh penalties for those who fail to protect sensitive data. At colleges and universities, IT managers must comply with many such regulations.
In addition to these federal requirements, colleges and universities in most states must comply with state privacy laws such as California SB 1386, a piece of landmark legislation that became operative in July 2003. Laws like this require that any agency, person, or business that owns or licenses computerized “personal information” must disclose a breach of security to every individual whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized party. Note the encryption condition: data that was encrypted at the time of the breach is typically exempt from notification, which is one of the few technical controls that directly reduces an institution’s statutory exposure.
In his article, “Back to School: Compliance in Higher Education,” Ken Bocek notes, “While most institutions are in compliance with GLB, PCI, HIPAA, FERPA, and other regulations, the number of institutions involved in data breaches does not seem to be on the decline. It’s this point that makes higher education a lesson for all organizations.”