David Crain, Assistant Provost & CIO, Southern Illinois University
Am I just paranoid or should we be concerned with the present state of security within higher education? I very much think the latter.
In the last few weeks, we learned that a cybercrime group in Russia may have obtained 1.2 billion stolen identities. We also just witnessed the Sony PlayStation network taken down by hackers, which, incidentally, is the second major attack on Sony, the first having exposed 77 million personal records. These recent events are just the latest in a long list of security incidents over the last year that has included other high-profile data breaches such as:
• 2 million Facebook, Gmail and Twitter accounts had data stolen, according to money.com.
• Possibly 12 million credit card numbers stolen from Target.
• 4.5 million records were stolen from Community Health Systems.
But what do these corporate breaches have to do with higher education? The answer can be found in the most recent data breaches reported by two high-profile institutions, Indiana University and the University of Maryland. If these two prominent institutions can experience a breach, then we all must certainly take note. According to the Privacy Rights Clearinghouse, there were 22 reported data breaches in colleges and universities during the first seven months of 2014. The size of many, if not all, of these breaches can only be estimated, ranging from hundreds of thousands to millions of records. In one of the largest higher education data breaches, last November a community college system reported the breach of personal information for two and a half million individuals. It’s important to note that these are just the known incidents, because in many cases an organization doesn’t even realize that it has been compromised until months after the breach.
What concerns me about this trend is that the number of reported incidents seems to be growing exponentially. Higher education is a growing target for cyber criminals. In fact, in 2013, Higher Education was the number one target for cybercriminals, according to a recent report.
So, why are we in academia being targeted? I believe that there are a number of reasons:
1. Universities typically foster an atmosphere and attitude of open access to information. Although this openness has many academic advantages, it often runs contrary to information security best practices.
2. Most universities have robust internet connections to support residence halls and academic research. These same internet connections can be used by hackers to get fast access to our data.
3. Higher education relies on a great number of student employees. IT Departments typically have high turnover rates for staff positions because of relatively low salaries. The resulting large numbers of new and inexperienced employees make information security awareness difficult.
4. We have a great variety in the types of valuable data compared to other industries including:
i. Credit card and Social Security numbers.
ii. Financial data for students, parents, alumni, employees.
iii. Valuable intellectual property and other research data (research institutions are the primary target for cyber-attacks in higher education), often including national defense and other government funded research data.
iv. Health information from student health centers, clinics, hospitals, medical schools, etc.
5. Confidential data resides on thousands of privately owned machines that have access to campus networks but are not secured by the enterprise. A recent study found that the majority of college students now own three or more wireless devices (The ECAR Study of Undergraduate Students and Information Technology, 2013). In addition to trying to secure our own systems, universities often have a hundred thousand or more privately owned devices on their network that need to be secured.
6. Tight budgets have often led to increasing the lifespan of computer systems and data networks within many universities. These older systems are often much harder to secure than more current systems.
Exacerbating this is the fact that we have far fewer resources to invest in information security than our counterparts in the corporate world. In fact, according to a recent Gartner report, universities, on average, spend $152 per employee on information security, which is much less than the average of $381 spent per employee across all US industries (IT Key Metrics Data 2013: Key Information Security Measures by Industry). The fact is, universities have far more users than are represented by the number of employees on campus, as the number of students will often triple or quadruple the count of employees. The fact that we spend just 40 percent as much per employee on information security is troubling enough, but reduce that number to account for institutional FTE (students plus employees) and the situation becomes truly dire. Additionally, we have an added compliance burden that most industries don’t face. In addition to PCI (credit card) compliance, we have HIPAA (health information) and FERPA (student information), along with specific data requirements from many of our research granting organizations, as well as from state and federal regulatory agencies.
We can summarize the current environment of information security in higher education by saying that there are a number of factors that increase the probability of data breaches continuing to occur:
1. We have become the number one target for cybercrime.
2. We have many types and sources of data that must be protected.
3. We have additional responsibilities not faced by other industries.
4. We have a very unique challenge with thousands and thousands of personally owned devices being present on our networks.
5. We spend far less money to secure our network and data than other industries.
There is a huge gap between higher education compliance responsibilities and funding for information security. I would argue that, because of our very complex nature, funding for information security in higher education should be at a far higher level than in most industries. Instead, we fund information security at a mere fraction of where it should be. We owe it to our students, employees, and alumni to do everything feasible to protect their data. I assert that additional investment in information security is not just the ethical thing to do, but is also the most financially responsible course of action for university administrators to pursue.
In conclusion, consider this: the cost of a data breach in 2013 averaged $188 per compromised record, according to a whitepaper by Ponemon Institute. For institutions with potentially millions of confidential records, the financial impact of a large data breach could literally close a university down. So where do you think money should be spent at your campus?
So should we be concerned with security within higher education? I would say that we have to be.