Information Security has been the top issue in the EDUCAUSE Top 10 IT Issues in each of the last 3 years. It will likely continue to be a leading issue on campuses in the future for several reasons, specifically the increasing number and seriousness of external threats, the complex nature of managing IT priorities in the higher education ecosystem, and the emergence of new technologies and services that need to be protected. On top of that, one of the biggest value propositions for implementing an information security strategy for many academic leaders and boards is to “make sure we are not called out in the press for a security breach”, and that is not a true or long-term strategy.
The number of external threats is growing, and campuses are becoming more vulnerable to cybersecurity risks. The famous criminal Willie Smith once said, “I rob banks because that’s where the money is.” In terms of information security risks, Willie’s sentiments about following the easy money are just as applicable to chasing information in higher education today.
These are the issues that highlight why higher education remains a primary threat target:
- There is a large amount of potentially valuable information in higher education, such as financial data, personal information and intellectual property, which is attractive to malicious actors.
- The proliferation of connected devices on campuses makes it harder to secure and protect all potential entry points.
- Campuses have a large and diverse population of users who need to be educated on potential dangers, but who don’t always realize the issues or take them seriously. This means that it takes more effort and targeted training to get these users to understand the risks and become compliant with university policies.
Universities and colleges are also amazingly complex organizations, and their scope for compliance regulations is wider and more complex than in other industries. Not only do campuses offer services to students including online registration, billing, residential, food services and healthcare, they also support faculty with online collaboration and global research, administer a large portfolio of real estate and buildings, and manage significant data processing operations. This complexity contributes to the difficulty in applying controls that typically work in the corporate world to the higher education market.
Security standards and controls are nearly anathema to academia, as access, freedom to pursue learning, collaboration, research and outreach are more highly valued than regulations. As such, IT in higher education is often not centralized or standardized and is mostly governed through collaboration, which makes it difficult to develop a mature information security program.
So, the short answer to the rhetorical question about whether to worry about information security in higher education is a definite yes.
What are the Top Information Security Risks in Higher Education?
A recent article in EdScoop identified the four issues that pose the greatest information security risks on campus:
- Phishing and social engineering
- End-user awareness, training and education
- Limited resources for the information security program
- Addressing data protection and privacy regulatory requirements
A much newer threat that just recently appeared on the horizon is the alarming surge of cryptocurrency mining on campuses. Cryptocurrency mining allows “miners” to earn financial rewards for validating cryptocurrency transactions. Large student populations are ideal for cryptojackers, as students leverage free sources of electricity, high-powered computing resources and lax or nonexistent campus policies. Some universities have identified cryptocurrency mining as a security risk and a few, like Stanford University, have instituted policies specifically banning the activity.
Do You Have an Information Security Strategy in Place Now?
EDUCAUSE defines Information Security as:
“Developing a holistic, agile approach to reducing institutional exposure to information security threats.”
To get a sense of how college campuses are doing with Information Security plans, we asked the attendees at a Campus Information Security Workshop held prior to the EDUCAUSE Security Professionals Conference in April to rate themselves with respect to whether they have a documented strategy for their information security program. Only 29% of the attendees said that they have largely achieved this goal and have a written strategy in place. On the other end of the spectrum, 21% of the attendees stated that they have barely started documenting their strategy, and another 25% stated that they have only slightly achieved this goal.
While this survey was not scientific or comprehensive, it provides a rough order of magnitude around the maturity of Information Security strategies in higher education.
Operating in Reactive Mode Exacerbates the Issue
Perhaps more than any other sector, information security in higher education has continued to develop in an ad hoc manner, almost necessarily in a reactive mode.
What does that reactive mode look like in reality?
“We are going in every direction at once.”
The information security umbrella covers several different areas, such as education, policy, compliance, risk management, incident response, business continuity, and disaster recovery. Weaving these components together while reacting to new threats, technologies, and compliance standards is a real challenge. It is no wonder that users are confused about the direction and focus of information security.
“We do not have buy-in.”
There is an inevitable impact to the organization when security direction becomes a series of disjointed initiatives and policies. From within the information security office, it is difficult to see what you are accomplishing overall. Members of the campus community feel that they are subject to a steady stream of messages, rules, and new procedures, making it more difficult to do their jobs. As a result, they are less likely to help achieve a more security-conscious environment. Users lack a frame of reference to bring each new procedure and initiative together into a cohesive security direction.
“There are many parts, but no whole.”
Nearly all institutions have information security policies and procedures. Leadership recognizes the necessity of security. Projects are taking place, but the efforts lack cohesion. This scenario describes security organizations that are in the early stages of maturing into a formal program.
What Should We Do About Information Security?
A large part of our journey in information security has been about moving from a disjointed set of activities to creating a program. The question of strategy gets to the heart of what it takes to move a program forward.
The Information Security strategy should be created and considered in such a way that it is built into an organization’s overall strategy. If the security strategy is not helping the institution meet its goals of educating students, conducting research and facilitating community outreach, then it is irrelevant and will not meet its goals.
In part 2 of our Information Security series, we will address how to move from a reactive to a proactive mode and how to gain control with a long-term Information Security strategy.
This blog post was based on an article titled “Crafting an Information Security Program Strategy” published in the Security Matters blog in EDUCAUSE Review on May 16, 2018 by Cathy Bates and Jon Young. Cathy and Jon are Senior Consultants with Vantage Technology Consulting Group working in the Strategic IT projects practice.