Oct 08 2008

Security Awareness, Proactive Approach

The team responsible for network and data security at Pennsylvania State University is hoping to thwart data theft and security breaches with a two-phase program it began implementing this fall.

Penn State’s program coincides with studies that show a mounting avalanche of data theft and compromised security at universities over the past year. The Identity Theft Resource Center says its “breach list” (which records the number of confirmed data breaches in many categories, including education) jumped to 494 by mid-September. That number eclipsed 2007’s total of 446.

The ITRC says 494 represents only a fraction of the actual number of breaches in the data theft sweet spot of education, business, retail, health and banking. It attributed the increase not only to an overall spike in data thefts and compromises, but also to an increasing awareness of the problem among vulnerable industries, more detailed information generated by state data breach reporting laws and more proactive security measures from network operators.

Penn State plans to install full-disk encryption on all university notebook computers and is also taking steps to identify, locate and protect personally identifiable information on university-owned computers.

Kevin Morooney, Penn State vice provost for information technology, says the school faced an increasing amount of data loss, theft and unauthorized access. In a recent statement to Penn State’s University Faculty Senate, Morooney detailed some of the data security issues his staff has faced in the past few months.

“With an increasingly intense and sophisticated threat, data protection and managing access to it has to sit alongside creation,” says Morooney. “It is a cultural shift we’re all going through right now, and it will take time to get there. But there’s no doubt that we have to get to a new place.”

Since 2002, Morooney says, more than 12,000 Penn State computers have been broken into. More than 30 notebook computers have been lost or stolen since January, and four department systems were found to harbor malicious software, he added.

The encryption and identification program will work with the Penn State community to open a dialogue on data protection at the school and also work with faculty and staff to ensure they understand what kind of information university officials want to protect.

“Since it is a cultural shift we’re talking about, dialogue and common understanding of needs and concerns have to be broadly recognized,” Morooney says.