Hackers are attracted to the vulnerabilities of institutions of higher education because, traditionally, these environments have a diverse set of users and devices, each with potentially different functions and responsibilities.
Systems at many universities are not necessarily maintained by the central IT organization, making it difficult to apply consistent standards. These systems are often maintained by individuals without the skills or training necessary to properly secure them. Here at Rice University, a private institution of 6,000 undergraduates and graduate students, we've found that other risk factors include the significant amount of student turnover due to graduation and matriculation; the influx of campus visitors; research conducted by outside organizations; and the perennial challenge of developing sound password management strategies (which risks frustrating faculty and staff).
Understanding the causes of potential data breaches in the higher education environment is critical to prevention. At many universities, poor administration of systems can lead to compromise. Systems that are not installed using a reviewed and secure standard can provide a rich environment for attackers. Older, legacy systems, built to previous security standards and no longer updated, are frequently discovered and targeted by attackers. Development systems used to test new versions of software can contain the same data as their production counterparts, but often do not have the same level of security. Occasionally, administrators implement quick, temporary fixes while installing a system or resolving an issue; those fixes are often left in place and forgotten, only to be found and used by attackers.
The lack of audit procedures in many organizations can give a false sense of security. Even when servers and networking equipment are securely installed and configured, they can become vulnerable if they don't undergo at least periodic audits. Lack of change management procedures on public systems can create gaps in how systems are configured and secured, leaving them open to attack.
Here are some suggestions for preventing a data loss disaster:
1. Revisit data management.
As the work performed by traditional endpoints such as desktops and notebooks is augmented by tablets and smartphones, data management strategies should be revisited. Ensure that data owners and stewards understand their obligations to protect the data.
2. Employ prevention tools.
Investigate the use of data loss prevention tools at network gateways, as well as on client systems in departments that manage confidential and sensitive information. Mobile phones should have the same security requirements as notebooks. Require encryption, passcodes, anti-malware (as available) and screen locking on all portable devices.
3. Boost awareness and provide training.
As with any information security initiative, it's people who make or break a successful program. Technology can only assist in backing up good practices and procedures. Develop and publish a campuswide security awareness program that addresses risks identified by the organization. Train the support providers, both in central IT and other support organizations, on how to secure their systems and network infrastructure.
4. Conduct audits.
Audit existing systems and services to confirm that they continue to maintain their secure configurations. Decommission legacy systems when they are replaced. Ensure that development systems maintain the same security configurations as their production peers. Maintain a change management procedure to document and review changes before and after implementation.
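The audit step above (confirm that hosts still match their secure configuration, check that development hosts match their production peers, and tie every change back to a reviewed change record) can be scripted. The following is an added example, not Rice's tooling or any product's code; the baseline settings, host names, collected values and approved-change records are all constructed for illustration, and a real deployment would collect the current settings from each host rather than from an inline dictionary.

```python
"""Configuration-drift audit: compare each host's current settings against a
reviewed baseline, check a development host against its production peer, and
flag drift that has no approved change record behind it. All data below is
constructed for this example (hypothetical setting names and hosts)."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: the reviewed, secure standard hosts are installed from.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.default_inbound": "deny",
    "tls.min_version": "1.2",
    "audit.logging": "enabled",
}

# Constructed "current" state as it might be collected from each host.
HOSTS = {
    "www-prod": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "firewall.default_inbound": "deny",
        "tls.min_version": "1.2",
        "audit.logging": "enabled",
    },
    "www-dev": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "yes",   # "temporary" fix left behind
        "firewall.default_inbound": "allow",   # ditto
        "tls.min_version": "1.3",              # deliberate, reviewed change
        "audit.logging": "enabled",
        "debug.http_endpoint": "enabled",      # nobody documented this one
    },
}

# Constructed change-management records: (host, setting) -> approved new value.
APPROVED_CHANGES = {("www-dev", "tls.min_version"): "1.3"}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: Optional[str]
    actual: Optional[str]
    kind: str  # "drift", "missing" or "undocumented"


def audit_host(name: str, current: Dict[str, str],
               baseline: Dict[str, str] = BASELINE) -> List[Finding]:
    """Every way `current` departs from `baseline` on one host."""
    findings = []
    for setting, expected in baseline.items():
        actual = current.get(setting)
        if actual is None:
            findings.append(Finding(name, setting, expected, None, "missing"))
        elif actual != expected:
            findings.append(Finding(name, setting, expected, actual, "drift"))
    # Settings present on the host but absent from the reviewed standard.
    for setting in sorted(current.keys() - baseline.keys()):
        findings.append(Finding(name, setting, None, current[setting], "undocumented"))
    return findings


def unapproved(findings: List[Finding],
               approved: Dict[Tuple[str, str], str] = APPROVED_CHANGES) -> List[Finding]:
    """Findings with no matching change record: the ones that need attention."""
    return [f for f in findings
            if approved.get((f.host, f.setting)) != f.actual]


def compare_peers(dev: Dict[str, str], prod: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Settings where a development host differs from its production peer,
    mapped to (production value, development value)."""
    return {s: (prod.get(s), dev.get(s))
            for s in sorted(dev.keys() | prod.keys())
            if dev.get(s) != prod.get(s)}


def audit_all(hosts: Dict[str, Dict[str, str]] = HOSTS,
              baseline: Dict[str, str] = BASELINE) -> Dict[str, List[Finding]]:
    return {name: audit_host(name, cfg, baseline) for name, cfg in hosts.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        for f in unapproved(findings):
            print(f"{host}: {f.kind} {f.setting} expected={f.expected} actual={f.actual}")
    for setting, (prod_v, dev_v) in compare_peers(HOSTS["www-dev"], HOSTS["www-prod"]).items():
        print(f"dev/prod mismatch {setting}: prod={prod_v} dev={dev_v}")
```

Run on the constructed data, the production host is clean, the reviewed TLS change on the development host is accepted because a change record matches its new value, and the two leftover "temporary" settings plus the undocumented debug endpoint are reported; the peer comparison separately lists every setting on which development and production disagree, whether approved or not.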
5. Publicize procedures.
Again, users are generally where IT security programs fail. Many do not understand their obligations to protect confidential information. Document expectations through policies and procedures and engage the campus with reminders and training sessions.
Rice has made security and data protection a major priority by providing essential tools to protect data and to provide redundancy and failover where applicable. Communication and education within the campus community yield the highest security dividends at any institution. Informing individuals on precisely how to keep data secure is work that must continue as threats grow. Understanding the institutional IT environment, with special focus on security, will go a long way in deflecting disasters.
And Now, BYOD: A Guide to Preventing Data Loss
Still newer threats are forming as the number of devices each person brings to campus increases dramatically in the bring-your-own-device (BYOD) era.
Many vendors that used to provide locally installed options now offer only cloud-based services. Industry and legal regulations continue to evolve with the goal of protecting confidential information.
Becoming, and remaining, compliant in a complicated university environment is very difficult. Additional steps must be taken to ensure data loss prevention in a BYOD environment.
Improve awareness. Small institutions are not immune to constant attack, which we address through awareness and training programs and adoption of sound policies and procedures, supplemented with tools and technology. For security awareness, we worked with other campus computing support organizations to write and publish online training that covers the items determined to be the greatest risks. We can update that outreach on a schedule or as needed.
Draft and review policies annually. Security guidelines and procedures address new concerns and are backed by policies. Strategies are reviewed at least annually and updated as needed.
Provide (more) training. All new IT employees go through basic security training. The IT Security Office's instruction for all campus computing support providers covers policies and procedures, security tool demos, predeployment testing and installation of virtual systems and software, along with proper use of secure systems and devices.
Lock down data. We've added tools to check for information we do not want leaving the university, and provide tools that allow departments to manage their systems' information. We meet with departments that handle sensitive data and provide full-spectrum security guidance.
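Both suggestion 2 (data loss prevention tools at gateways and on departmental systems) and the "lock down data" step describe tools that check content for information that should not leave the university. The example below is added here to show the core of such a check; it is not Rice's tooling or any vendor's product. It detects dashed U.S. Social Security numbers and payment card numbers, using a Luhn check on the latter to avoid blocking ordinary long digit strings, and the documents it scans are constructed for this example.

```python
"""Minimal DLP content check: flag text that appears to contain a U.S. Social
Security number (dashed form) or a payment card number (Luhn-valid), so a
gateway or file-share scanner can hold the document for review. Sample
documents below are constructed for this example."""

import re
from typing import Dict, List, Tuple

# Dashed SSN; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (catches most non-card digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (category, matched text) pairs found in `text`."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", m.group()))
    return hits


def decide(text: str, threshold: int = 1) -> str:
    """'block' when at least `threshold` sensitive items are present, else 'allow'."""
    return "block" if len(scan(text)) >= threshold else "allow"


# Constructed sample documents (the SSN and card number are well-known test values).
DOCS: Dict[str, str] = {
    "grades.csv": "student,section\nJ. Doe,101\nA. Roe,102\n",
    "aid_export.txt": "applicant 078-05-1120, card on file 4111 1111 1111 1111",
    "phone_list.txt": "helpdesk 713-348-0000 ext 1234567",
    "orders.txt": "order ref 4111 1111 1111 1112 shipped",   # fails Luhn
}


def scan_documents(docs: Dict[str, str] = DOCS) -> Dict[str, str]:
    return {name: decide(text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, verdict in scan_documents().items():
        print(f"{name}: {verdict} {scan(DOCS[name])}")
```

The phone number and the non-Luhn digit string pass through, while the export containing a real-looking SSN and card number is held. A production scanner would add further identifiers, tune `threshold` per department, and log the verdict rather than print it; the point of the Luhn step is that a gateway tool that blocks on digit patterns alone generates enough false positives that users route around it.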