The 2015 Higher Education Security Report from SecurityScorecard, a cloud-based security provider, ranks the top 10 institutions with the best "security posture," along with the 10 with the worst.
The results of the report are based on surveys of the networks of 485 colleges and universities with at least 1,000 public-facing IP addresses, which were the means for the security tests. Each institution's online security was tested across 10 categories, and each institution received a letter grade for overall performance.
The 10 institutions at the bottom of the SecurityScorecard list had one common weakness: Password exposure.
“The prolific amount of leaked data that has surfaced in the underground throughout the last several years has caused a significant drop in Password Exposure scores for many organizations,” SecurityScorecard Chief of Research Alex Heid said in the report. “It is difficult to find a person in the modern era who has not been the victim of a password theft, or been the recipient of a communication from a friend’s compromised account.”
However, the report has been criticized for being "limited in its depth," according to The Atlantic, which spoke with Mitch Parks, director of information technology at the University of Idaho, which is ranked eighth in the 2015 report.
"I wouldn’t really consider us that much more secure than a number of other institutions of higher education," Parks told The Atlantic. "We've probably been more lucky than skilled."
The Atlantic also raised the issue of disparity between security standards in for-profit businesses and higher education institutions.
A business manages and protects its data differently from a university because a business is focused on proprietary matters, whereas data management at a university is often structured around the exchange of information and ideas.
Jim Waldo, a computer science professor and the chief technology officer at Harvard, told The Atlantic that because of that fundamental difference, security will naturally be handled differently.
“The whole notion of a university is that it thrives on collaboration and exchange of scholarship and ideas, both with people inside the university and outside the university,” Waldo said. “Building an infrastructure for IT that is based around those assumptions is pretty different from the kind of things that can be done in a corporation where you can dictate to your customer base what they can and can’t do, and where you really want to keep the outside out and the inside under control—we can’t do either of those things.”
A 2014 survey from EDUCAUSE's Higher Education Security Council also touched on this issue, suggesting that higher education institutions are singled out for having a large number of security breaches but that this may reflect the culture of transparency fostered by education. A publicly held company has much less incentive to disclose a breach.
"This culture does not exist in other industry sectors, where breach reporting could damage an organization’s ability to be competitive in that industry," the report states.