With a long history of storing bastions of personal, financial and research data, colleges and universities are no strangers to cybersecurity challenges: Since 2005, educational institutions have reported more than 780 breaches, Privacy Rights Clearinghouse data shows.
Amid that threat landscape, it’s not surprising that security-related concerns jumped from the bottom of EDUCAUSE’s Top 10 IT Issues list in 2015 to the No. 1 spot in both 2016 and 2017. IT leaders surveyed for this year’s list are most concerned with “developing a holistic, agile approach to reduce institutional exposure to information security threats.”
According to Sharon Pitt, CIO at Binghamton University and a member of EDUCAUSE’s Higher Education Information Security Council, the current focus on security stems from two factors: “It’s a combination of the rampant cyberattacks all industries are facing and the types of tools we’re using in higher education right now to help us be better educators and researchers,” she says.
Higher education’s unique culture of openness and transparency also complicates the situation.
“Really, there has always been a balance between academic freedom and data security in higher education,” says Jen Nowell, the national director of state and local government and education for Symantec. “That’s very difficult today.”
Crafting an Information Security Policy That Works for Everyone
Well-designed policies can play an important role addressing the needs and interests of both the academic community and the IT department.
According to Jason Belford, CISO at the University of Virginia, a successful information security policy will neither impede workflow nor encourage work-arounds. Because work-arounds can lead to breaches, prioritizing staff productivity benefits data security too.
Building Training into Information Security Programs
In addition to outlining consequences, some colleges and universities attempt to reduce accidental misbehavior through increased security awareness.
Pitt says that at Binghamton University, staff participate in SANS Institute’s “Securing the Human” program and others like it to learn about data protection. And at three out of four institutions, staff are required to participate in information security training, a 2016 EDUCAUSE report states.
Symantec’s Nowell even notes an increase in purchases of security awareness education materials but warns that, despite the focus on training, human errors are still to be expected.
“The truth is, even with phishing education, we still click the link. It’s our nature,” Nowell says, stressing the importance of implementing additional safeguards and treating cybersecurity as an ongoing process.
“Traditional security in higher education needs to evolve as the institutions are updating their technologies,” she says.