As mobile devices become an essential tool on the higher education campus, the battle to keep them secure can be daunting. The wrinkle, of course, is that IT professionals cannot eliminate risk entirely without severe ramifications to the environment. Security is not simply about locking down access and information, but about striking a balance that lets the educational community reach its goals while still protecting institutional data.
The following best practices can help IT leaders prepare a strategy around mobile device security that achieves both of these aims.
In 2010, researchers Brechbuhl, Bruce, Dynes and Johnson noted that “if you are on the network, you are available to everyone else on the network. A key consequence is that security is not the concern of someone else; of necessity it is the concern of everyone.”
Accordingly, communication with the campus community is critical to the success of any security initiative. IT must partner with staff and faculty early and often. Who owns the risk? Everyone. Security initiatives are more effective when institutions dedicate time and resources to convey to all their constituents that security is important to everyone.
Institutions are familiar with marketing services to prospective students, but it can be challenging to think about having to “sell” security services and information to internal faculty and staff. Yet that’s exactly what must be done. End users are the biggest risk and they are often unaware of security requirements — a dangerous combination. If end users don’t understand why they should care about security, they will continue insecure habits and practices, further exacerbating the risks for an institution. Remember: communicate, communicate, communicate.
Standards created for the private sector don’t uniformly apply to higher education institutions, where access and flexibility are often more critical. Many faculty and staff need to research and teach as they choose, and any action they perceive as threatening academic freedom will create unnecessary pushback. IT’s goal is to create a balance between security and access that protects and mitigates risk, while still supporting the institution’s academic mission.
One strategy is a cloud-based email solution (Google and Microsoft Office 365 are two of the most popular) as a “light” version of a mobile device management system. This solves two problems: a lack of funding and a need to impose minimal controls so as not to aggravate the community or hinder academic research. Such systems give IT control to enforce passcodes, encrypt devices and remotely wipe lost or stolen devices, while still letting faculty and students control their devices and software choices.
As institutions consider systems that could impede access, such as policies and firewalls, they should weigh the costs of implementing these countermeasures against the access that will be restricted. Communicating with stakeholders will help determine which solutions have the right mix of usability and security to enable the institution to successfully meet its mission.
Devices are becoming interchangeable, so make this the mantra of the IT department. Locating and restricting all mobile devices is an insurmountable task, especially when new devices enter and leave the environment daily.
So how do we protect the data? That’s a complex question and depends on each institution’s unique systems. IT has various tools at its disposal, including two-factor authentication; registering devices before granting access to systems with confidential information; and restricting certain data to be accessed only from the on-campus network. Each institution should evaluate its situation to determine the most suitable methods of protecting the data, regardless of where it resides.
An important part of securing mobile devices is helping end users understand what they can safely do — and not do — with those devices. What data can they download? What systems can they log in to?
A data classification guideline categorizes data as, for example, Public, Private, Confidential and Restricted. Once IT identifies the types of data it is dealing with, it can educate users on acceptable practices for each category, including which ones they can access from a mobile device. Such policies create a framework that guides institutions on what data they do or do not need to protect.
To grow security awareness around mobile devices, start small with password education or another simple topic, and get the campus community involved. Then build off early successes and momentum. Although the content may change, an awareness program should be a permanent part of the environment. Successful programs are well-planned, consistent and positive in tone. They also include measurable goals and integrate into an overarching IT security awareness plan.
Too often, security conversations happen within IT, but nowhere else in the institution. The conversation needs to transcend the technical details and be tailored to what administrators, in particular, need to know. The provost, deans, student affairs staff and many others should contribute to the effort to create the right balance of security and access to data and systems. In-depth risk conversations can still happen within IT, but the information that flows to senior leaders should be brief and clear to ensure the management team can easily understand, give feedback on, and make decisions about security initiatives.
The task of balancing risk and access is a growing challenge for institutions, and mobile devices haven’t made this any easier. IT security cannot be a one-person job, even at small institutions. Security is everyone’s business.