The Privacy Vs. Security Debate Is Alive and Well in Higher Ed

Hackers have it out for higher ed.

In 2015, cybercriminals disabled networks or stole student data at some of the most established institutions in the country, attacking community colleges and Ivy League universities without discrimination. And already this year, major cybersecurity breaches have compromised the names, Social Security numbers and student ID numbers of thousands of higher ed students and staff.

On average, such attacks cost institutions as much as $300 per lost or stolen record, according to a recent IBM data breach study. And when you’re talking about colleges and universities that maintain thousands or even millions of personal records, those costs can really add up.

Higher Ed: A Marked Man

Unfortunately, little can be done to make higher ed institutions less of a target for hackers. Beyond the lure of all that personal information, colleges and universities store vast amounts of valuable research and intellectual property that would warrant a hefty price tag in the event of a ransomware attack. And because campus networks feature an enormous number of access points and end users, vulnerabilities abound. It’s the job of IT personnel to close security gaps before hackers can exploit them. While this task may seem straightforward, it requires that security experts toe a fine line.

An Unexpected Roadblock

Because the higher ed community values transparency and academic freedom above all else, colleges and universities that tighten cybersecurity measures can easily come under fire — even when the changes are warranted.

For instance, one university sparked an uproar among faculty when it quietly installed a new system that would monitor computer networks on all of its campuses, keeping track of users’ emails and browsing history.

Although the move came in response to a series of vicious cyberattacks and fell within the purview of the university’s electronic communications policy, the backlash highlights the challenges institutions face when designing cybersecurity strategies.

Striking the Right Balance

While it’s likely that strict cybersecurity measures will always invite some criticism, colleges and universities can mitigate the problem by meeting with faculty and staff to discuss the details of any new cybersecurity policy. Answering questions and addressing concerns early in the process could prevent later objections surrounding shared governance and transparency.

A careful use of language can also help institutions find a balance between risk mitigation and academic freedom. As an example, one university’s policy clearly states that it’s meant to ensure the campus community “minimizes to the greatest extent practicable the unnecessary creation of cyber risks while also enabling the productive work of all units.”

I also suggest that administrators remain aspirational yet realistic when drafting policy language. Ask: Are students, faculty and staff likely to follow the proposed regulations? If not, what would encourage compliance? A campuswide cybersecurity awareness campaign can help bridge the gaps.

That multifaceted approach also reinforces the truth that cybersecurity is a shared responsibility, and that campus networks will only be safe from hackers when people and policies work together.

This article is part of EdTech: Focus on Higher Education’s UniversITy blog series.