Information Security at Universities
I was sitting comfortably at a conference that I recently attended when someone on a panel announced to the audience that he had talked to someone from a nearby university concerning how well the computers and networks there were secured. This person told him that there was virtually no security. This led the panelist to proclaim that although there is a lot of rhetoric about information security going on at universities, this rhetoric is in essence idle chatter.
Although I concede that I have not exactly always been taciturn in previous decades of my life, hopefully I have gradually (and painfully) changed into someone who “keeps his cool” far better now. I must admit, however, that this panelist’s minimization of the state of the practice of information security in universities “lit my fuse.” The fact of the matter is that although it is very likely that this person at best had a minimum college degree, the only time he in all likelihood had ever set foot on any campus after he graduated was when he went to reunions and football games. For better or worse, I have spent quite a few years of my life on university campuses doing teaching and research, and am recently retired from the University of California. As such, I would like to believe that I might have a somewhat more realistic perspective.
What the panelist did not realize when he shared his grossly overgeneralized perception (which in my estimation to some degree constituted an attack against academia in general) is that the climate concerning information security in many universities has substantially changed within the last three or four years. To say that over past decades the majority of academic institutions have lagged in terms of data protection and network security (among other things) is indisputably true. To say that the same currently applies to these institutions is, however, totally specious. For various reasons, many universities and colleges have been forced to drastically improve their defenses against cyberattacks. Reasons include:
Data security breaches have been more costly than university administrators previously realized. Consider, for example, the loss of alumni donations that Ohio University suffered after a massive data security breach involving university donors’ financial information. If nothing else, these breaches produced a negative perception among alumni that substantially reduced donations.
FERPA regulations. These regulations require protection of certain types of student data, such as grades. Violations can spell major trouble for universities.
Security incidents are far more disruptive to universities than university administrators had previously envisioned. Consider, for example, the effects of the not-so-long-ago distributed denial of service attacks that brought computing at the University of Minnesota to a standstill.
Security technology has improved. Universities love technology, and information security-related technology is no exception. Attacks that might have easily succeeded in years past are now not all that feasible if the appropriate kinds of technology are deployed.
Universities are accepting credit card payments for athletic tickets, cultural events, tuition and donations. As such, whether or not they like it, they are now credit card merchants who are subject to PCI-DSS compliance standards.
At the same time, however, despite compelling drivers, many universities have changed their stance concerning information security very little over the years. A more realistic conclusion than the uninformed panelist in question reached, therefore, is that information security in universities varies. Some universities are “clued in,” whereas some are not. But I would be willing to bet that many of those that “are not” will soon come to a rude awakening that will drastically increase their motivation to improve their practice of information security.