Universities are falling way behind in the race to secure sensitive data from the threat of compromise, and the trend is expected to continue in perpetuity because they lack the financial and technical resources required to safeguard critical systems, according to a recent study.
“HALOCK Security Labs’ 2013 investigation found that 25% of 162 universities sampled were putting student and parent financial data at risk through the use of unsafe unencrypted email practices. This data included W-2’s and tax information transmitted to financial aid offices,” the study’s authors stated.
“Universities continue to be targeted by hackers because they maintain not only a wealth of student and parent financial data, but they are also centers for cutting edge research and intellectual property.”
In just the first quarter of 2014, publicly disclosed breaches at colleges including the University of Maryland, Indiana University, and North Dakota University exposed the records of over 740,000 students and alumni, compromising everything from personal to financial data.
“Universities in general have limited budgets for information security, and therefore struggle to comply with the numerous laws and regulations regarding the data in their custody,” said Terry Kurzynski, Senior Partner at HALOCK.
The study indicates higher education organizations are being plagued by issues that negatively impact security, including:
- Typical university cultures promote open access to information: A core requirement for information security is the classification of information and systems. And because colleges and universities are quasi-public places, they must separate their public network zones from their sensitive network zones and ensure that each is secured according to its risk.
- Transient and inexperienced student workers: After colleges and universities have separated their sensitive systems from their public systems, they can assign student employees to jobs that manage the public systems, leaving sensitive information in the control of properly trained and vetted permanent employees.
- Limited security and compliance budgets: While colleges and universities have lower budgets than some organizations, no organization has enough budget to address all of its security needs. All organizations must prioritize their investments using the risk assessments that are required by law.
- Student hackers have ample time to target the university that is teaching them hacking skills: Especially for colleges and universities that provide information security courses, academic networks can become the “lab” for course homework … in other words, when you teach information security, expect your students to hack your network for practice. Ensure that those who teach the courses collaborate with IT personnel to detect and prevent the activities that are being taught in the classroom.
- Information technology changes are often limited to seasonal university breaks: Major security patches, upgrades, and security tool implementations are often held off until inter-semester periods when the risk of unavailable systems is lower. But this also means that the security risk is at its highest when class is in session. Proper change management processes can reduce your availability risks while making timely security upgrades.
- Difficulty in educating the Board of Trustees or Regents on security risks: A well-constructed risk assessment will define risks, in part, by their impact to the mission of the institution. Impacts to students, faculty, research funding and the school’s reputation and finances should all be considered as factors in risk assessments.
“Universities need to get serious about securing their environment. They need to be sure that they are following security standards, as well as the laws and regulations that require the protection of personal information,” Kurzynski said, though given the obstacles, it seems unlikely we will see any improvement in the near future.