College campuses are centers for learning and exploration, where students and faculty develop, exchange, and trade information. More than most other organizations, colleges and universities are in a continuous state of information sharing and data creation, and they rely heavily on the ability to seamlessly share, store, and protect that information within their communities and among their partners.
What’s more, life on a campus is always in flux. Students and faculty come and go, and their need to access certain information, not to mention physical campus locations such as dormitories and labs, is fluid.
As a result, the university setting causes big headaches for chief information officers and other technology professionals who are charged with securing the data that reside on a university’s computer systems—everything from proprietary research to students’ financial and personal data.
Involuntary threats from within
While most CIOs spend their days worrying about external hacking threats, a university’s greatest vulnerability comes from its own students, faculty, and administrative staff. Across the higher-education field, too many insiders have access to sensitive information that they should not be privy to, and the outcome can be highly disruptive and damaging to a university’s operations and reputation.
Making matters worse, most data security breaches are actually the result of students or faculty unwittingly acting as an accomplice to an internal or external threat.
In fact, in many data-breach cases on college campuses, there is no malicious intent on the part of the insider—even though they are the primary facilitator of the crime. University computer systems are a hotbed for all types of personal information, including names, Social Security information, and addresses—making them especially enticing for identity thieves.
Hackers realize that most computer users lack the sophistication and understanding of computer systems and data-sharing, and they leverage that to its fullest extent. As a result, they create strategies to trick users into sharing private and sensitive information without ever knowing they are doing so.
For example, it’s not uncommon for students to install file-sharing software using university computers connected to the school’s IT systems. The student, in most cases, perceives this to be an innocuous activity. In reality, however, the student’s actions provide an entry point for a hacker to compromise the security of the overall computer network. It is a seemingly innocent step taken by a student or employee that ultimately enables a cybercrime to take place.
Prerequisites for data security
The “unwitting accomplice” poses one of the greatest threats to protecting student and organizational data. There is no silver-bullet solution to this dilemma; IT directors can’t spend their way out of this problem, and they can’t flip a switch that will fully protect the data that reside on the university’s system.
Rather, universities must deploy a layered approach that combines stringent access control with continuous education on data security for all employees and students. From the ground up, such an approach addresses the cultural and psychological aspects of data security as much as the physical and digital ones.
With access control, campus technology directors must be meticulous about establishing procedures that limit, deny, or allow access to information for all users accessing the network—whether they are students, faculty, staff, or visitors. Ensuring that access to specific data resources is limited to those who require it, enforcing password-management processes, and continually auditing the system further strengthen network security. Access control strategies also must include the ability to efficiently terminate access to the network for former employees or students who no longer work at or attend the school.
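The paragraph above lists three controls that reinforce each other: least-privilege grants, a way to revoke access when someone leaves, and continual auditing. The following added example (not code from the article or from Fischer International) shows how those three fit together in a small role-based model. The roles, resources, user names, and dates are constructed for illustration; the point is that authorization decisions are logged, departed users are denied even before anyone remembers to deprovision them, and a review pass flags stale accounts and one-off grants that exist outside any role.

```python
"""Least-privilege access control with offboarding and audit review (constructed example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Role -> set of (resource, permission) grants. Roles and resources are hypothetical.
ROLE_GRANTS = {
    "student": {("course-materials", "read"), ("own-transcript", "read")},
    "faculty": {("course-materials", "read"), ("course-materials", "write"),
                ("gradebook", "write")},
    "registrar": {("student-records", "read"), ("student-records", "write")},
}


@dataclass
class Account:
    user: str
    roles: set
    active: bool = True
    affiliation_end: Optional[date] = None          # last day of enrollment/employment, if known
    extra_grants: set = field(default_factory=set)  # ad-hoc grants outside any role


class AccessControl:
    def __init__(self) -> None:
        self.accounts = {}
        self.audit_log = []   # (date, user, resource, action, decision) tuples

    def add(self, account: Account) -> None:
        self.accounts[account.user] = account

    def grants_for(self, account: Account) -> set:
        """Effective grants = union of role grants plus any ad-hoc grants."""
        grants = set(account.extra_grants)
        for role in account.roles:
            grants |= ROLE_GRANTS.get(role, set())
        return grants

    def authorize(self, user: str, resource: str, action: str, today: date) -> bool:
        """Deny by default; every decision is written to the audit log."""
        account = self.accounts.get(user)
        if account is None or not account.active:
            allowed, reason = False, "no-active-account"
        elif account.affiliation_end is not None and today > account.affiliation_end:
            # Affiliation has ended: deny even if nobody has run offboarding yet.
            allowed, reason = False, "affiliation-ended"
        elif (resource, action) in self.grants_for(account):
            allowed, reason = True, "granted"
        else:
            allowed, reason = False, "not-granted"
        decision = "ALLOW" if allowed else "DENY:" + reason
        self.audit_log.append((today.isoformat(), user, resource, action, decision))
        return allowed

    def offboard(self, user: str, today: date) -> None:
        """Terminate access for a departed student or employee."""
        account = self.accounts[user]
        account.active = False
        account.affiliation_end = account.affiliation_end or today
        account.extra_grants.clear()
        self.audit_log.append((today.isoformat(), user, "*", "*", "OFFBOARDED"))

    def review(self, today: date) -> list:
        """Periodic audit: stale active accounts and grants that bypass the role model."""
        findings = []
        for account in self.accounts.values():
            if (account.active and account.affiliation_end is not None
                    and today > account.affiliation_end):
                days = (today - account.affiliation_end).days
                findings.append(f"{account.user}: still active {days} days after affiliation ended")
            for resource, action in sorted(account.extra_grants):
                findings.append(f"{account.user}: ad-hoc grant {action} on {resource} outside any role")
        return findings


def build_demo() -> AccessControl:
    """Constructed population: one over-granted student, one departed faculty member."""
    ac = AccessControl()
    ac.add(Account("alice", {"student"}, extra_grants={("gradebook", "write")}))
    ac.add(Account("bob", {"faculty"}, affiliation_end=date(2024, 6, 30)))
    ac.add(Account("carol", {"registrar"}))
    return ac


if __name__ == "__main__":
    ac = build_demo()
    today = date(2024, 9, 1)
    print(ac.authorize("alice", "course-materials", "read", today))   # True
    print(ac.authorize("bob", "gradebook", "write", today))           # False, affiliation ended
    for finding in ac.review(today):
        print("REVIEW:", finding)
    ac.offboard("bob", today)
    print(ac.review(today))   # only alice's ad-hoc grant remains
```

The review pass is what turns "continually auditing the system" into something actionable: an ad-hoc grant such as alice's gradebook access is exactly the kind of entitlement that accumulates on a campus and is never revisited unless a report surfaces it.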
Finally, colleges and universities must educate their employees and students about data-security and access-control policies, and help them understand how the decisions they make when accessing the network play a critical role in defending the organization from data breaches. These audiences need to understand the penalties and the impact that their computer usage has on the data they expect the university to safeguard.
Today, we are seeing this education in the form of memos, podcasts, regular e-mail announcements, and highly visible user policy guides that outline the dangers and consequences of campus network breaches. Since one of the most dangerous activities plaguing higher-education institutions’ systems is peer-to-peer file sharing, many IT directors have made it a requirement for all network users to agree to a university policy prohibiting this behavior when first logging in. Additionally, campus technology staff should provide easy access to instructions on how to properly disable file-sharing mechanisms to further protect the network.
When it comes to preventing data breaches, insiders can be a formidable first line of defense or a major liability. The key is never to assume that users are self-educated on the nuances of protecting the network, and never to let down your guard, because the threats to your data evolve at a dizzying pace.
In the end, university IT directors who embrace these core principles will provide sound data-security practices that will enable their schools to do what they do best: provide a world-class education in a safe and secure environment.
Andrew Sroka is CEO of Fischer International, an identity management security company.