Research | News

Report: Central Admin Largest Security Risk for Higher Ed

• By Dian Schaffhauser
• 06/18/14

Maintaining security on campus may at times appear to be an intractable problem. In the past 30 days no fewer than six institutions have reported data breaches, including the University of Pittsburgh Medical Center, Arkansas State University's College of Education & Behavioral Science's Department of Childhood Services, the colleges in Riverside City, Norco and Moreno Valley and San Diego State University's Pre-college Institute.

Yet, a recent survey by the security-focused SANS Institute suggests that some schools may be bringing on their own problems. Earlier this year, SANS questioned nearly 300 respondents at colleges and universities — most in the United States and holding IT security job titles — for its first wide-ranging examination of security in higher education. The findings, reported in "Higher Education: Open and Secure?" are in some areas alarming.

For example, respondents reported that their biggest areas of unease from a risk perspective are central administrative systems (chosen by 70 percent), followed by faculty and staff computers and Web applications (which tied at 64 percent), and faculty and staff mobile devices (designated by 60 percent). Yet only 57 percent said they work in environments that bother to classify their sensitive data or provide usage guidelines.

While 76 percent of schools report giving "special attention" to personally identifiable information (such as social security numbers or banking information) and that same number have policies in place to restrict access to personally identifiable information (PII), encryption is lacking. While 54 percent encrypt PII in transit, an even smaller number — 48 percent — encrypt PII "at rest."

The difficulty of protecting PII, the survey reported, increases when data is maintained by systems that could be running on any of several networks — administrative, academic/instructional and research — each with its own set of privacy requirements that could conflict or compete with the others.

While respondents reported that exploits against internal database systems and servers were the "primary attack vector" they were most concerned about protecting against, the sheer number of faculty and staff endpoints in use on a campus also presents a formidable challenge in maintaining security. Each device could be the recipient of malware delivered through Web drive-bys, phishing lures and other software vulnerabilities, the report noted. As one respondent stated, "...We frequently don't know about faculty/staff connecting BYOD devices to sources of sensitive information until after they have done it, when they cry for help."

Fewer than one in two institutions have formal risk assessment and remediation policies. That count goes down even further at campuses with fewer than 2,000 employees.

On top of those areas of concern, IT security on campus is understaffed and under budget. The majority of respondents said they believed that they needed another one to five full-time equivalents of additional staff; an even higher number reported that there was no budget to maintain or increase staffing. The report pointed out that public institutions, particularly, often "find themselves in the cycle of hiring inexperienced analysts, training them and then losing them to higher paying jobs" in private companies that can "offer two to three times the salary they were receiving at the university."

In spite of the many hurdles, "Institutions seem to be mostly successful at preventing attacks from infiltrating their environments," the report concluded.

"Our message from this survey is that you're not alone. All of us share the same problems in creating and maintaining a secure campus," said survey author Randy Marchany, who is the chief information security officer at Virginia Tech University and the director of that school's IT Security Laboratory. "Despite these concerns, institutions are working to provide open and secure educational environment to their clients, the faculty, staff, students, parents and benefactors."

SANS hosted a webcast on the report, which is available in recorded form at sans.org, with registration.