Assessing School Security
If you attend Louisiana State University at Baton Rouge, you're no doubt familiar with its "Don't be a Tad" campaign—a series of amusing, illustrated episodes about "Tad Ramey" that appear on the university's website, e.g.:
Tad Ramey does not think twice about replying to an e-mail from his bank with personal information.
Unfortunately for him, it is a phishing scam.
Tad may as well have shouted his personal information to the world.
Tad is trapped in the phishing scam.
His identity is stolen.
When he is alone, Tad knows it is OK to cry.
The "Don't be a Tad" campaign is one way that LSU tries to keep its community informed and prepared for IT theft. Chief Information Officer Brian Voss says, "We've been trying to change the culture to one that is more concerned about IT security." Along with his Chief IT Security and Policy Officer, Brian Nichols, he has done more than change the culture: They've implemented new anti-virus programs, required longer and stronger passwords, substituted university IDs for social security numbers, and even provided free credit monitoring for the university's 30,000 students and faculty (through an arrangement with Equifax). After all, says Voss, "A problem in IT security can derail everything else you're trying to do."
A red alert to all institutions of higher education came last fall in the form of CDW Government, Inc.'s third annual Higher Education IT Security Report Card, surveying 151 higher education IT directors and managers to examine the status of IT security on campuses. The report found that institutions continue to be at risk—because of inadequate electronic safeguards and even more because of inadequate training, funding, and support.
Voss says, logically, that "In order to have effective enforcement, you have to have effective policy." Nonetheless, he also realizes that implementing an effective policy depends on a number of factors that aren't always under his control—budget, training, and even attitude. As he says, "Security and customer flexibility are on opposite ends of the continuum." Students and faculty who have to change their passwords to make them more resistant to tampering or who have to use cards instead of keys to get into their dorm or office may not appreciate the enhanced security.
Kirk Bailey, the chief information security officer at the University of Washington, is well aware of the challenges. He cites the "CIA" of cyber protection—confidentiality, integrity, and availability—and ruefully suggests that he and others in his profession are portrayed as "curmudgeon naysayers," because they're always pointing out the unintended consequences and potentially negative aspects of technology. Still, his analysis shows that the underlying theme of the new threats is that hackers are no longer the stereotypical geeks: "It's now clearly involving well-organized, well-funded, dedicated criminals."
What are they after? According to Bailey, it's "bandwidth storage, CPU cycles, and data"—particularly personal data. He's continually trying to establish awareness of security threats for students and faculty. "This is a very difficult challenge," he says, mainly because on a big campus like the University of Washington, "there are few touch points for students."
LSU's Voss is perfectly comfortable addressing IT security, and he's been successful at it (just last year, the student government put forth a resolution commending his department for their work); he also wants to be sure that merging physical security with IT security is efficient, that it's a benefit to his department. CDW-G can assure him; it believes that "increased IT and physical security convergence offer campuses the ability to streamline and improve campus security," e.g., using digital cameras that connect to the campus network. Collaboration is the goal, and CDW-G sees that this collaboration would make things easier for all concerned.
In a way, collaboration should come naturally, because, whatever else school security is about, it's about people at least as much as technology. Everyone associated with keeping campuses safe emphasizes the human factor: Both Brian Voss and Kirk Bailey are trying to make students more aware that they're vulnerable and, even more important, that they can do things to mitigate their vulnerability. The watchword is clearly vigilance, especially with increased access and increased use. As Bailey says, "You need to be aware that you're linking to tools and services that are nested in a broader connectivity. . . . We're all network neighbors now."
"Unfortunately, it takes a tragedy to wake people up."