This fall, CDW Government, Inc. (CDW-G), conducted its third annual Higher Education IT Security Report Card, surveying 151 higher education IT directors and managers to examine the status of IT security on campuses.
The results are not happy ones. Over half the respondents suffered at least one electronic security breach in the past year. Loss or theft of data is up 10%. Schools lack fully integrated physical and IT security systems, as well as resources and funding. And students and faculty alike aren't aware of security policies and disregard the ones they are aware of.
Maybe you even use a cell phone.
The report's conclusions?
- "Campus IT security has not improved in three years and critical data losses continue to put the entire community at risk. . . .
- "The growing convergence of IT and physical security tools offer institutions a chance to consolidate human and financial resources while strengthening overall campus security.
- "IT security breaches continue to force institutions to balance the free flow of ideas and information with the need to ensure community members' privacy. . . .
- "Student and faculty lack of awareness continues to plague IT departments. IT security education should be considered a first line of defense to improve campus security—with the funding and administrative support to affect (sic) real change."
Julie Smith, CDW-G's director of higher education, agrees that one of the biggest issues—particularly in the case of cyber safety—is awareness. Students in particular, she says, don't see themselves at risk: "They think, 'I'll be fine; it's not going to happen to me.'" Moreover, they don't understand how compromised they might be if, for example, their records were stolen. And finally, many students simply don't care: The Report Card indicates that 69% of IT directors and managers report very high or high student disregard for rules and policies (faculty compliance wasn't much better).
Another problem, Smith points out, is the need to integrate cyber and physical safety strategies. "The structure [of, for example, a university] is decentralized. Many schools look at their physical IT and their network IT separately." The data from the Report Card bear her out: "54% of respondents state that they have the infrastructure to support integration, but only 25% of campuses are 'fully' or 'mostly' integrated."
Perhaps a typical example to illustrate these issues is the University of Washington—40,000 students and an additional 27,000 employees on its Seattle campus. According to UW Chief of Police Vicky Stormo (retiring January 31, 2008), "We're so large, we're fragmented." And fragmented is as much a cultural phenomenon as a physical one. Although Stormo "would like to make all the computers on campus connected to the campus network," the university culture is such that each department wants its own system.
The structure is in place at UW: There's a chief information securities officer, a "Privacy Assurance and Systems Security" council, and numerous groups analyzing issues and making recommendations. But, reflecting the results from the CDW-G Report Card, the university is at the mercy of its budget and its resources. As Stormo plaintively points out: "Here's the reality of it: The focus is on education and research, and that is the number-one priority. Unfortunately, we are not at the top of the priority list. Unfortunately, it takes a tragedy to wake people up."
As a state university, UW needs to apply to the state for funding; it's the legislature that ultimately determines whether there will be enough money, say, to bring cameras to more than the hospitals and the stadium; to provide card access to more than 22 of the 260 buildings on campus; or to integrate all the various strategies to protect the campus from electronic or physical threats. It's another frustration for Stormo, who all along has wanted to be proactive in protecting the campus.
Universities across the nation appear to be in similar straits, and the CDW-G report confirms it. The obstacles to security are budgets, cultures, and lack of knowledge. At least with documents like the IT Security Report Card, the lack of knowledge can be addressed.
Vicky Stormo has her own way of looking at campus security, and it could be considered a rallying cry: "To me, it's an investment. You've got to be able to sell the administration. You've got to be able to get them to pay attention."
"Unfortunately, it takes a tragedy to wake people up."
"A problem in IT security can derail everything else you're trying to do."