Add as a preferred source on Google


6 Factors Impacting Information Security and Privacy During the COVID-19 Crisis

In these uncertain times, it's important to consider the ways crisis response is influencing the security and privacy of institutional systems and data.

  • By Brian P. Fodrey
  • 05/28/20
laptop with lock symbol on screen

To say the COVID-19 pandemic has been a disruption feels like an understatement. The impact we have seen and experienced in our otherwise everyday lives has been far-reaching, overwhelming, inspiring and without question more often than not, challenging. For those in higher education — faculty, staff, students and their surrounding communities — it's hard to envision a time when traditions of the academy will be restored to a point we all fondly remember.

That said, the herculean efforts put forth by all parties across higher education to meet the challenges presented to us as a result of adapting to the COVID-19 pandemic have been nothing short of impressive and revolutionary. In as little as a few weeks, institutions built on the tradition of face-to-face instruction and campus engagement had their entire world upended by nearly instantly moving to remote instruction, remote working and remote student engagement. While the success stories are limitless and those involved truly haven shown their spirit and commitment to education and student success in ways that will never be fully documented, we have learned a lot too.

The importance of information security and privacy has been a hot topic and growth opportunity for many higher education institutions across the country for years. With the introduction of global influences such as GDPR, national and local legislation, and the general geo-political climate, our efforts in this space are simply no longer a want, but a need. This has never been clearer than in the current environment in which we find ourselves: managing an unprecedented crisis during uncertain times. We all now know, simply trying to conduct business as usual until we return to a more normal or familiar time is no longer an advisable path forward.

During this crisis, over a relatively short amount of time we have learned a lot about our institutions' information security posture, as well as those we support and the data we protect. In otherwise chaotic times, it is important to reflect on where we were (pre-crisis), where we are (managing the crisis), and where we need to be (post-crisis) as it relates to all the services and systems we are responsible for — but especially in response to what the last several weeks have presented. While each institution's experience is likely individualized and hardly standard, as you recount your lessons learned and future planning, consider the following factors influencing security and privacy during this crisis.

1) Expediency of the Migration to Remote

The classic project management philosophy dictates that projects can only be two out of three things: cheap, fast or good. In the current situation, fast was the mandate, so we were left with just two options: 1) Some of the efforts that were put forth came at an expense that will now need to be accounted for in already strapped budgetary times (in other words, good but not cheap), or 2) The quality of the solution might reflect its intention as a temporary option or the solution lacks a sustainable business or support plan beyond the immediate (cheap but not good). It is always worth remembering, while information security is a critical piece to maintaining a reliable and productive enterprise operation, it can sometimes be left behind if you don't already have processes and systems in place that build in those principles in all phases and not as a secondary consideration.

2) Enhanced Vendor Accommodations

The solution and service provider response during this time has been unlike anything I've seen before — and without it, institutions would likely be struggling to offer services and support to a user population that no longer resides or has a presence on campus. In a lot of ways, the licensing and access that has been afforded to us (temporarily) by many of our vendors/partners is likely what we always wished we had or could afford all the time! But this also is a cautionary tale for many because with those looser or more generous access options, you may find yourself in a situation where users are accessing and managing university data and information in ways that you no longer have oversight or visibility into.

3) Supporting a Fully Remote User Population

The proliferation of "free" software and web applications available to the user population is nearly endless right now, and ensuring every solution is vetted or integrated with a single sign-on solution simply isn't feasible. As a result, we may find that many are creating accounts using their university-managed e-mail address (and likely a similar password) on systems with vulnerabilities that, in different times, might have been handled by those responsible for ensuring user security and system safeguards. This abundant access to niche solutions also creates opportunities for users to veer away from enterprise-level supported and licensed software. Now more than ever we should be promoting the tools available to our users, and more importantly how to use them.

4) Shared Access to Technology

The increased demand for technology and internet service is unprecedented. Nearly all populations on campus are looking for ways to ensure they are meeting work-from-home demands, home schooling, etc., often with limited supply of technology means in their homes. It's also not uncommon, understandably so, for many of us to have to be creative with who is using that technology and how. A change in otherwise predictable user behavior is a primer for additional exposure to information security challenges and vulnerabilities. Whether it be ensuring applications are properly logged out, sessions are ended, etc., managing a machine that is shared by many creates vulnerability to the data owner, but also challenges their privacy.

5) Access to the Internet

Similar to the extremely generous and vital offerings of many other solution providers, nearly all local internet service providers (broadband and cellular) are offering drive-up hotspots with free, public WiFi for users who otherwise have limited or no access to the internet. Obviously, this is a critical piece to anyone's success, whether it be someone working remotely or a student completing their studies. The need for high-speed and reliable internet access has never been higher. That said, consider the slightly less obvious risk this may present in protecting one's electronic footprint and data privacy. An open, public WiFi signal is already a vulnerability in any conditions, but the increased demand and propensity for doing more secure activities on that signal makes this an area of concern that should be addressed through promoting VPN use, encryption, etc.

6) Limited Operations and Reduced Funding

Most of us throughout higher education already have felt the struggle and strain of limited budgets, shrinking staffs, etc. But often some of the most inspiring stories reflect the great things many are doing in spite of those conditions. While it's still unknown the level of impact this crisis will have across the higher education landscape long-term, we do know that in the moment many are experiencing hiring freezes and budget cuts or moratoriums. This, of course, affects all aspects of life on campus and beyond, but is most certainly impacting how many are managing, monitoring and remediating increased information security risks. Not to mention handling the increased vulnerabilities associated with further delaying and relying on aging infrastructures and systems that were otherwise due for replacement or upgrade. With these limitations, it is important to ensure you are adapting and prioritizing your information security planning equal to the risk appetite your institution expects.

Looking to the Future

As you reflect on the last few months and look to what lies ahead, it's important to resist the urge to let this crisis control the narrative of what can be accomplished. Consider using this time of uncertainty as a pivot point and a launching pad to re-envision information security at your institution. In short, in the world of information security and privacy, the standard is still the standard. So whether you are determined to:

  • Revisit old service agreements and contracts to ensure compliance;
  • Ramp up your user awareness and adopt new policies and procedures; or
  • Reprioritize your strategic plans based on lessons learned and a new climate …

Don't wait. Soon the technical firefighting spawned from the COVID-19 pandemic will wane, and a new normal will emerge as we return to campus. The sooner we are able to begin adapting from what we have learned, the better our resolve for ensuring we maintain the standard of security those across higher education have come to need and expect.

Featured

  • InCommon Academy in action with an Advance CAMP unconference activity at the Internet2 Technology Exchange

    Community-Driven IAM Learning with Internet2's InCommon Academy

    Internet2's InCommon Academy Director Jean Chorazyczewski examines how the academy's community-driven identity and access management learning opportunities support CIOs, IT leaders, and their IAM teams in R&E.

  • businessman juggling cubes

    Anthology Restructures, Focuses on Teaching and Learning Business

    Anthology has announced a strategic restructuring, divesting its Enterprise Operations, Lifecycle Engagement, and Student Success businesses and filing for Chapter 11 bankruptcy in an effort to right-size its finances and focus on its core teaching and learning products.

  • Jasper Halekas, instrument lead for the Analyzer for Cusp Electrons (ACE), checks final calibration. ACE was designed and built at the University of Iowa for the TRACERS mission.

    TRACERS: The University of Iowa Leads NASA-Funded Space Weather Research with Twin Satellites

    Working in tandem, the recently launched TRACERS satellites enable new measurement strategies that will produce significant data for the study of space weather. And as lead institution for the mission, the University of Iowa upholds its long-held value of bringing research collaborations together with academics.

  • Hand holding a stylus over a tablet with futuristic risk management icons

    Why Universities Are Ransomware's Easy Target: Lessons from the 23% Surge

    Academic environments face heightened risk because their collaboration-driven environments are inherently open, making them more susceptible to attack, while the high-value research data they hold makes them an especially attractive target. The question is not if this data will be targeted, but whether universities can defend it swiftly enough against increasingly AI-powered threats.