Recent Wave Of University Hacks Underscores Continued Security Concerns
PR Newswire Association LLC |
Just this year, hackers have been successful in gaining access to over 740,000 student and alumni personal information records, including social security numbers, combined. The breaches occurred at
These recent breaches highlight the reason why universities need to take security seriously and extend their safeguards beyond unsecure email. While HALOCK's investigation highlighted a certain type of security lapse, the recent breaches underscore that universities need to consider security comprehensively.
Why aren't schools and universities taking the necessary steps to safeguard sensitive information? "Universities in general have limited budgets for information security, and therefore struggle to comply with the numerous laws and regulations regarding the data in their custody," says
Universities are overwhelmed by a number of issues:
- Typical university cultures promote open access to information: A core requirement for information security is the classification of information and systems. And because colleges and universities are quasi-public places, they must separate their public network zones from their sensitive network zones and ensure that each are secured according to their risk.
- Transient and inexperienced student workers: After colleges and universities have separated their sensitive systems from their public systems, they can assign student employees with jobs that manage the public systems, leaving sensitive information in the control of properly trained and vetted permanent employees.
- Limited security and compliance budgets: While colleges and universities have lower budgets than some organizations, no organization has enough budget to address all of their security needs. All organizations must prioritize their investments using the risk assessments that are required by law.
- Student hackers have ample time to target the university that is teaching them hacking skills: Especially for colleges and universities that provide information security courses, academic networks can become the "lab" for course homework … in other words, when you teach information security, expect your students to hack your network for practice. Ensure that those who teach the courses collaborate with IT personnel to detect and prevent the activities that are being taught in the classroom.
- Information technology changes are often limited to seasonal university breaks: Major security patches, upgrades, and security tool implementations are often held off until inter-semester periods when the risk of unavailable systems is lower. But this also means that the security risk is at its highest when class is in session. Proper change management processes can reduce your availability risks while making timely security upgrades.
- Difficulty in educating the
Board of Trustees or Regents on security risks: A well-constructed risk assessment will define risks, in part, by their impact to the mission of the institution. Impacts to students, faculty, research funding and the school's reputation and finances should all be considered as factors in risk assessments. A risk statement that reads, "A breach of PHI records from the research database, which foreseeably could happen over the next year, would result in major fines and would compromise our ability to get IRB approval for future research, as occurred atXYZ University Hospital last year," is far more compelling argument than, "Please can we buy the two-factor authentication appliance? It could prevent a breach!"
According to Kurzynski, "Universities need to get serious about securing their environment. They need to be sure that they are following security standards, as well as the laws and regulations that require the protection of personal information." Some find this challenging especially when budgets are tight.
Universities that implement a risk management framework often find it easier to reach compliance. "Under this framework, organizations invest in security so that they manage the likelihood and impact of breaches," says Kurzynski. "Securing information according to risk becomes much more manageable than might have previously been imagined."
About HALOCK www.halock.com:
Founded in 1996,
312.391.8007 Email
847.221.0203 Email
Read more news from HALOCK.
SOURCE HALOCK
Wordcount: | 841 |
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News