A quick scan of the daily news will tell you that IT security is becoming an increasingly important issue to both the public and private sectors.
But what about academic institutions?
Often publicly funded, and frequent collaborators with both private and public sector research bodies, have universities become a focal point for today’s most innovative – and dangerous – hackers?
Paul Stokes is CIO at the University of Victoria.
“I’m one of the people who thinks we are a target – there’s no question,” he said. “We have risks in two primary areas – administration and research. From the administrative point of view, we hold big data over extended periods of time. With research, we have both research data and intellectual property. Just like any business, hackers are interested in PII [personally identifiable information] and we need to protect those digital assets.”
As with other challenges in higher ed IT management, Paul says IT security can be a question of resources.
“Most of us don’t have the funds corporations might have to feed massive security infrastructure – nor can we acquire the same expertise,” he said. “We work hard, but we’re limited by our resources. It’s not a complaint; it’s just not the same scale.”
Mike Langedock is CIO at the University of Manitoba.
“Why are universities being targeted? Because of their openness – it’s a part of our culture,” he said. “From a vulnerability perspective, that is the nature of who we are. We’re mostly government institutions, and with that comes a high expectation of access.”
Mike says that student expectations also make the balancing act between accessibility and security a difficult one.
“Students expect access to their personal records and grades as if they were in a bedroom filing cabinet, so how do we create the expectation of accessibility, with layers of security around it that actually take on personalization? People expect that if you could do it with bricks and mortar, you should be able to do it electronically too.”
Mike says there is a broad spectrum of IT security needs and audiences – from administrative, to student-related, to research. It’s the research world that’s often the most difficult to manage.
“We’re now challenged with how research is exponentially growing in terms of its reliance on IT, and how it is being propelled by IT services. We need to allow them to continue their work without limiting their capacity for storage, emailing, file sharing and so on,” he said. “Plus, through their ambitions to publish papers, researchers don’t always have a high concern for security or confidentiality, as you might learn from an auditor or administrator. Research has become a global enterprise, and you need the ability to connect with those services. You don’t need to build them on campus, but you need to ensure that access to them is secure, and that it’s being done in an identity-verified manner.”
To help address these challenges, both Paul and Mike feel that education and enhanced awareness of the risks – for all users – are fundamental.
“One new approach involves trying to save people from themselves. It’s providing people with the knowledge and tools they need to be mindful of their vulnerabilities as they work with technology. It’s almost like a self-governing model,” Mike said. “Depending on how you reach out to people, it could shift the cost from technical infrastructure to more of an educational piece. That’s innovative.”
“It always comes down to the weakest link,” Paul said. “We can actively work on our security processes – data encryption, parameter protection, end-point firewalls, end-point protection, raising awareness and teaching – but typically, the weakest link is the human factor. For example, phishing scams are one of the top security weaknesses. In those cases, the weakest links are the people clicking on those links.”
“We help people make good choices in adopting security best practices for phishing, data storage, data transfer, etc. – it’s all about awareness and education.”
Still, both Paul and Mike agree internal and external audits are crucial components of any IT security strategy.
“Beyond security and privacy, there is the dimension of risk,” Paul said. “Whether from an overall institution or project point of view, we have to have a risk lens on. You need to choose to accept, mitigate or eliminate a risk – risk management is huge. The challenge is to be thinking about all three together, which lots of people don’t get.”
“Get third-party vulnerability tests,” he continued. “Looking at yourself is very different than having someone external look at you.”
The interplay between IT security, privacy and risk will continue to be a prominent discussion item at the next CUCCIO member meeting, February 17-19 in Vancouver. For more information on those meetings, visit the website.