Despite efforts by colleges to secure their computer networks, the systems are still vulnerable to attacks by hackers and viruses, according to a study released by Educause, an education-technology consortium.
Students and faculty members are not adequately educated about security threats, the report says, and institutions are struggling to balance network security with an open academic environment.
The report, “Information Technology Security: Governance, Strategy, and Practice in Higher Education,” was released by Educause’s Center for Applied Research. It summarizes the results of a survey of 435 colleges, supplemented by interviews with technology administrators and case studies of four institutions. The report is available only to the center’s subscribers, but a summary can be found online (http://www.educause.edu/ecar).
The survey found that 62 percent of institutions require college-owned computers connected to campus networks to be free of security holes. But only 33 percent of the institutions had security-awareness programs to teach students and faculty members the importance of technology security.
‘Unintended Mistakes’
“IT security, in the end, comes down to people’s behavior,” the report says. “Most hazards facing higher education fall into the gray area of unintended mistakes made by colleagues within our institutional bounds.”
Robert B. Kvavik, former vice provost of the University of Minnesota-Twin Cities, and John Voloudakis, chief technology officer of the technology-consulting company Cap Gemini Ernst & Young, wrote the report.
Awareness programs could go a long way in patching security holes, Mr. Kvavik says, noting that some of the most serious security breaches come from carelessness on the part of technology users. Sometimes people forget to log out of secure networks, he says. Sometimes they even write their passwords on pieces of paper taped to their computer monitors.
“Higher education has been investing a lot, but it’s not enough,” he says. “It’s doing better than some people would purport. But still, it’s not enough.”
Colleges could pick up some techniques from industry, Mr. Kvavik says. For example, many businesses automatically scan every personal computer that is connected to the network. That prevents viruses and other security hazards from slipping past the company firewall when an employee brings a laptop to work.
He says he was surprised to find that many institutions have no plans for coping with serious problems that affect their computer networks. “Half of the institutions didn’t have a formal disaster-recovery plan, and that struck me as odd,” Mr. Kvavik says. “There are clearly some places that are living on faith.”
Richard N. Katz, vice president of Educause, says some professors worry that tighter network security could interfere with their work and their freedom to share ideas. For example, some firewalls block out electronic transmissions from Asia because that’s where many viruses and worms originate, he says. But if a faculty member has a colleague in Asia who is assisting with a project, the professor can specifically request that the security standards be lowered for that colleague’s transmissions, rather than risk leaving the entire network unprotected.
Preserving Academic Freedom
Rodney J. Petersen, project coordinator for a committee studying online security for Educause and Internet2, the high-speed research network, says tighter security will actually preserve academic freedom by ensuring the reliability of the data that researchers are sharing.
Because the new report follows this past summer’s wave of computer viruses and worms, he expects colleges to take to heart many of the recommendations. “For the first time, it gives institutions a benchmark so they can compare their current practices with what others are doing,” Mr. Petersen says.
It may be difficult to make many of the changes the report calls for, because colleges are hurting for money. But if institutions conducted better risk assessments, he says, they would find that they could save money in the long run by not having to clean up after hacker and virus attacks.
http://chronicle.com Section: Information Technology Volume 50, Issue 12, Page A12