A year ago in this space I wrote
about the results of a security survey conducted by CDW-G, which highlighted the concerns of university network administrators. The survey examined the support IT directors received from various campus groups-students, faculty, and administration-to pinpoint causes of resistance to implementing security programs. Chief among them was a lack of funding to adequately secure networks.
Have things changed much in a year? Short answer: no. Longer answer: Security is the top priority for IT administrators, yet their frustrations in safeguarding networks persist.
Security breaches that put valuable data resources and personal identity information at risk are a continuing problem in higher ed institutions, despite increased efforts to combat them. In fact, USA Today reported in August on 109 computer-related breaches at 76 schools in the preceding 18 months. And this year's CDW-G survey, conducted in conjunction with Eduventures, underscores the seriousness of the issue.
According to the survey (available at www.cdwg.com/higheredsecurity), 58 percent of respondents said they experienced one or more security incidents in the last year. Thirty-three percent of that number reported lost, stolen, or exposed data. Moreover, 9 percent reported a loss or theft of student personal information, and 5 percent reported a loss or theft of faculty personal information.
Of those reporting security breaches last year, the greater danger was not from the outside.
Interestingly, the report indicates that, of those reporting security breaches in the last year, the greater danger is not from the outside. "The majority of attacks come from within," says Stan Gatewood, chief information security officer for the University of Georgia.
Eleven percent of those reporting intrusions in the last year say the attacks came from within the institution and resulted in data loss or theft, compared with eight percent who reported data loss or theft from an outside attack.
These inside attacks come from students testing their hacking skills or from computers that have been "owned" (hacker slang for compromised) and which can act as remote launch pads for attacks, Gatewood says.
Just 11 percent of survey respondents say their infrastructures are "very safe" from attack, while more than half (51 percent) believe they are "moderately safe."
Gatewood suspects those numbers don't tell the whole story. He thinks it's likely a segment of those reporting safe networks fall in the category of "saying they're safe because they just don't know whether they've been attacked, or they don't want to report it."
It's not that security isn't an overriding concern of IT administrators; in fact, a significant majority of respondents (84 percent) to the CDW-G survey named it in their top five priorities. But, they claim, their administrations do not necessarily regard network security with the same sense of urgency. Fewer than half of the respondents report that their administrations make IT security a top-five priority. IT directors cite "lack of funding" and "too few staff resources" as the biggest barriers to improving IT security on campus.
Often, the choice comes down to money, Gatewood says. "They have to weigh the options: Do you keep all your services like e-mail, WebCT, Banner, and so on, up and running, or do you give me a million dollars to try and prevent something that may or may not happen?"
Too bad. It shouldn't be a choice anyone has to make.
Write to Tim Goral at firstname.lastname@example.org.