Although phishing gets a lot of attention, it is not the worst problem universities face when trying to protect confidential and sensitive data.  Three cultural factors also elevate the risk of losing or exposing personal information, research data, legal or financial information, or a host of other bits and bytes about university community members, donors, and partners.  After the CIO for the University of Maryland (UMD) was ousted following a tremendous data loss, he shared insights on the cultural challenges yet to be overcome in universities attempting to guard against a similar breach.  UMD had invested heavily in hardware, software and humanware defenses, and still fell prey to a cyberattack leading to “one of the largest data breaches ever in higher education.”

The three cultural challenges Brian D. Voss identified in his blog post are:

1. A culture of data retention (everybody keeps everything)
2. A culture of frugality in IT (budgets inadequate to follow best practices)
3. A culture of IT subservience (IT may be a customer service organization most of the time, but cannot be customer-service driven when creating and enforcing policies regarding information security).

Changing the culture of a university is no small feat.  The administrators and IT governance groups for each institution in higher education will discuss and take appropriate steps for their own campus. In the mean time, individuals in each institution can mitigate the risk of data loss in their own areas by using university owned or contracted email and storage solutions, secure networks like eduroam or university-controlled networks, and practicing safe computing habits.

For more information on safe computing habits, see Rice’s Information Security training modules: http://infosecurity.rice.edu.

This entry was posted on Tuesday, August 5th, 2014 at 12:53 pm and is filed under Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.