To paraphrase Mark Twain's Comment about the weather, it seems that everyone complains about IT security, but no one does anything about it. A higher education "report card" survey released at the end of October showed that although security was named a top priority among administrators and IT directors, that concern isn't necessarily balanced by policy and resources.
"The good news is that higher education institutions do not have any inherent structural opposition to IT security initiatives," says Daniel Monahan, director of public sector sales for higher education for CDW-G, the technology supplier that conducted the survey (available at www.cdwg.com/educause). "The bad news is that as the academic community increasingly relies on information resources to fulfill their mission, IT staffs are absolutely stretched to the limit to meet the growing needs."
In fact, 66 percent of the respondents said they were able to dedicate less than one-quarter of their time to security.
Encouragingly, a majority of respondents believed their networks were safe or moderately safe from an attack. But the picture that emerged from the survey is one tinged with frustration, says Monahan. With budgets stretched thin, and accountability an issue, institutions more often spend their dollars on things that can show immediate results. Funding goes to tangibles, he says, rather than preparing for something that may--or may not--happen. "It's like the argument against buying insurance: 'Nothing's happened to me yet, so why should I?'"
More than half (55 percent) of the survey respondents said students were not very supportive or not at all supportive of security initiatives. Thirty-six percent said the problem stems from student disregard of rules and policies (while 32 percent added that faculty disregard is also a problem).
According to the survey, many security problems can be traced to students, although Monahan points out, "it's not from maliciousness, but from carelessness."
To no one's surprise, despite repeated warnings, students continue to download and share files from the internet, unaware that they may be corrupted. Chat rooms and IM applications open the door to mal-ware and "phishing" attacks. Laptops computers taken off campus may return infected with dozens of potential threats. And many smaller institutions, such as community colleges, are forced to share network resources with the local community, opening the door to a host of security issues.
But restricting network access defeats the purpose of having networks in the first place--that of being able to openly share information. (And how many institutions make it a point to mention their high-speed internet access as an enticement to prospective students?) So, in an effort to avoid possible network compromises, some schools have taken to hosting chat applications and files such as MP3s on dedicated servers. "They know they won't be able to stop the downloading, so they aren't fighting the idea, but embracing it," says Monahan.
While I think the desire to accommodate the lifestyles and interests of students in this way is a good thing, the solution addresses only part of the problem. If IHEs are truly concerned with IT security, they need to provide the funding and resources to back up that claim. As headlines of recent months attest, we've seen what can happen if we're not ready for the "what-if."
You can reach Tim Goral at firstname.lastname@example.org.