“The Social Security numbers of about 30,000 people became vulnerable after malicious software attacked Penn State University computers,” an article announced in December, 2009.
“Other data breaches occurred in January and February and in December 2008. One targeted a single computer; the two others affected hundreds of individuals.”
The problem is lack of funding. Year after year of steep budget cuts in the education sector have left primary, secondary, and university systems more exposed than ever to information security threats.
The vast majority of schools are falling behind in major security areas like security assessments and testing, threat prevention, remediation, training, policies and procedures, regulatory compliance, and current best practices.
“The rapid growth of network and cyber security threats poses a daunting challenge for higher education at a time of tight budgets and cost pressures,” says Michael Menefee, President of WireHead Security, located in North Carolina.
Unless an institution is of a substantial size, it rarely has a designated staff position such as a CIO or CSO, and the responsibility for system integrity is usually dispersed laterally to those who lack the authority to do much more than follow procedure.
Mitigation protocols are usually out of date, and keeping up with the dynamic pace of technology and hardware upgrades takes priority over comprehensive vulnerability analysis. The result is patchwork security efforts made in response to data loss events - which is much like continually filling potholes, but never fixing the road.
Data loss events at educational institutions give rise to a particular set of problems regarding remediation efforts.
First of all, many data loss events probably go completely unnoticed. When the stolen data is personally identifiable information, as opposed to thousands of dollars from a bank account, there are few red flags that pop up.
Information like names, social security numbers, dates of birth, and other such information in school records may lie dormant in the hands of a criminal network for years before it is ever utilized. When the impropriety is finally noticed, it may be difficult to trace the origin of the breach due to the time elapsed since the event.
Secondly, higher education students are a particularly vulnerable population when it comes to criminal exploitation. Near the beginning of any school term, college students may receive thousands of dollars in deposits to their bank or university accounts from parents, financial aid, and scholarships.
Theft of these funds could be detrimental to all involved, and leave the student out of school and potentially still on the hook for the loans, as outlined in the promissory note.
Which brings us to the third point: who is responsible when an event does occur? Certainly if a financial loss can be directly linked to data loss at a particular institution, the school will have to pay up to the extent the law allows.
But this is little consolation when considering most educational endeavors are not profit driven, and probably do not set aside a certain percentage of funds yearly to compensate for losses due to fraud, like a credit card company or retail outlet would.
And the vast majority of schools are public in nature, which means the taxpayer is ultimately responsible.
The plain truth is that security is a very real issue for everyone in every sector, and the vested interests must realize that data loss from vulnerable IT systems is the new norm, it is here to stay, and it is a pay now or pay later proposition.