IT security remains ‘risky business’ at college campuses


A preliminary look at new survey data suggests higher education officials are getting the message about the need to boost information security spending and staffing.

Postsecondary institutions have made significant headway in training faculty and students on the finer points of protecting their information, but are still underinvesting in IT security overall, according to Joanna Grama, who directs cybersecurity programs for EDUCAUSE, a nonprofit group supporting information technology use in higher education.

Budget pressures contributed to private and public institutions devoting just 2 percent of their central IT spending on information security, according to a snapshot report released last month by EDUCAUSE, based on 2015 data.

Sparse spending was also reflected in IT security staffing: Colleges and universities employed just one full-time central IT security employee per 10,000 full-time institutional employees in 2015, according to the report.

The initial results from a 2016 member survey, due to be released this April, however, show signs of improvement, Grama said.

Average spending for information security on college campuses increased from 2 percent of central IT spending in 2015, to 3 percent in 2016, Grama told EdScoop; and the average number of full-time IT security specialists doubled — to two per 10,000 full-time institutional employees — over the same period.

Nevertheless, says Grama, “Institutions are noting that limited resources is making it hard for them to move — they are doing a lot with a little.”

That’s one of the reasons why information security, for the second year in a row, topped EDUCAUSE’s annual top 10 IT issues list confronting higher education officials.

Grama said institutions are focusing their attention on four issues in particular that pose the greatest information security risks on campus:

  • Phishing and social engineering
  • End-user awareness, training and education
  • Limited resources for the information security program
  • Addressing data protection and privacy regulatory requirements

“Presidents and board members are just as vulnerable to social engineering attempts as are students, faculty, and staff,” Grama said in an article she co-authored with Valerie Vogel, EDUCAUSE’s senior manager for cybersecurity programs.

“Over the past two decades, phishing scams have become more sophisticated and harder to detect. Traditional phishing messages sought access to an end user’s institutional access credentials (e.g., username and password). Now ransomware and threats of extortion are common in phishing messages, leaving end users to wonder if they have to actually pay the ransom,” they added.

End-user awareness, training and education remain a vital weapon in combating persistent threats. Although three in four higher education institutions in the United States require information security training for faculty and staff, those programs tend to be leanly staffed with small budgets, according to Grama.

Complicating the work of higher education IT professionals is the need to adhere to a complex patchwork of data protection and privacy laws governing how schools must guard students’ personal, financial, scholastic and health information.

Information security remains a risky business for institutions hoping their IT departments can keep up with the growing threats.

Just last week, a firm specializing in cyberthreat intelligence reported that a hacker called Rasputin had compromised, and was now offering access to, databases belonging to two dozen U.S. universities.

EDUCAUSE’s Cybersecurity Initiative hopes that by offering an information security program assessment tool, and sharing benchmarking data and other services, higher education officials will appreciate the challenges their campus IT departments are facing.