Jayson Steet tweeted a link to a Computer World article about the recent rash of security breaches in the academic environment. (Aside: Follow Jayson as he will soon be releasing a book called F0rb1dd3n that looks awesome!). There are a few interesting tidbits in this article and definitely worth the read if you work in academia.
I think the author might be too bold by saying that during the last few weeks of the semesters that breaches occur more often due to students being under duress. I think pretty much everyone is under some sort of duress during these important final weeks of the semester. From the faculty designing finals and grading, to the staff having to put up with the faculty, to the IT staff having to make sure everything is working . Perhaps it is people trying to take shortcuts (such as taking PII home on their laptop, which then gets stolen) to get work done quickly in situations where time is limited, but I think you can hardly pin it just on the students.
Computer World also talks with the author of “Breaches in the Academia Sector“, John Correlli, who adds a spot on statement of “Privacy governance in academia is far too frequently thrown into the laps of the IT folks, who are then told, implicitly or explicitly, that privacy isn’t a priority until it’s a problem.“ When is it considered a problem? When you (being the college, unit, dean) need to spend money to notify victims of a breach? When you suffer embarrassment due to a breach? I think the ‘it can’t happen to us‘ way of thinking no longer applies as breaches have struck all areas of academia. So why not take the steps to be proactive beforehand so you don’t have to pay for notifications or you don’t have to suffer the embarrassment? Simple, people hate, fear, and resist change. Unfortunately, the open environment of academia hinders change and is typically used as an excuse to resist it.
John also says that the academia is prone to these threats due to “A customer user population that is relatively low paid, lives “on site” and experiences high turnover.” I agree with this and not only in the customer user space, but in the IT Staff space. Typically lower end IT Support/Sys Admin jobs are stepping stones for people to move onto better positions and typically on the lower end of the pay scale. Although I don’t have any numbers (but would love to find some) on the pay differences between academia and business, I would say that academia IT is on the lower end of the pay scale compared the same position in the commercial sector. Then a new person has to come in, make heads or tails of what the last person did (You mean every IT person does not document what they did?!?), and go on with their everyday job. So then it comes to how do you keep talented young IT staff who can go work somewhere else for plenty more money, and most times much less grief.
So, the million dollar question is, how do we secure data and promote the open environment of academia? I think Michael Santarcangelo has some great ideas in his book ‘Into the Breach‘ such as holding people accountable for their actions and engage the people whose data you are trying to protect. Would love to hear how other people are doing it.
