A lack of funding and a shortage of staff time are the biggest obstacles to better information technology (IT) security in colleges and universities, according to a survey of higher education officials. Conducted by CDW-Government (CDW-G), a technology solutions provider, the survey also suggests a need for better network-security education for faculty members and students.
The Higher Education Security Report Card, released Oct. 24, was based on an informal survey of more than 100 school IT directors, staff, and executives nationwide. They were asked questions about the degree of computer and network security at their academic institutions, their comfort level with this security, and their perceptions of administrator, faculty, and student attitudes toward IT security.
Only five percent of those surveyed said their network is very safe from attack. Forty-one percent, however, said they have a safe network, and 44 percent reported their networks are moderately secure, but require some improvement. Nine percent said their system is fairly vulnerable to malicious codes, and only one percent of those surveyed said their system is not safe at all.
“Stakeholders do feel secure, but they know they’re vulnerable,” said Dan Monahan, higher-education director for CDW-G.
Christopher Cramer, director of IT security for Duke University, told eSchool News that the complexity of a large educational institution–which must support a number of different platforms and research efforts, transmit large amounts of secure data, and host any number of other activities across its network–makes it impossible to have an institution-wide solution to protect against security threats.
“Duke University is a difficult IT environment,” Cramer said. “It’s not just a business; it’s not just an education place; it is also an ISP [internet service provider] for students. A campus-wide firewall is not feasible. We’ve got 50,000 or 60,000 network pieces here. There is no such thing as a firewall perimeter.”
He added, “Given all these factors, I’d say we’re in a reasonably comfortable place in terms of security. But there’s no such thing as a ‘secure’ network. Applications that are attached to that network need to be secure. My personal philosophy is that all applications should be secure enough to run on a hostile network.”
Sixty-nine percent of those surveyed reported security is a high priority for their school’s administration. But two-thirds of these IT professionals said they are able to dedicate only 25 percent or less of their time to security concerns. Half of the survey’s respondents said a lack of funding is the most significant barrier to improving IT security on campus–and a third said their administrations are not committed to enforcing security policies or funding training programs.
“Technology is evolving so quickly, it is hard [for school administrators] to build policies around it. Nobody is sure how to write policy around IT security,” Monahan said.
“The good news here is that higher education institutions do not have any inherent structural opposition to IT security initiatives, with 73 percent of faculty and 87 percent of administration executives reportedly ‘very supportive’ or ‘supportive’ of cyber security initiatives on campus,” he said. “The bad news is that, as the academic community increasingly relies on information resources to fulfill [its] mission, IT staffs are absolutely stretched to the limit to meet the growing needs. The perception is there is a certain level of security, but no one feels they are at the top level.”
Monahan said he believes higher ed administrators should be concerned with security not only for keeping student data safe, but also for attracting new students.
“From conversations I’ve had around campuses, it appears that students are starting to consider technology and high-speed wireless bandwidth in making [enrollment] decisions,” he said. “And schools known to have non-secure networks should be very concerned about attracting students.”
The survey found a need for greater student education about IT security, noting that 36 percent of those surveyed said students disregard security policies; 25 percent said students lack awareness of these policies. On the other hand, only 14 percent of those surveyed said peer-to-peer file sharing is a significant network threat, and only three percent reported attacks from students are a threat to their network.
“Schools are now embracing some of the very issues they have been fighting over the past few years,” Monahan said. “For instance, many IT officials have figured out that students are going to find a way to download MP3s and shareware [which can be a source of malicious code when downloaded]. So, instead of trying to keep MP3s and shareware off the network, many schools are now hosting–in a cleansed and secure environment–say, the top 20,000 files that students are looking to download.”
Despite the survey’s findings, schools do appear to be taking action to better educate their students and faculty about network security, it was reported.
“This is the second year of our security-awareness campaign,” Cramer said. “We’re still struggling to find out what works and how best to reach students.”