The California State University system may well be a fine model for statewide higher education: It's enormous (more than 400,000 students on 23 campuses), affordable ($3,500 will cover your yearly resident tuition/fees in most cases) and highly regarded in many fields. However, as one might imagine, an organization so large and so diverse has many security risks to manage. If recent news is any indication of information security awareness in the system, improvement must be forthcoming.

In 2004 alone, the Los Angeles Times reports, the personal data of some 580,000 individuals in the Cal State computer system has been compromised. The tally includes 23,500 students, faculty and staff whose information was stored on a hard drive that has gone missing from Cal State San Marcos and another 558,000 students, applicants, staff, faculty and alumni whose information may have been compromised during separate network breaches at UC San Diego (which is part of the University of California system) and San Diego State. By California law, businesses must notify individuals when their information may have been compromised. That could be a long and costly task for Cal State.

Security problems have also dogged the UC system, which includes Berkeley, Davis, UCLA, San Diego and six others. In June, the Times reports, UCLA began to notify 145,000 blood donors who may have had their personal information compromised because of a laptop theft.

For the moment, these events present one big, scary what-if, as no cases of fraud have been linked to the lapses. But they are a sobering reminder of how vulnerable institutions of higher learning can be to information theft. What can be done about it?

Certainly, colleges and universities recognize the risks. In the August 2004 issue of CSO, Connie Saddler, IT security director at Brown, said she stresses the value of good infosec practices to the student body, including keeping their machines up to date with the latest patches (see “Crash Course”).
There's also some anecdotal evidence that Social Security numbers, which used to be commonly printed on student ID cards, are being replaced with unique student ID numbers to help prevent identity theft.

Conventional theft is also a serious problem on campuses, and that too could lead to identity fraud. Boston University reports that 50 laptops were stolen on its main campus between Sept. 1, 2003, and Sept. 1, 2004, totaling $78,000 in losses for victims. According to the report, only 28 percent of the laptops stolen were secured in the room or office from which they were taken, via locked door or other security device. The report did not say if there were any cases of identity fraud related to the thefts.

Saddler argues that communication is a key component of her security strategy. What do you think? Can open channels between IT, police, students, faculty and staff help colleges and universities lock down their data? How do you communicate the value of security to those whose possessions and identities you are supposed to secure?