Universities putting sensitive data at risk via unsecure email

Colleges and universities are putting the financial and personal information of students and parents at risk by allowing them to submit such data to the school in unencrypted email.

That was a finding in a survey released Monday by Halock Security Labs after surveying 162 institutions of higher learning in the United States.

Half the institutions allowed sensitive documents to be sent to them in unencrypted emails, the survey said, while a quarter of the schools actually encouraged such transmissions.

“Typically, they do what they need to do to comply with regulations, but they’re weak on risk management and actively controlling  and managing risk,” Terry Kurzynski, a partner with Halock Security Labs, said in an interview.

Security at larger universities tends to be better than at smaller schools and community colleges, he continued.

“Smaller colleges are breached all the time,” Kurzynski said.”They can’t develop the right level of security until they’ve been breached several times and someone at the president or board of trustee level says, ‘Enough is enough.'”

In addition to budget constraints, culture at universities works against solid security.

“Universities are unique because their purpose is to build and disseminate knowledge which means they must operate in a culture of openness and sharing,” said Rob Reed, worldwide education evangelist for the big data security firm Splunk.

That open culture can work against the kind of centralization needed for good security. Policies can vary from school to school within a university. “It doesn’t make a lot of sense, but a lot of these units strive to maintain a degree of autonomy,” said Larry Ponemon, founder and chairman of the Ponemon Institute.

“Each school or department can be a silo for data,” he said. “So it’s hard from a data protection point of view to have central control over information and as a result, a lot of these universities have data losses.”

[Also see: After 40 years, email security still elusive]

Ponemon has been performing data breach studies for years and he said universities typically place in industry comparisons  as some of the riskiest places for sensitive data.

Even at a schools with university-wide policies requiring encryption of sensitive data, it can be tough to run a secure ship. “You’ve got all sorts of units engaging in all sorts of practices and it’s difficult in a highly distributed environment like that to police all of it,”   Mike Corn, chief privacy and security officer at the University of Illinois, said in an interview.

“It’s a simple thing for someone to say in the interest of customer service, ‘Why don’t you scan that and send it to me,'” Corn added. “It isn’t that anyone is intentionally violating a policy. In an environment where you have a lot of high touch customers, it’s easy to fall back on what works easiest for the customer and not think about security implications.”

Not everyone was worried, however, by Halock’s findings. “I’m not very alarmed by what they found,” Marc Gaffan,

founder of Incapsula, a cloud security company, said in an interview. “Email encryption is overkill.”

He argued that there are practical concerns when considering widespread use of encryption.

“The usability aspects around email encryption are not trivial,” Gaffan said.

Encrypting email is only a small part of the problem, he continued. “The real problem is what happens to that email when it hits the university.”

“It’s like keeping a key in the lock,” Gaffan said. “The fact that the door has a lock on it doesn’t protect it if the key is in the lock and anyone can unlock it.”