Detailed report on campus security issues (3 year trend data)

CDW Government released the results of its third annual Higher Education IT Security Report Card, a national survey that asks higher education IT directors and managers to rate the state of IT security and the support they receive from constituents on their campuses. The 2007 report provides three-year trend data along with additional insights on increasingly complex campus security issues such as converged IT and physical security solutions.

According to the Privacy Rights Clearinghouse, there have been 148 publicly-disclosed data breaches at colleges and universities since 2005. While some incidents are unintentional, such as a data file posted to a public Web site, hacker activity and malicious attacks account for much of the data loss.

The 2007 CDW-G Higher Education IT Security Report Card reveals that despite increased attention to the need for better higher education IT security, there has been little progress toward improving IT security in higher education. Key findings from the study include:

• Fewer than half of campus networks are safe from attack; 58 percent report at least one security breach in the last year
• Data loss or theft has increased 10 percent in the last year, up to 43 percent, including the loss or theft of staff and student personal information
• Increased attention to the convergence of IT and physical security solutions, but slow adoption of these tools
• Lack of staff resources is the biggest barrier to improving campus IT security

While eight percent of respondents report that their network is “very secure” from attack, 47 percent report their network is “moderately secure but requires some improvements.” Not surprisingly, IT directors ranked issues regarding data protection as number three of the top five IT security risks on their campuses, with “sensitive data residing on unprotected machines” and “intruders gaining access to high-profile material” topping the list. This year’s study also points to an alarming rise in data loss or theft compared to the previous year, especially staff personal information (17 percent) and student personal information (16 percent).

For the first time in the study’s history, IT directors cite “lack of staff resources” as the biggest barrier to improving IT security. “IT managers’ responsibilities are growing at a rapid pace, consuming a greater amount of time than ever,” Smith noted. “The use of security information management tools can consolidate services and free IT staff to work on higher priority projects.”

This year, CDW-G asked IT directors about the convergence of IT and physical security programs, such as network access control, card access systems and mass notification systems. Respondents report that convergence is becoming a higher priority than in previous years, with 38 percent spending more time on it than the year before.

Eighty-six percent of respondents noted that their campus has the network infrastructure to support converged solutions, but only six percent have fully converged IT and physical security solutions. According to the EDUCAUSE 2007 Current Issues Report (May 2007), IT security is a top five priority among higher education administrators, but Report Card respondents note that convergence is not yet a top-five priority.

The Report Card

IT directors/managers were asked to rate the support for IT security that they receive from their executive administration, faculty and students:

• Administration earns a “B”: Respondents cite administrators’ “lack of financial commitment” as the biggest barrier to implementing better IT security and policies on their campuses. Respondents also note a need for administrators to commit to enforcing IT policies
• Faculty earns a “C”: The higher education culture continues to plague faculty grades. Respondents say that “lack of awareness” and the “expectation that exceptions will be made for individuals” are the biggest challenges. Using solutions such as network access control increases awareness of security protocols by ensuring that only machines updated with the latest software access the system
• Students earn a “C”: Respondents cite a “disregard of rules/policies” and “lack of awareness” as the major roadblocks with students. Many campuses are using education as a means to improve students’ understanding of IT policies, with required tutorial sessions or classes that engage students to be a part of the security solution