Campus Security Report Card: C for Effort

Colleges and universities have done little over the last three years to improve information security. Hindered by lack of staff resources and funding, security efforts remain largely unchanged, while incidents of breaches--including the theft of  personal information from within and without--continue to plague campuses. And, what's more, the integration of physical and IT security is still a reality in only a small minority of schools.

For these reasons and more, higher education institutions received, on the whole, a C average in the 2007 CDW-G Higher Education IT Security Report Card, the latest annual study from CDW-G and O'Keeffe & Co., which measures responses from higher education IT professionals to gauge the state of security on college campuses.

Network Infrastructure Security
On the whole, according to the report, IT security is in about the same position it was in last year, although there has been a 10 percent increase in the theft, loss, or exposure of data. Fifty-eight percent reported IT security "incidents," identical to the results from last year's study. But 43 percent reported lost, stolen, or exposed data, up 10 percent. Seventeen percent reported loss or theft of personal information about staff members, up 12 percent from last year; and 16 percent reported loss of theft of personal information about students, up 7 percent from last year.

Yet the vast majority of the IT professionals surveyed (93 percent) said they considered their network infrastructure "very safe," "safe," or "moderately safe." Only 7 percent said their network infrastructures were "not safe" or "fairly vulnerable."

Risks and Barriers to Security
So what do campus IT professionals consider to be the biggest threats to information security? Perhaps unsurprisingly, "sensitive data residing on unprotected or vulnerable computers" ranked No. 1 (with an average risk ranking of 3.68 out of 5). This was followed by (in order):
  • Intruders gaining access to high-profile, highly sensitive information or research results (3.59);
  • Downloading of unauthorized material (3.48);
  • End user sharing of authorized access (3.44);
  • Identity theft of a community user (3.32);
  • Increased use of laptops or other portable networked devices (3.3);
  • Vulnerability of wireless networks (3.16);
  • Malicious use of the network to attack other targets (3.1); and
  • Weak security credential policies (2.99).
What are the barriers to improving security on campuses? IT professionals this year cited the dearth of staff resources as the No. 1 barrier, followed by lack of funding, issues related to the culture of higher education, and the lack of defined security policy.

On the administration side, IT pros cite as significant barriers lack of financial commitment, lack of commitment to policy enforcement, lack of funding for training programs, and lack of awareness.

Said the report, "Campus IT security has not improved in three years, and critical data losses continue to put the entire community at risk.  Administrators bear the responsibility of taking the lead to unify and enforce security policies and procedures across campuses, colleges, and departments."

On the faculty side of things, lack of awareness tops the list of concerns, followed by an expectation on the part of faculty that exceptions will be made for individuals.

And, on the student side, disregard for rules tops the list of concern, followed by lack of awareness and personal devices in use on the network.

"Student and faculty lack of awareness continues to plague IT departments," the report said. "IT security education should be considered a first line of defense to improve campus security--with the funding and administrative support to affect real change."

Security Measures & Convergence
Despite the apparent lack of security improvement over the last three years, IT managers and directors have not been standing still. High percentages of colleges have taken measures to improve information security, as seen in the chart below.

The perception among IT managers, however, is that the administration does not place a high emphasis on data (or physical) security on their campuses. Fifty-six percent said that the administration considers physical security solutions "not important" or only "somewhat important." And 54 percent said the administration considers IT security solutions to be not or only somewhat important. Six percent rank physical security as the No. 1 priority, while 8 percent rank IT security as the No. 1 priority. Thirty-five percent of administrators, according to IT professionals, place both data security and physical security among their top-5 priorities.

As far as physical/data security convergence goes, 52 percent of respondents said they spent the same amount of time or less time (including 20 percent no time at all) integrating physical and information security compared with last year. Thirty-eight percent spent more time this year than last integrating physical and data security. (The remainder did not respond.)

Respondents were offered an opportunity to grade their own infrastructure's ability to support "new IT security and physical technology solutions" (convergence). The plurality gave themselves a B (39 percent). Fifteen percent gave themselves an A. Only 3 percent gave themselves a failing mark, and 10 percent gave themselves a D. Thirty-two percent gave themselves a C.

Only 25 percent rated their campuses as fully or mostly integrated with respect to physical and data security. Fourteen percent reported no integration whatsoever, despite the fact that their campus infrastructures are capable of supporting convergence. Twenty-six percent reported being in the early stages of convergence; and 38 percent said that there was "some" integration between physical and data security solutions on their campuses.

What are the most-used converged security tools?
  • Network authentication software (83 percent);
  • Card access systems (65 percent);
  • Emergency call boxes (58 percent);
  • CCTV (50 percent);
  • IP cameras (49 percent);
  • Electronic key locks (44 percent);
  • E-mail/text alerts (38 percent);
  • Sirens (34 percent); and
  • Loud speakers (19 percent).
The Report Card
The study concluded that higher education is not doing enough in the area of security--that it is not taking advantage of convergence, not seeing any year over year improvement in support from students or faculty, but that it is beginning to see some improvement in support for administration. And so it gives higher ed mostly average (C) marks, with a Santa Claus B in the area of administrative support.

In a final "call to action," the report cited four areas for improvement:
  • Administrative support for unifying and enforcing security policies;
  • Convergence;
  • A "layered" approach to security, including network access, content filtering, end point security, network security, and compliance; and
  • A building of security awareness among students and faculty.
The study was conducted between May 24 and Aug. 2 in person and online with 151 IT directors and managers in higher education, ranging from community colleges to research universities. Forty-three percent had 5,000 or fewer users on their networks; 57 percent had more than 5,000. The results have a margin of error of ±5.5 percent at a 90 percent confidence level.