Data security, one year later

It’s been a little more than a year since Western’s server security breach. Has data security on campus improved? Unfortunately, in many ways, not yet:

  • Campus wireless networks offer anonymous access to anyone.
  • Wired networks distribute IP addresses indiscriminately.
  • Plain-text logins abound. (Indeed, telnet to the campus Unix cluster is still supported!)
  • Non-encrypted webmail is supported (and will be, apparently, on our new Zimbra installation).
  • Some campus webservers still use IIS.

Many of the “University Technology Recommendations” address these issues. (The link is password protected. Security through obscurity? Hrm.) However, Western’s biggest overall problem with technology shows in this document; the proposed changes focus on hardware and software, not end users. There’s only one nod to end-user education, and it’s the last recommendation:

Recommendation 22: Raise security awareness, for example, leaving passwords on post-it notes, remaining logged in while being away from one’s desk, never giving one’s password to anyone, being aware of “phishing” schemes, etc. Recommend development of training and testing that becomes an annual requirement for employment similar to ethics training or sexual harassment training. Requirements: staff time, possible outside resources, $10,000-$20,000.

One of twenty-two isn’t going to cut it. And the ethics training model is NOT the right one; what a disaster that’s been. Given that everyone has a personal stake in data security, forcing compliance is counterproductive. Instead, training should show that following good security practices is best for good student-teacher relationships, ensures compliance with education privacy requirements, and delivers secondary benefits as well (lower likelihood of data loss, for example).

I’m glad to see some strong policy changes which address many of the problems I name above. I hope they will be implemented soon. And I don’t mean to downplay the complexity and difficulty of fixing the problem. Like most things digital, data security is a cultural issue, which means lots of time and energy is required to change behavior, correct existing deficiencies, and prevent future problems. Installing firewalls, replacing hubs with switches, and adding intrusion detection is a good start. But it’s not enough. Leadership, education, good examples, and incentives to improve should be the core of a comprehensive plan to address our data security shortcomings. So far, Western is falling short in all four areas.

This entry was posted in Nerdliness.

4 Responses to Data security, one year later

  1. WIU MBA says:

    I hear that the university technology reorganization is to be announced September 24. I wonder if the changes will be effective or if it is a temporary patch?

  2. cbd says:

    Announced, of course, not “presented for review by the university community.”

  3. WIU MBA says:

    Yeah. I’m afraid that we will be presented with a slightly modified status quo. End users are out of the loop, as are the technology people behind the scenes. I heard of an assistant director who was refused a look at his area’s budget, and how a supervisor referred to his staff as “incompetent” when speaking to the university administration (Dr. Rallo, Dr. Goldfarb, and Dr. Rives). It’s time for the Narcissism to be terminated. Especially when it is used to belittle a supervisor’s own staff.

  4. cbd says:

    Sounds like it’s time to get on the faculty senate meeting agenda again.
