It’s been a little more than a year since Western’s server security breach. Has data security on campus improved? Unfortunately, in many ways, not yet:
- Campus wireless networks offer anonymous access to anyone.
- Wired networks distribute IP addresses indiscriminately.
- Plain-text logins abound. (Indeed, telnet to the campus Unix cluster is still supported!)
- Non-encrypted webmail is supported (and will be, apparently, on our new Zimbra installation).
- Some campus webservers still use IIS.
Many of the “University Technology Recommendations” address these issues. (The link is password protected. Security through obscurity? Hrm.) However, Western’s biggest overall problem with technology shows in this document: the proposed changes focus on hardware and software, not end users. There’s only one nod to end-user education, and it’s the last recommendation:
Recommendation 22: Raise security awareness, for example, leaving passwords on post-it notes, remaining logged in while being away from one’s desk, never giving one’s password to anyone, being aware of “phishing” schemes, etc. Recommend development of training and testing that becomes an annual requirement for employment similar to ethics training or sexual harassment training. Requirements: staff time, possible outside resources, $10,000-$20,000.
One of twenty-two isn’t going to cut it. And the ethics training model is NOT the right one; what a disaster that’s been. Given that everyone has a personal stake in data security, forcing compliance is counterproductive. Instead, training should show that following good security practices is best for good student-teacher relationships, ensures compliance with education privacy requirements, and delivers secondary benefits as well (lower likelihood of data loss, for example).
I’m glad to see some strong policy changes which address many of the problems I name above. I hope they will be implemented soon. And I don’t mean to downplay the complexity and difficulty of fixing the problem. Like most things digital, data security is a cultural issue, which means lots of time and energy is required to change behavior, correct existing deficiencies, and prevent future problems. Installing firewalls, replacing hubs with switches, and adding intrusion detection is a good start. But it’s not enough. Leadership, education, good examples, and incentives to improve should be the core of a comprehensive plan to address our data security shortcomings. So far, Western is falling short in all four areas.