National Cyber Security Awareness Month (NCSAM) always brings fresh attention and perspective to risks inherent in our connected lives — and, more importantly, to safeguards to help reduce those risks. While 2015 hasn’t seen the same number of high-profile data breaches, or of vulnerabilities in highly utilized technologies, as previous years, October still gives those engaged in the field of cybersecurity a chance to talk to and hear from others about the importance of security safeguards, and a chance to reengage and double down on their efforts.
It is with NCSAM in mind that we consider the state of cybersecurity in the higher education landscape.
Things Are Not Always What They Seem
What would the popular media have us believe about the state of cybersecurity in higher education?
- Every higher education breach reported is a “wake-up call.”1
- Education is “a near pervasive leader” in infections.2
- Our “highly regulated industry” has a price tag of almost $300 per record per data breach.3
- We implement fewer controls in our IT environments.4
- Institutions are unwitting hosts of malicious activity.5
We believe the education industry’s poor security reputation is undeserved and merits a closer look. The Verizon 2015 Data Breaches Investigation Report shows that the education sector (which includes higher education as well as K–12) ranks 11th among sectors in total reported security incidents and 9th in reported security incidents with confirmed data loss.6 The 65 confirmed incidents of data loss reported in the education sector are far fewer than half the number reported in each of the top three industries: public (303), financial services (277), and manufacturing (235); see figure 1.
About the authors
Kim Milford, JD, serves as the executive director for the Research and Education Networking Information Sharing and Analysis Center, REN-ISAC. In this role, she participates in the National Council of ISACs on behalf of the research and education networking community. Prior to this role, Milford was chief privacy officer at Indiana University, information security officer at the University of Rochester and information security manager at the University of Wisconsin, leading initiatives such as disaster recovery planning, identity management, incident response, and user awareness. Milford graduated from Saint Louis University with a BS in Accounting and earned her JD at John Marshall Law School.
Joanna Lyn Grama, JD, CISSP, CIPP/IT, CRISC, directs the EDUCAUSE Cybersecurity Initiative and the IT GRC (governance, risk, and compliance) program. She has expertise in IT security policy, compliance, and governance activities, as well as data privacy. She is a frequent speaker on a variety of IT security topics and is also the author of the textbook Legal Issues in Information Security (2nd ed., 2014). Grama graduated from the University of Illinois College of Law with honors.