Tuesday, April 21, 2015

As I See It: #8 on Developing Security Policies, 2015 Educause Top 10 Issues

The Top 10 Issues of 2015 for higher education technology were announced last fall at the Educause conference in Orlando and officially released recently to the public [http://www.educause.edu/research-and-publications/research/top-10-it-issues]. This entry is my eighth in a series of ten as I share my thoughts on each of the issues.

Issue #8: Developing security policies for mobile, cloud and digital resources that work for most of the institutional community.

If this isn't the year of focusing on security for your respective purview, I'm not sure what you're working on. Since the Target breach hit in late December 2013, the media has been a-flurry with fallout, repercussions and a continuous flood of additional breaches - Sony and Anthem to name a most notable couple. Issue #8 as listed above assumes that all security needs are wholly addressed at every basic level besides mobile, cloud and digital. Recent discussions tell me otherwise. Many tech leaders talk a good game and have all the right responses, however it's not unlikely that we might not even have the basics covered security-wise.

The current state of security in our world? More breaches (48% increase), cost-per-breach increase, security budgets decrease. Although there is a focus, there seems to be a smaller investment. Not investing in security can lead to debilitating a business. With cyber-insurance these days, the obvious costs may be offset but the long-term repercussions could be insurmountable in industries with competition. As an example...seemingly to throw a wrench into everything, a report was just released showing that data breaches may cost less than the security measures being implemented to prevent them. What does this mean to me? Not much. And unless you are a retailer of Target's stature primarily concerned with protecting PII, it shouldn't mean much to you either. These breaches can likely destroy small- to medium-sized businesses financially and by reputation. Big-box retail stores have little competition. Higher ed on the other hand is only gaining in competitiveness. Remember that.

So what to know? A few facts:
  • More than 500 million personal records stolen via data breaches in 2013
  • Average per capita cost for each record lost: $145-$240
  • Average company cost for a single breach: $3.5 million

Obviously an initial security assessment needs to happen to address system issues. From this assessment a long-term, rolling security and infrastructure should reveal itself. Exorbitant costs can be stomached across multiple years. But here's the biggie: 95% of IT security breaches are attributed to human error.

Inadvertent actors are the most dangerous to you. These are DBAs that leave their screens open and go grab a Coke, these are intelligent peers that click on a link in an email that looks so realistic it hurts, these are individuals trusted with credentials to access your most valuable data - this should be your focus point immediately. Train your users. Implement understandable policy and procedure. Develop contacts and liaisons within each department 'train the trainer'-style. If you don't continuously educate, your inadvertent actor pool only increases in risk for you.

Address systems, address process, educate your users. Now what?

No Man is an Island
As recently as yesterday I enjoyed a face-to-face meeting with a peer in the business sector. His company processes data for the healthcare industry and his number one focus and culprit of the occasional sleepless night - not surprisingly - security. I highly recommend using communication and collaboration with peers and colleagues 'on the outside' of higher education to keep you on your toes as it pertains to ideas and actions on how to respond and prepare for the near-inevitable security event. My motto tends to be 'it's not if, it's when' on security events, so the discussions need to be occurring inside and outside your institution to ensure you are ready to respond when security happens.

Security is sensational.
It only takes one click of a button - sometimes less. That said, in higher ed we are all beyond the point of choosing which technology/device to protect. Today you protect all of them. Identify what your campus is using and protect it. Identify, implement, communicate.

And just in case you're interested in more, check out one of my favorite links/sites and prepare to exclaim 'YIKES!'


World's Biggest Data Breaches