Sanjeev Sah, CISO of UNC-Charlotte, is getting a lesson in the unique security challenges facing universities. Dan Kaplan reports.
It didn't take long for Sanjeev Sah, who was hired last fall as CISO of the University of North Carolina at Charlotte, to feel like a freshman again.
Last February, only four months on the job after serving for more than a decade in the automotive and health care industries, Sah found himself immersed in a breach that would have been considerably less likely to happen in the corporate world, where IT generally is more centralized and controlled.
In May, the 50-year-old university provided the unsavory details of what happened: The Social Security numbers of 350,000 students and faculty were found to be publicly available on the internet due to “system misconfiguration and incorrect access settings.” While school officials said they didn't believe any of the information actually was inappropriately viewed or used to conduct fraud, the breach underscored many of the security impediments that higher-education institutions face.
For Sah, his role at UNC-Charlotte is his first time working in such a distributed IT environment, where schools generally lack mature data handling, incident response and governance programs. But the security stance of many colleges is less established for a reason: The computing paradigm of academia demands openness, autonomy and leniency. It's a challenge Sah knew he would face.
BAD GRADE: BREACHES
Here's a smattering of some recent data-loss incidents that have occurred over the past few months, in what is shaping up to be a monster year for breaches in the academic space.
University of Rhode Island
Records exposed: 1,000 current and former URI faculty members.
What happened? Personal information, which was not intended to be stored on the business college server, was placed there.
“My approach is to understand what is critical for our institutions to be successful and temper the information security program response accordingly,” he says. “You have to allow an open environment to support faculty and students, but at the same time address the security challenges.”
Breaches across higher education have been happening more frequently. From lost laptops and memory sticks to misconfigured or unpatched servers to actual hacks, there has been a steady stream of reported data-loss incidents this year, according to Privacy Rights Clearinghouse, a San Diego-based breach repository.
Already in 2012, through mid-September, colleges and universities have reported 66 breaches impacting 1.26 million records. That easily trumps 2011's total of 63 cases involving 573,000 records. Experts are unsure if the rise is due to increased reporting or an actual jump in cases, or if this trend will in fact continue (years' past had higher numbers). But one thing is for sure: As data proliferates and endpoints expand, the possibility for exposure will also rise.
“The education sector is vulnerable to data breaches for a number of reasons,” says Beth Givens, director of Privacy Rights Clearinghouse. “First, higher education has many moving parts, in a relatively ‘open' environment. This means that databases containing personal information are numerous and decentralized, in general. These factors spell increased vulnerability to breaches relative to other sectors of the economy.”