Issue link: http://www.e-digitaleditions.com/i/59881
Arsneault expects corporations to adopt such measures Others go on an all-out campaign. For instance, Temple instituted an awareness crusade that makes it clear to students and faculty how important it is for them to join in the effort to safeguard data. Writing in the Educause Quarterly, Silverstone describes the school's efforts. "The awareness campaign is disseminated through candy dispensers, posters and fliers, and newsletters and Web sites—all carrying the security-awareness slogan: 'The Bug Stops Here!' We even broadcast information security infomercials on big-screen tel- evisions situated in different lobbies and hot spots around campus," he says. "We also introduced noncredit classes cov- ering IT issues, including security. Although interested stu- dents had to take the classes on their own time, and some courses extended for a full week, the classes filled up quickly." Even so, sometimes students continue to be cavalier about taking simple safety precautions. That's when IT departments must take precautions for them. For instance, Baruch encour- ages students to change the default passwords they are issued when they enroll. Last summer, a check revealed that 89 per- cent of the students had not done so. Since the default pass- words are generally crafted of readily available student infor- mation—such as the last digits from their ID cards—they're easy to steal. "Not only can someone else get into a student's account and get access to all his personal information, but he can act on that student's behalf," says Downing. Among other things, one student can de-register another from a full class to make room to register himself. Therefore, over the summer, Baruch changed all the student passwords. "The school news- paper contacted us to say it was disruptive. But we viewed it as an opportunity to educate students on the importance of protecting their information," Downing says. Girding Up for the Battle Ahead It seems that universities' attitude toward cybersecurity can only go in one direction—toward more controls and tighter access. Many school administrators are closely watching the development of new products that will require authentication before students are allowed to log onto the network or that will quarantine computers that don't have the right updates. before schools do and notes that it will be harder for schools to implement systems that will abruptly deny students access. "Especially if you don't have tech support 24/7, you don't want to be knocking people off the network," he says. "If a student has an assignment due at 6 p.m. and he can't get on the network and there's no one to help him till the next morning, that's not good." What the future really holds might be a higher degree of caution from human users, says Rodney J. Petersen, policy analyst and security task force coordinator for Educause, a nonprofit association geared toward advancing higher educa- tion through information technology. For instance, Petersen expects to see more data encryption, which will keep informa- tion safe even if someone hacks into a file or steals a laptop. Encryption techniques exist already, of course, but average computer users don't bother to learn them. "The technology needs to be transparent and easy to use," Petersen says. He also predicts that there will be fewer multiple reposito- ries of data, with files of personal information being kept at the library, the registrar, the HR department, the recreation center, and so on. Instead, he expects there will be one cen- tral repository of data that is checked by other entities that need to authenticate a person's identity. Downing believes human, not technological, improve- ments will be necessary to make schools more secure. He says that administrators need to do a thorough self-assessment before trouble actually hits to determine what their policies should be and what they can afford to implement. "How much are they willing to invest for peace of mind? That's an institutional decision that goes beyond the IT department," says Downing. "When there is a situation like a power blackout, do they want us to evacuate the computing center, or should we stay to make sure all the data is secure? Those decisions need to be made in advance and implement- ed campuswide." Finally, everyone involved in cybersecurity needs to real- ize that their jobs are never over. "This is an endless game, unfortunately," says Arsneault. "We've made monumental progress in the last couple of years, but there's always some- thing more coming." In another decade, the preventative measures put in place right now might appear to be curiously medieval, while the weapons used against them might seem equally quaint. But for today, the attacks launched against a university's cyber fortress must be viewed as state-of-the-art, designed to bring down the ivory tower. The war is real, the enemy is armed, and the academic defenders simply can't afford to lose. ■ z BizEd JANUARY/FEBRUARY 2005 29