Security lesson

University net execs face variety of security challenges.

Just how seriously universities now take network security can be seen in one small, but telling incident: The CIO of Tulane University wouldn't talk about the subject.

"I have made it a policy to not report publicly about security issues," says John Lawson. One of the reasons for that is the potential divisiveness that security implementations can cause on campuses.

"Education has, at its core, a belief that information is meant to be shared and learned," Lawson says. "So now we have this conflict between the need to protect information because of the increased need to secure the safety of our constituents and the institution [on the one hand] and a fundamental principle...of sharing information to the benefit of all."

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Just how seriously universities now take network security can be seen in one small, but telling incident: The CIO of Tulane University wouldn't talk about the subject.

"I have made it a policy to not report publicly about security issues," says John Lawson. One of the reasons for that is the potential divisiveness that security implementations can cause on campuses.

"Education has, at its core, a belief that information is meant to be shared and learned," Lawson says. "So now we have this conflict between the need to protect information because of the increased need to secure the safety of our constituents and the institution [on the one hand] and a fundamental principle...of sharing information to the benefit of all."

His comments reflect a big change in attitudes and actions about network security in academia.

Universities are increasingly aware of their vulnerabilities and the costs associated with successful attacks. A recent Emory University survey of 13 major U.S. universities found that 80% agreed that network security policies are very important, but only half of them are taking steps to combat the growing flood of security breaches. Staffing and budgeting were cited as the main obstacles.

A new worry is the legal liabilities created for a university when someone hijacks a school computer and uses it to launch attacks against networks and computers elsewhere on the Internet.

EDUCAUSE, a nonprofit group focused on advancing higher education through IT, now has a security task force that works with security experts and partners such as Internet2 to coordinate activities to improve information security throughout higher education. 

EDUCATION What else is hot? Higher ed’s higher IT budgets. A 2003 survey of 1,427 colleges and universities found the total budget for IT spending will increase this year by 5% compared with the 2001-2002 academic year, to more than $5.2 billion. But that’s less than the 14% jump in last year’s spending, fueled mainly by increased IT spending by administrative departments. The authors suggested the smaller increase might reflect a return to the historical pattern of higher IT spending by the academic groups. Enrollment Average budget ’02-’03 Under 2,500 $527,800 2,501-10,000 $1.1 million 10,001-25,000 $2.3 million over 25,000 $15.9 million Source: Chronicle of Higher Education; Market Data Retrieval Raising Arizona security. Arizona’s three state universities will publish in August the results of a joint, $100,000 review of their computer network security. The Board of Regents commissioned the study shortly after hackers seized more than 50,000 Social Security numbers from a University of Texas database. The University of Arizona, with more than 30,000 computers, estimates it is hit 200,000 times per day by people searching for weaknesses. University officials said most of these attacks are attempts to access hard drives, which can be used to attack a third party, or to stash copyrighted material.

Click to see:

Squeezed by an economy that's cut into state funding and private donations, universities are improving network security by reallocating funds and shifting priorities, says Rodney Petersen, security task force coordinator for EDUCAUSE. A main priority is hiring IT security officers to pull together school-wide security master plans, Petersen says. Anecdotal evidence suggests that many universities create these key jobs by re-assigning existing staff or re-allocating a vacant job slot for security, he says.