Providing proper security at institutions of higher education is a notoriously difficult task. By their nature, colleges and universities are intended to foster the free and open exchange of information, from whatever devices students may bring. To learn how one school is dealing with the challenge, I talked with Bill Balint, who serves as CIO for Indiana University of Pennsylvania (IUP), a doctoral-intensive public institution located about 60 miles outside of Pittsburgh in Indiana, Pennsylvania.
The Enterprisers Project (TEP): Describe the environment you’re dealing with: the number of students, faculty, staff, locations, and the network.
Balint: We have about 13,000 students and 1,600 employees at our main campus as well as four satellite facilities in Southwestern Pennsylvania. Bandwidth demands have exploded at IUP, as at most residential higher education institutions. In the past three years, our commodity internet bandwidth has gone from a single 600MB connection to two 10GB connections.
TEP: From an information security perspective, how do you deal with the goal of enabling the free exchange of information while students are using so many different types of devices?
Balint: We work to make our policies, procedures, guidelines and best practices as universal, consistent and user-friendly as possible, regardless of the type of device a user has, whether or not it’s university-owned equipment, and whether they’re using a wired or wireless network. For example, we’ve invested in anti-virus, anti-malware and mobile device management software that all faculty, staff, and students can install for both home and campus use. These products are standard and pre-installed on university-owned equipment.
TEP: Without the sorts of cudgels that commercial employers have at their disposal, how do you get students to adhere to security policies?
Balint: The key in our experience has been cybersecurity awareness, which is a critical part of our strategy. We strive to keep our cybersecurity policies simple to understand, to make loads of educational materials readily available and to send consistent, frequent messages to our users about safe computing practices. We also work with faculty to get cybersecurity principles included in introductory courses on technology and information literacy. All of that, combined with the end user software we provide and our battery of investments in back office security tools and training, helps reduce the number of violations. When violations do occur, the University has a protocol for addressing them using a combination of educational disciplinary steps that become increasingly formal for repeat offenders.
TEP: From an organizational standpoint, how do you deal with who has responsibility for what on security?
Balint: IUP has re-prioritized its IT portfolio to greatly enhance the priority placed on cybersecurity. Resources were re-directed to open an IT security office with its own executive director, and significant resources are being re-directed to facilities, hardware, software, personnel and professional development, all intended to enhance our security posture. That executive director works with me as CIO to ensure that practical, low-risk investments are made in industry-standard solutions and techniques, so we avoid silos.
But all users must become more cybersecurity aware if we are to remain successful, so part of the goal is for everyone to be responsible for their practices.
A great example is our phishing alert system. Any user who suspects an email message is a phishing attempt can forward the message to our IT Security Office, which examines the message and takes action to combat the threat. The user then receives an acknowledgment from the security professional, which has encouraged participation.
TEP: What worries you most about information security?
Balint: My biggest IT security-related concern is that stopping 99.9 percent of all potential incidents may not be good enough. We have added significant components to strengthen our security posture, and are in the process of adding more, but there is always human error to consider, especially in light of both the sophistication and the potential negative impact of a single incident.
TEP: What is the biggest emerging security threat that you see?
Balint: We are seeing threat actors use multiple exploit techniques to gain access to systems. For example, a phishing email may be used to obtain credentials to a low-privilege account. This account will then be used to attempt further exploits. It can be difficult to put all those pieces together to identify the threat.
TEP: What’s the best decision your institution has made on information security?
Balint: To recognize that we needed to improve and that the need to improve was not going to end. We realized early on that cybersecurity needed to be a permanent fixture on our priority list and not just another big project with an end date.