Big Data and Big Risks: Protecting Higher Education from CyberattackTeju Herath | Associate Professor of Information Systems in the Goodman School of Business, Brock University
Colleges and universities today are collecting and storing huge amounts of data. Leading institutions are also analyzing and leveraging data for all kinds of different purposes, and the number of institutions that will be using the power of Big Data to support strategic and tactical decision making will continue to grow in the coming years. But with Big Data can come Big Risks. Across North America, more and more colleges and universities are finding themselves on the receiving end of cyber-attacks, some for ransom and others for sport. In this interview, Teju Herath shares her thoughts on how higher education institutions can protect themselves from cyber vulnerabilities.
The EvoLLLution (Evo): How have analytics and Big Data become increasingly central to the effective management of colleges and universities?
Teju Herath (TH): Universities have been using data analysis for various purposes, like admissions, capacity planning and scheduling, for a long time. But this use of data for decision making is evolving.
One of the key areas where analytics is proving to be useful is in the admissions process. In addition to relying on traditional evaluation components such as standardized test scores, academic history, grade point averages and extra-curricular activities, universities are considering other demographic and geographic variables in predicting student acceptance and enrollments. Universities are also increasingly engaging in social media—not only to promote the university’s profiles and presence—but for recruitment, just as HR recruitment managers in other sectors use social media to attract talent.
Another important area where analytics can be useful in universities is in improving student retention and student success. For example, it can help provide better targeted support based on student needs, and develop teaching and learning methods. Student retention and student success are beneficial to both students and universities, and are key postsecondary priorities.
Universities can also evaluate various student services for capacity and resource planning, budgeting, and scheduling. For example, facility usage (classrooms, computer labs, and other facilities); library spaces and resources (laptop loans, books, journal articles, etc.); cafeteria and meal services, and so much more. In cases where universities are dealing with budget pressures but need to continue to fulfil consistent levels of service demands, these kinds of evaluations may be very insightful.
Evo: As analytics become central in universities, what new risks are institutions becoming vulnerable to?
TH: As the saying goes, Big Data–Big Security. Or perhaps Big Data—Big Target. The bigger the data, the bigger the target it presents to criminals trying to steal and sell it. We have seen the recent breaches with tens of millions of records stolen from companies as big as Target, Sony and Yahoo. It is easy to see that as the data grows larger, the risks grow proportionally.
Universities collect and use different types of student data: financial information, personal information and academic information. In addition, universities are dealing with teaching and research and all of the technology and data pertaining to it. Many of these pieces of information can be considered sensitive. On top of that, like other sectors, universities are also likely to be affected by many laws and regulations that impact information security, for example privacy regulations.
To add to the complexity, university students, faculty and staff use many different devices to access university resources. The Internet of Things and mobile devices bring additional issues. We have heard an outcry that despite the push towards IoT and smart devices, manufacturers of these technologies have not considered security as a priority in the development process. The difficulties in controlling and managing the usage environment gets even more difficult with technologies that are developed with inherent security vulnerabilities.
Another such example that increases the difficulty in managing digital assets is our need to explore cloud options, which also introduces related risks.
In our current environment, we have brought wireless networks, social media and all sorts of mobile and smart devices into the postsecondary environment. Our technology-use needs and patterns have changed, which adds to the challenges around security.
Evo: How would not addressing these risks impact institutions over the long term?
TH: Similar to the consequences facing other sectors, security breaches are likely to impose both financial and reputational impacts on postsecondary institutions. The ransomware attacks we experienced in Canadian universities in the summer of 2016 not only resulted in ransom payments, but also productivity downtime. They serve as a fresh reminder that having a system not available for use for a period of time can be a disastrous scenario. Data loss would be another example. For instance, losing a researcher’s life work would also be an example of substantial loss.
Evo: What key steps must institutions that collect, store and analyze large amounts of data take in order to protect that information from external (and internal) attacks?
TH: First of all, institutions should have a clear emphasis and clear policies on cybersecurity, which will ensure that important information assets are formally managed throughout the enterprise through appropriate data and IT governance. Having formal processes and structures in place ensures that technology implementation and data collection or its use is not done in an ad-hoc manner, but rather that security and privacy have been given careful consideration before implementation.
Use a comprehensive data security approach. Common wisdom in security implementation is Layered Security, or Defense in Depth. A simple anecdotal example is how we secure our homes using preventative measures (such as locks and gates), detective measures (such as alarms and monitoring), and response measures (such as insurance or police).
We need to think about securing our digital assets using such layered approach, using preventative, detective and response measures, as well as using approaches that are a combination of security technologies, security processes and policies.
Evo: What are a few roadblocks IT leaders can expect to face when trying to take these steps, and how can they be overcome?
TH: One of the largest challenges in security is the general lack of information sharing among organizations. If best practices are shared among industry partners, we can collectively think of better solutions and implement superior mechanisms to reduce such risks.
Author Perspective: Educator