In information security (InfoSec), there are two schools of thought.
You can take a defensive posture, which includes configuring firewalls, coding to standards and implementing software that you “set and forget”, such as antivirus software or tools that ensure password strength is up to par – in essence, checking the boxes.
Or, you can think like hackers.
After checking those boxes, you try to break into your own system. You find out how people have been hacking into similar systems and try the technique on your own environment – in essence, taking a clear-box approach: looking at how a system is built and where it is served, and then trying to exploit its vulnerabilities.
Which describes your organization? If, like many higher education professionals, you have no idea, you are not alone.
But I assure you, in higher education, you need to be the latter. Your students and alumni deserve it.
It is imperative to take that next step if you are going to protect their personal information and keep data secure.
Knowledge is Power
Educate yourself. Here are the first few items on your technology to-do list:
o Know where all your data is
o Identify who has access to it
o Classify your data as high risk (or not)
o Bring in an outside firm to understand your system inside and out
o Then, create a plan and a specific scope of work so you know what technology partners you need (and don’t need)
With these small steps, you won’t be the company that stored 500,000 customer emails and passwords in plain text on its server. That’s a start. The next step, while not simple, is something you’ll certainly understand from academia.