Tuesday, February 12, 2008

Adam Dodge's 2007 Higher Education Security Incidents Year in Review

Adam Dodge published his Educational Security Incidents Year in Review for 2007 on Monday. He cites both an increase in the number of incidents and in the number of institutions reporting a breach - a trend we have seen in the corporate world as well. In addition, new categories were reported, including "Employee Fraud", which tends to stay under the radar in most higher education reports.

I'm intrigued by the increase in reporting - some is obviously driven by legislation and policy requirements, but the overall growth may also indicate a change in general attitudes and policies from internal handling to active reporting. I'm also glad to see the increase in reporting - the openness brings attention to issues that many in education face, and public announcement of events helps increase awareness and often results in further resources being devoted to fixing security issues.

The growth in the unauthorized disclosure and loss categories is particularly interesting when analyzing this trend. The key statistic that isn't analyzed, and that would have a great impact on the interpretation of the growth, is how many of these would not have been reported as incidents a year ago, or would have been classified as internal incidents. It would be interesting to map state legislation and policy changes at these institutions to the reporting that institutions in those states have done over the past few years. I would expect to see an increase in reporting after laws such as Indiana's SSN disclosure law went into place, then a slow decrease in incidents.

Why a decrease? The institutions will generally begin to shift policies and practices to ensure that further costly and embarrassing incidents do not occur, or do not fit the reporting guidelines required by law. Examples of how universities have begun to deal with this can be found in Purdue's SSN disclosure law FAQ and Indiana University's Data Protection Laws site.

Other interesting tidbits include the prevalence of employee-related issues. At almost 50% of incidents reported, we see a number that isn't far from the 60% rate found in this Dark Reading article. While we can likely presume that more incidents occurred than were reported, if the data is anywhere close to a representative sample, it should help shape higher education security programs and planning to include better training and processes to prevent loss and inadvertent exposure.

There are also indicators that reporting still isn't complete - based on personal experience, user ID and password breaches are obviously under-reported. Most incidents involving single-system compromises that may have exposed a username or password won't be reported by universities unless those systems contained data that carries a reporting requirement. We can expect that this category is not a good reflection of actual compromises. Since day-to-day compromises of workstations that don't contain sensitive data don't result in reporting - it isn't generally required by current law - this category will likely remain under-reported, particularly in public view.

Take a look at the report - I'd be interested to hear what our readers see when they look at the numbers.
