Universities putting sensitive data at risk via unsecure email

Colleges and universities are putting the financial and personal information of students and parents at risk by allowing them to submit such data to the school in unencrypted email.

That was a finding of a survey of 162 institutions of higher learning in the United States, released Monday by Halock Security Labs.

Half the institutions allowed sensitive documents to be sent to them in unencrypted emails, the survey said, while a quarter of the schools actually encouraged such transmissions.

"Typically, they do what they need to do to comply with regulations, but they're weak on risk management and actively controlling and managing risk," Terry Kurzynski, a partner with Halock Security Labs, said in an interview.

Security at larger universities tends to be better than at smaller schools and community colleges, he continued.

"Smaller colleges are breached all the time," Kurzynski said. "They can't develop the right level of security until they've been breached several times and someone at the president or board of trustee level says, 'Enough is enough.'"

In addition to budget constraints, culture at universities works against solid security.

"Universities are unique because their purpose is to build and disseminate knowledge which means they must operate in a culture of openness and sharing," said Rob Reed, worldwide education evangelist for the big data security firm Splunk.

That open culture can work against the kind of centralization needed for good security. Policies can vary from school to school within a university. "It doesn't make a lot of sense, but a lot of these units strive to maintain a degree of autonomy," said Larry Ponemon, founder and chairman of the Ponemon Institute.

"Each school or department can be a silo for data," he said. "So it's hard from a data protection point of view to have central control over information and as a result, a lot of these universities have data losses."


Ponemon has been performing data breach studies for years, and he said universities typically place in industry comparisons as some of the riskiest places for sensitive data.

Even at schools with university-wide policies requiring encryption of sensitive data, it can be tough to run a secure ship. "You've got all sorts of units engaging in all sorts of practices and it's difficult in a highly distributed environment like that to police all of it," Mike Corn, chief privacy and security officer at the University of Illinois, said in an interview.

"It's a simple thing for someone to say in the interest of customer service, 'Why don't you scan that and send it to me,'" Corn added. "It isn't that anyone is intentionally violating a policy. In an environment where you have a lot of high touch customers, it's easy to fall back on what works easiest for the customer and not think about security implications."

Not everyone was worried, however, by Halock's findings. "I'm not very alarmed by what they found," Marc Gaffan, founder of Incapsula, a cloud security company, said in an interview. "Email encryption is overkill."

He argued that there are practical concerns when considering widespread use of encryption.

"The usability aspects around email encryption are not trivial," Gaffan said.

Encrypting email is only a small part of the problem, he continued. "The real problem is what happens to that email when it hits the university."

"It's like keeping a key in the lock," Gaffan said. "The fact that the door has a lock on it doesn't protect it if the key is in the lock and anyone can unlock it."

Stories by John P. Mello