Security | Feature
Stepping Into the Breach
Data breaches are going to happen, regardless of what an institution does. How effectively a school responds may be a more telling indicator of its preparedness.
- By Sue Marquette Poremba
If you think your institution is immune to a security breach, perhaps you should have a chat with Brian Rust at the University of Wisconsin-Madison. When asked about data breaches on his campus, the communications director in the Office of the Chief Information Officer answers with the hint of a sigh: "Let me tell you about the most recent one."
This particular breach involved the Wiscard, a student ID that doubles as a debit card. "There were records kept on a server that wasn't as secure as it should have been," Rust explains. But he's quick to point out UW-Madison is no more or less vulnerable than any other university. In fact, he believes that almost every school has suffered a breach or an exposure at some point.
It's a view shared by Matt Morton, director of information services at Buena Vista University (IA), which suffered a security breach in 2010 (the case is currently working its way through the court system). Morton feels that breaches are not only inevitable but will occur more than once.
Obviously, schools should do whatever they can to secure their networks, but Rust and Morton have learned that institutions must also have a plan in place to deal with the aftermath of a breach. Critical components of a plan include alerting potential victims that their information may have been compromised, explaining the situation to the public, and internal steps for identifying and analyzing the damage and re-establishing a secure system.
The first step, though, is to come clean. The knee-jerk reaction for many administrators is to keep news of the breach quiet. That's a mistake. "If you let the media control the message, it is going to be a painful experience," says Jeremiah Grossman, chief technology officer with WhiteHat Security. "It has to be all about honesty and transparency to make sure there remains a level of trust in the institution."
One strategy is to give the communications departments a prepared script about the breach. "Have a three-sentence statement that allows people to summarize what happened," says Cathy Hubbs, chief information security officer at American University (DC). This can keep reporters at bay and let the investigators do their job.