Data security above average at University

Though 22 breaches were reported last year, admins say they were accidents.

Brian Edwards

The University of Minnesota protects its data better than most other colleges and universities across the country.
 
After a slew of nationwide cyberattacks and data breaches in recent years that caused organizations to reassess their data security practices, the University decided to assess its privacy measures and what could be done to boost its ranking through a series of three presentations that wrapped up at Friday’s Board of Regents meeting.
 
Although the University experienced 22 breaches over last year — which resulted in the exposure of more than 4,500 records — an independent consultant found that the University ranks above average when it comes to the security of its data.
 
The outside consultant, which presented its findings to the board Friday, rated the school in 12 different areas, including risk management, access control and compliance. 
 
The school scored 2.4 on a “maturity” scale of five. Higher education institutions typically score between 1.6 and 2.1, according to the presentation.
 
Brian Dahlin, the University’s chief information security officer, said none of the breaches were major or malicious hacking attempts. He said all of the breaches were accidents like sending emails with sensitive information to the wrong person or someone posting a document without the correct security restrictions.
 
A number of faculty in the University’s sociology department reported potential breaches earlier this year after they were unable to file tax returns, Dahlin said at the meeting, though the school couldn’t determine whether the information was stolen from the University because tax information can be found in many places. 
 
“A ranking of two means that things are planned,” said interim Vice President and chief information officer Bernard Gulachek at the meeting. “There needs to be organization-wide adoption to advance along this scale.”
 
A boost from two to three would be substantial, and jumping to maturity level four or five may not be worth the return on investment depending on University goals, he said at the meeting.
 
Administrators will decide which security level is appropriate for the University as they continue to discuss data security, Gulachek said at the meeting.
 
Regent Michael Hsu said he wants to know more about the types of data that hackers are interested in, even though the University might not be a huge target. 
 
The school holds much less financial data than do businesses like retailers and other corporations. 
 
Still, he and other regents said they were concerned that University research could be an appealing target for hackers. 
 
“I have to fully understand exactly what we’re talking about in terms of the wide range of data in our enterprise, and then we have to determine if we are spending enough money to protect it,” Hsu said. 
 
The decentralized nature of information technologies at the University creates issues with establishing uniform data security protocols, Regent Patricia Simmons said at 
Friday’s meeting.
 
“Our policies, our controls are only as good as compliance is,” she said at the meeting. “You don’t have to sit along on the audit and compliance committee to recognize that we have some issues with compliance.”