Keeping your information secure can seem like a constant battle on all sides. Instead of trying to secure everything, I advocate adopting a strategy to allow what activities you can, and defend your most valuable information assets.
Many moons ago, the model for information and digital security was a medieval castle. You kept your information, systems and networks protected like a fortress. Inside your digital fortress was ‘safe’; Out There, online, was ‘dangerous’. The modus operandi was to prevent and protect.
Things have now moved on.
We can no longer try to keep everything ‘in or out’
Sensitive work is now more routine; data security is part and parcel of this. Clients and partner organisations now expect that data security arrangements for sensitive data will be up to date and part of an integrated system of classification and protection. They expect that looking after these sensitive assets is part of the system, not an add-on.
Students and staff now expect to be able to work remotely. In fact, I would go so far as to say that the vast majority of a university’s business should be able to be conducted off-site.
Technology has caught up. Your common or garden laptop or smartphone can now encrypt to industry standards – even when connected to insecure Wi-Fi. Some work still needs better security than this, of course, but the majority of university business is now sufficiently secured by technological defaults.
Universities’ work is broad – and will surely only get broader. The different security requirements of so many varied projects and functions demand responsiveness and flexibility in academic systems in a way that most businesses’ portfolios don’t.
Universities have to be good at making their information security flexible. In many ways, most are better at it than businesses.
Where’s your king?
It makes sense to identify what your most sensitive assets are: where could insecurity most seriously damage the organisation?
That’s likely to depend on the institution’s chosen missions – would the most damaging loss be reputation, partnerships, data, finances, compliance or something else? But each university should be able to identify:
- What information or systems must you protect at all costs?
- How are you going to safeguard this?
Once you’ve identified what your king is, you can choose the right strategy to keep this safe. But in order to play the game, the rest of the pieces have to be able to move.
By definition, the rest of your pieces of data and information are not so sensitive. This means that you can allow more freedom with these systems.
- What can you afford to allow?
- What information can move where, and at what risk?
In these areas, trying to prevent all security breaches isn’t always the most effective approach. Detecting incidents and dealing with them promptly can significantly reduce risk while placing fewer restrictions on how people need to work.
In short, design your responses to be proportional to the risk each asset represents.
The next stage, of course, is that once you’ve identified the assets you must fortify and those that can afford less protection, you end up with a ‘federated’ system of security. Each person, department, research team, etc., becomes responsible for information security in their area of work.
The next challenge universities will face is that, as responsibilities become decentralised, people working with data and information will have to make more nuanced decisions about how and when to protect this. Universities will need to support, develop and empower this shift of responsibility.
Further reading and guidance
UCISA’s information security management toolkit is a good place to start to help you protect your data and information in a proportional way.
My previous blog post, It's good to share: breaking down barriers in information, includes more information on sharing information safely and the importance of online collaboration to universities.
I have also contributed a chapter to the recently published book, Digital Futures, which brings together a number of expert briefings on digital technologies for education and research.