Education is showing business the way by using technology to collaborate and share information, and it’s vital that we continue to support this. But how do we do so responsibly and safely?
Andrew Cormack has recently written a chapter, included in the forthcoming book Digital Futures, which brings together a number of expert briefings on digital technologies for education and research. Here, he gives us a sneak preview of his advice.
Education leading the way
People sometimes say to me that I must have a terrible time in my job – because the perception of universities’ networks is that they are wide open and insecure. I always think quite the opposite. Universities can be both open and secure: making sure the right level of security is in place for the information they work with.
I see openness to technology as a positive thing in universities – it’s a great benefit that they are forced to take up on new technologies; we should continue to embrace this fast pace of change as a powerful and necessary enabler to the work we do.
Now and next
Many universities already have well-structured levels of security protection in place, with strong protection around sensitive data or activities but more open access where students and staff just need internet connectivity.
Universities will have their own priorities, according to the kind of focus their work has – those that work with local businesses will have different priorities to those working with health data, for example – and this information is generally protected well and appropriately.
So what do we do next to make that good practice easier to use? I think there are three key areas for development:
Often, information security is seen as a specialism in universities, comprising an ‘add-on’ to central policy. Security often falls to the IT department. We need to move to a model where responsibility for the security of data and information is brought ‘into the fold’ and incorporated into standard policies.
So if a university decides to move into a particular field of research, for example, due consideration should be given to the policy and technological capability that will be needed to support this.
Having appropriate packages of policy, technology and practice lets researchers quickly choose the right one when new opportunities appear
The nature of technology for networking, storing and sharing data is that it is always changing. Many new technologies, such as encryption, cloud computing and secure remote access, are already out there and available. Many of them are cost effective and simple to embed.
Universities now need to choose the best set of solutions for their particular areas of work and development, and benefit from this technological innovation.
Perhaps the most effective way we can improve information security is to change the way we all think about it. Getting users to understand, and recognise the importance of, the security needs of the work they do is ultimately more effective than simply applying restrictions. But it’s also important that universities themselves understand that it’s generally better to support people to do what they need to than try to prevent them from doing what they shouldn’t.
Providing systems that are intuitive, supportive and appropriately secure is the best way to provide for the broad range of work we do in universities.
Where to start?
The starting point for improving information security for us all is to simply be more conscious of the sensitivity of the different work we’re doing, both in our personal lives and at work, and behave appropriately.
Broadly, we say that information falls into three categories. The question we need to ask ourselves is: which category does the work I’m doing fall into?
- Information that is so sensitive you should only be able to access it in a secure location. This covers things like finance and personnel files, or sensitive research.
- Data and information you can access remotely, from ‘outside’ the safe place the information is stored, but shouldn’t carry with you. For example, it may be OK to log in from offsite to check a colleague’s calendar, but not to risk everyone’s holiday plans by carrying them around on your laptop
- Documents and information that aren’t sensitive, that you can take with you. For example, I’d be happy editing this draft blog post on a train
As well as being able to use this as individuals, universities should also start to categorise the work they do and the information they own and manage. Then they need to make it easy for people to use the systems they have in place.
For example, if a draft exam paper must be worked on in a secure location on secure systems, making sure the people working on it aren’t forced to work at home to meet the deadline given.
Better together: taking the next steps
As we start to test different approaches to information security within academia and learning, continuing to learn from others will be the best way for universities to find the right ‘fit’ for them in terms of technology and security. We’re lucky that so many potential solutions are available – now we can start to find the right blend of these for each of the places we work to keep our information as available as possible and secure as necessary.
For more information on putting in place information security in your university why not take a look at UCISA information security management toolkit.
If you’d like to read more of Andrew’s wisdom, Digital Futures is being released today and features briefings from a number of Jisc colleagues.