Commentary

The Email Edge: Harvard Fails The Data Security Test

You can argue all day about technology to protect data. But it may have more to do with your mindset than with the systems you put in place. Take the case of Harvard University. Over 1.4 million emails -- some containing the grades and financial aid information of students -- were open to the public until Monday of this week, The Harvard Crimson reports.

It’s not clear that any harm resulted. But teaching fellows used the emails at times to discuss student grades, potentially putting them in violation of the Family Rights and Privacy Act, the Crimson adds. In addition, emails sent to the Harvard Computer Society (HCS) lists “contained the membership of certain BGLTQ undergraduate groups, bank account numbers for some student organizations, advance copies of a final exam, and answer keys to problem sets,” the Crimson states.

Only affiliates could access the HCS directory of lists, but the archived emails themselves were open to the public.

“Of the roughly 7,000 email lists logged in HCS’s online index, the vast majority — more than 5,500 — had publicly accessible archives, according to a Crimson analysis of the lists,” the article continues. “In an effort to protect students’ privacy, The Crimson delayed publication of this story until HCS gave all list administrators the opportunity to make their archived emails private.”

Didn’t anyone at this great institution know about the lapse? Apparently not. “Over two dozen students who manage HCS lists said they never realized their emails were public,” the Crimson writes. “All College administrators who used the lists — including Dean of the College Rakesh Khurana — were also unaware their messages were public, according to Harvard spokesperson Rachael Dane.”
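The gap the article describes, an index restricted to affiliates sitting over archives anyone could read, is a consistency check that a list service or its administrators could run automatically. The following Python is an added example written for this commentary; it is not code from the Crimson, HCS or Harvard. The visibility tiers, the record layout and the sample list index are constructed for illustration, and the "clamp the archive down to the directory tier" remediation is an assumed policy choice, not HCS's.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Visibility tiers ordered from most to least restrictive. The tier names and
# the record layout below are assumptions for this example, not the schema of
# the HCS list index described in the article.
VISIBILITY_RANK = {"admins": 0, "members": 1, "affiliates": 2, "public": 3}


@dataclass(frozen=True)
class MailingList:
    name: str
    directory_visibility: str  # who can see the list's entry in the index
    archive_visibility: str    # who can read the list's archived messages
    admins: tuple              # addresses of the list administrators


# Constructed sample index (not real HCS data).
SAMPLE_INDEX = [
    MailingList("cs50-tfs", "affiliates", "public", ("tf-lead@example.edu",)),
    MailingList("club-treasurers", "affiliates", "public",
                ("treasurer@example.edu", "president@example.edu")),
    MailingList("house-announce", "public", "public", ("house-admin@example.edu",)),
    MailingList("advising-staff", "affiliates", "members", ("dean-office@example.edu",)),
    MailingList("board-private", "admins", "admins", ("board@example.edu",)),
]


def archive_wider_than_directory(ml):
    """True when the archive can be read by a broader audience than can even
    see the list in the directory: the exact gap the article describes."""
    return VISIBILITY_RANK[ml.archive_visibility] > VISIBILITY_RANK[ml.directory_visibility]


def audit(index):
    """Report which archives are public and which lists have an archive
    audience broader than their directory audience."""
    public_archives = [ml.name for ml in index if ml.archive_visibility == "public"]
    inconsistent = [ml.name for ml in index if archive_wider_than_directory(ml)]
    return {
        "public_archives": public_archives,
        "inconsistent": inconsistent,
        "public_share": len(public_archives) / len(index) if index else 0.0,
    }


def admins_to_notify(index):
    """Group inconsistent lists by administrator so each owner receives one
    notice naming every archive they need to restrict."""
    by_admin = defaultdict(list)
    for ml in index:
        if archive_wider_than_directory(ml):
            for admin in ml.admins:
                by_admin[admin].append(ml.name)
    return {admin: sorted(names) for admin, names in sorted(by_admin.items())}


def remediate(index):
    """Return a copy of the index in which no archive is readable by a wider
    audience than its directory entry: the archive tier is clamped down to
    the directory tier (a policy choice assumed for this example)."""
    fixed = []
    for ml in index:
        if archive_wider_than_directory(ml):
            ml = replace(ml, archive_visibility=ml.directory_visibility)
        fixed.append(ml)
    return fixed


if __name__ == "__main__":
    report = audit(SAMPLE_INDEX)
    print(f"{len(report['public_archives'])}/{len(SAMPLE_INDEX)} archives public "
          f"({report['public_share']:.0%})")
    for admin, names in admins_to_notify(SAMPLE_INDEX).items():
        print(f"notify {admin}: {', '.join(names)}")
    assert audit(remediate(SAMPLE_INDEX))["inconsistent"] == []
```

The point of separating `audit` from `remediate` is that a list whose entry is deliberately public (the sample's `house-announce`) is still reported as a public archive but is not touched: the check targets the mismatch between the two controls, which is what left the Harvard administrators unaware, rather than public archives as such.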

As you can see, this had little to do with hacking, although cybersecurity does have a technical side that requires investment. But again, it begins with corporate culture, judging by Protiviti’s 2017 Security and Privacy Survey.

Of the 700 security executives and professionals polled, 33% said they enjoy high engagement and understanding by their boards, up from 28% two years ago, Protiviti reports. And 37% have medium involvement. Only 12% have a low level.

And the results of that intense board engagement? Those companies derive these benefits, Protiviti writes. We quote:

  • Management has an excellent understanding of what comprises the ‘crown jewels’ – 49%
  • Organizations that have a clear data classification policy in place that categorizes the organization’s data and information – sensitive, confidential, public, etc. – 85%
  • Management does an excellent job of communicating to employees the need to differentiate between public and sensitive data and how each is treated – 48%

Some data sets are more sensitive than others. But none are more valuable to a business than the email list. Here are Protiviti’s suggestions for maintaining information security:

  • Have an engaged board and a comprehensive set of security policies.
  • Enhance your data classification management.
  • Remember that security effectiveness hinges on “policies as well as people.”
  • Know that vendor risk management must mature.

All that is as true of a university as it is of a company.