You can argue all day about technology to protect data. But it may have more to do with your mindset than with the systems you put in place. Take the case of Harvard University. Over 1.4 million emails -- some containing the grades and financial aid information of students -- were open to the public until Monday of this week, The Harvard Crimson reports.
It’s not clear that any harm resulted. But teaching fellows used the emails at times to discuss student grades, potentially putting them in violation of the Family Rights and Privacy Act, the Crimson adds. In addition, emails sent to the Harvard Computer Society (HCS) lists “contained the membership of certain BGLTQ undergraduate groups, bank account numbers for some student organizations, advance copies of a final exam, and answer keys to problem sets,” the Crimson states.
Only affiliates could access the HCS directory of lists, but the email archives themselves were open to the public.
“Of the roughly 7,000 email lists logged in HCS’s online index, the vast majority — more than 5,500 — had publicly accessible archives, according to a Crimson analysis of the lists,” the article continues. “In an effort to protect students’ privacy, The Crimson delayed publication of this story until HCS gave all list administrators the opportunity to make their archived emails private.”
Didn’t anyone at this great institution know about the lapse? Apparently not. “Over two dozen students who manage HCS lists said they never realized their emails were public,” the Crimson writes. “All College administrators who used the lists — including Dean of the College Rakesh Khurana — were also unaware their messages were public, according to Harvard spokesperson Rachael Dane.”
As you can see, this had little to do with hacking or technology, although cybersecurity has a technical side as well and requires investment. But again, it begins with the corporate culture, judging by Protiviti’s 2017 Security and Privacy Survey.
Of the 700 security executives and professionals polled, 33% said they enjoy high engagement and understanding by their boards, up from 28% two years ago, Protiviti reports. Another 37% have medium board involvement. Only 12% have a low level.
And the results of that intense board engagement? Companies with highly engaged boards derive these benefits, Protiviti writes. We quote:
- Management has an excellent understanding of what comprises the ‘crown jewels’ — 49%
- Organizations that have a clear data classification policy in place that categorizes the organization’s data and information – sensitive, confidential, public, etc. – 85%
- Management does an excellent job of communicating to employees the need to differentiate between public and sensitive data and how each is treated – 48%
Some data sets are more sensitive than others. But none are more valuable to a business than the email list. Here are Protiviti’s suggestions for maintaining information security:
- Have an engaged board and a comprehensive set of security policies.
- Enhance your data classification management.
- Remember that security effectiveness hinges on “policies as well as people.”
- Know that vendor risk management must mature.
All of that is as true of a university as it is of a company.