Cybersecurity concerns crop up everywhere you turn lately – around the election, email services, retailers. And academic institutions haven’t been immune to security breaches either. According to a recent report by VMware, almost all universities (87 percent) in the United Kingdom have been the victims of cyber crime. In general, from 2006 to 2013, 550 universities suffered data breaches. When higher ed breaches occur, attackers typically steal student information, intellectual property or research data. Among the criminals behind these attacks are nation-states and organized crime groups motivated by the economic gain.
A common knee-jerk reaction to a cyberattack – wherever it happens – is to clamp down on access and add more security control. For example, in 2005 after a major attack against a credit card processor affected 40 million customers, there were urgent calls for new mandatory encryption standards in the U.S. Senate. As paranoia sets in, a sense of urgency to do something about a possible next attack takes over, just like what happened in the University of California system. After a 2015 hack, the university administration started monitoring user traffic without consulting faculty and students (not to mention receiving their consent), resulting in a huge backlash.
As is so often the case, too much of anything is not good. Cybersecurity is a delicate balancing act between usability and countermeasures designed to reduce or prevent threats. A one-size-fits-all, or Procrustean, approach usually leads to lower productivity and a large group of unhappy users. And it’s particularly tricky to get the balance right in an academic setting.