After I spoke for the Business Marketing Association in Atlanta (BMA), Kevin Howarth, with the community publishing organization TechLINKS, asked me to write a piece for them. Here it is, as published in 2004:
Student Awareness Strengthens Security
It is said that users are the weakest link in an information security defense. Whether at home, school, or work, computer users often inadvertently compromise the security of critical information and systems simply by neglecting to follow safe computing practices.
Recent virus outbreaks have shown that some users still open attachments from unknown senders, forget to update security software, or procrastinate patching vulnerabilities. All too often, the result is the spread of malicious code that brings down individual systems or entire networks, halts productivity, taxes already overburdened support resources, and puts confidential information at risk.
Corporations are responding by writing and enforcing–or, in some cases, reinforcing–information security policies, spelling out best practices, while also deploying security technologies at gateways, servers, desktops, and mobile devices. In homes across the nation, parents are outfitting their family PCs with a wide variety of security software–from firewalls and antivirus to spam filters and spyware blockers–while also taking a more proactive approach to updating and patching.
But what about Academia–universities, in particular, where maintaining a balance between academic freedom and information security is more challenging? On any given day in virtually any university across the world, students are freely connecting to the Internet and their university networks and downloading files, sharing information, installing and configuring new applications from unknown sources, and more.
In many ways, ensuring the security of such environments makes herding cats look easy … unless, of course, students first understand the impact unsafe computing practices can have on their own education experience.
At least, that’s what those of us at Temple University discovered. Temple University, headquartered in Philadelphia, is the 39th largest university in the United States and the largest provider of professional education (law, dentistry, medicine, and podiatric medicine) in the country. Approximately 33,000 students attend Temple and routinely use the University’s hybrid wired/wireless network.
Like most universities, we take great pains not to monitor students’ Web use or impose restrictions. In fact, we view the Internet as an extraordinary tool for enhancing education. At the same time, however, the University is charged with ensuring that its resources are not involved in malicious attacks or other harmful online activities and that confidential school records remain protected.
To bridge this perceived gap, we launched a security awareness campaign. However, rather than simply demanding that students comply with another policy in order to protect Temple, we helped students see the connection between safe personal computing and the protection of their own data.
In other words, students weren’t just told what to do; they were told why it was in their own best interests to follow certain practices. The way we saw it, unless students first understood the reasoning behind a request, they were not likely to comply with it.
The awareness campaign model that we used is one that translates to other universities as well. Even with the limited funding that characterizes most university programs, we were able to use a number of low-cost mechanisms to spread the message. Among them were speciality items such as candy dispensers, promotional elements such as posters and flyers, and informational material through newsletters and Web sites–all reinforcing the same security-awareness slogan: "The Bug Stops Here!" We even broadcast information security infomercials on big screen televisions situated in different lobbies and hot-spots around campus.
But that’s not all. Our group realized that students needed tools to be easily available to make sure their systems were safe. To do that, the IT department started by offering standardized antivirus software. The antivirus software, provided at no charge to the student, was a requirement for every on-campus computer that connected to the University’s network; in fact, without it, a student couldn’t log on to the network.
And protection didn’t stop there. The same antivirus was available for off-campus and home use as well, for a very small fee.
Moreover, we made the software easy to get, install, and maintain. The antivirus program was downloadable from the University Web site as well as via CD, available at locations throughout the campus. To ease installation on laptops and notebooks, we also set aside specified days when students could bring in their mobile devices and the University’s IT staff would install the software for them. Instructions were also provided via the University’s security newsletter. For maximum hands-free protection, we made sure that the antivirus program we offered also featured automatic updates.
Last but not least, we also introduced non-credit classes covering IT issues, including security. Although interested students had to take the classes on their own time, and some courses extended for a full week, the classes filled up quickly. What’s more, interest in the courses grew, requiring us to expand our offerings to meet increasing demands.
Thanks to an innovative security awareness campaign, students here at Temple are now actively involved in strengthening the University’s virtual security chain. By helping students understand that every computer–and computer user–counts, we successfully fortified our security posture, without threatening academic freedom.