Thwarting ID Thieves: What Most Colleges and Universities Aren't Doing to Avoid Identity Theft and Fraud-But Should Be

Article excerpt

AMERICAN COLLEGES AND UNIVERSITIES ARE BREEDING GROUNDS for innovative ideas and open information sharing. Pair that with a large number of systems on a given network and a vulnerable student population with flesh credit and you've got an appealing target for identity thieves.

"In my opinion, the college and university crowd is probably at the highest risk of any age population," says John Sileo, an identity theft expert and speaker and founder of The Sileo Group. His reasoning? Students are just coming into their own in terms of having credit, and colleges and universities host "incredibly private" information, like social security numbers and financial records.

Despite the need for awareness, Sileo says, institutions of higher education are generally not his main audience because, "unfortunately, a lot of the universities aren't there yet. The progressive universities are there; they understand that information is power and that these students are being raised in a world where the main currency now is information. So it's relatively easy to work for those types of universities that get that. It's more difficult to get engagements with universities who still sort of have their heads in the sand."

In 2010, 8.1 million U.S. adults were victims of identity fraud, according to the Javelin Strategy & Research 2011 Identity Fraud Survey Report. That's 3.5 percent of the U.S. population losing an average of $4.607 and 33 valuable hours.

The EDUCAUSE Higher Education Information Security Council (HEISC) is one resource that aims to get college and university leaders paying attention to the threats. David G. Swartz is an HEISC co-chair and assistant VP and CIO at American University (D.C.). Formed in July 2000, the HEISC helps 2,000 CIOs and information security managers, primarily in North America, address their security concerns, explains Swartz, pointing out that colleges and universities are more difficult to protect than, say, a corporation.

"We have a very open kind of climate," says Swartz. "One of the challenges is, how do you balance the kind of openness you want with the type of controls you have to put in place to protect your information and your community? It's a very difficult balancing act."

[ILLUSTRATION OMITTED]

It's also difficult to balance new technologies--which come with new threats--with security. Gone are the days when hackers were "teenagers or smart computer types" breaking into a system to post a pornographic image on an institution's Blackboard or registration site, quips Larry Conrad, vice chancellor for information technology and chief information officer at The University of North Carolina at Chapel Hill and HEISC co-chair. "The hackers are smart, they're capable, they're experienced, they're automated, they're worldwide, they're persistent, and they're creative," he says.

And Swartz and Conrad have enough experience fending off these hackers at their own institutions. UNC-Chapel Hill has 60,000 separate IP addresses connected to its campus networks, and wards off 30,000 hacking attempts per day, every day. Swarm says he fends off thousands of attackers per month at American U.

With numbers like that, it's important to start paying attention, identify where your institution's risks lie, and learn how to protect against identity theft and fraud.

EVALUATE WHERE YOU'RE SENSITIVE

To start, officials must "understand what type of data they're actually storing as an organization," says Josh Abraham, senior security consultant and security researcher with Rapid7, a company that provides vulnerability management, compliance, and penetration testing solutions for web application, network, and database security.

By taking the perspective of a potential attacker, such as an internal user to an institution, for example, Abraham helps their officials understand where sensitive materials are stored. …