One of our sister institutions, the University of Iowa, suffered a breach of their book store computer systems last month, potentially exposing the credit card info of 30,000 people. This follows the breach we had at our campus public radio station in March, affecting a smaller group on our own campus. As this article shows, this year, over half a million people have had their credit card numbers, social security numbers, and other personal data potentially stolen from universities with shoddy computer security. Oh, and the year is barely half over.
At this point, you have to think (and I hope) that a Congressional investigation or legislation is coming. Many institutions, including my own, need to change their approach to computer security if they're going to reverse this trend.
One of the problems on many campuses is that the IT staff is distributed, because the IT dollars are distributed. There's usually not a single IT department; there are 50 of them, with varying practices, levels of skill, staffing, and funding. Some campus IT staff don't get near the level of training dollars spent on them that they need to do their jobs properly, due to declining tax revenues in many states. This distributed model also means that an institution's critical information is spread across dozens, if not hundreds, of computers throughout the campus network, with greatly varying degrees of security placed upon them. A spreadsheet containing social security numbers or other private information might be on the same computer that a student worker is installing spyware-infested games on to play when they're bored.
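The first step most campuses take against exactly that scenario is to find out where the sensitive files actually are. The following scanner is an added example, not code from the original post or from any campus IT shop: it walks a directory tree, looks for dashed social-security-number patterns, and discards candidates that can never be a valid SSN (area 000, 666 or 900 and above, group 00, serial 0000) to keep the noise down. The sample files it builds are constructed for the demonstration; the directory name and file names are assumptions.

```python
import os
import re
import tempfile

# Candidate pattern: NNN-NN-NNNN. Only the dashed form is matched here so that
# phone numbers, IDs and other nine-digit runs don't flood the report.
SSN_CANDIDATE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Reject candidates the Social Security Administration never issues."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_text(text):
    """Return every plausible SSN found in a string."""
    return [m.group(0) for m in SSN_CANDIDATE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory; map each file containing plausible SSNs to its hit count.

    Only the first max_bytes of each file are read so a stray large file
    can't stall the scan; unreadable files are skipped rather than fatal.
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            hits = scan_text(data.decode("utf-8", errors="replace"))
            if hits:
                findings[os.path.relpath(path, root)] = len(hits)
    return findings


def build_sample_tree():
    """Constructed sample directory: one real export, two files with look-alikes."""
    root = tempfile.mkdtemp(prefix="ssn_scan_")
    os.makedirs(os.path.join(root, "payroll"))
    with open(os.path.join(root, "payroll", "export.csv"), "w") as fh:
        fh.write("name,ssn\nA Student,123-45-6789\nB Student,234-56-7890\n")
    with open(os.path.join(root, "phone_list.txt"), "w") as fh:
        # Neither line is a valid SSN: area 000, and area 666 with group 00.
        fh.write("helpdesk 000-12-3456\nbatch id 666-00-0000\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing sensitive here\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, count in scan_tree(root).items():
        print(f"{count} plausible SSN(s) in {path}")
```

Run against a real workstation, the report is the list of files that need to be moved to a properly managed server or deleted; the plausibility filter matters because without it almost any departmental phone list or inventory file shows up as a false positive.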
A lot of campuses have "open" computer networks that allow most, if not all, types of network traffic to flow to and from their borders, rather than just allowing certain types. This gives students, faculty, and staff the ability to use whatever types of software they like, so it's very flexible, but it also exposes them to a much greater risk.
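The trade-off is smaller than it looks, because a default-deny border that tracks connection state keeps the flexibility users care about (anything they start from inside still works) while refusing unsolicited inbound traffic to machines that were never meant to be servers. The model below is an added example, not from the original post or any particular firewall product: it compares the open posture described above with a stateful default-deny posture on the same packets. The addresses, ports and the list of exposed services are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Internet to campus, "out" = campus to Internet
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed allowlist: the only services the campus deliberately exposes.
INBOUND_SERVICES = {("tcp", 443), ("tcp", 25), ("udp", 53)}


class OpenBorder:
    """The posture the post describes: the border passes everything."""

    def decide(self, pkt):
        return "allow"


class DefaultDenyBorder:
    """Allow all outbound traffic and remember it; admit inbound traffic only
    if it answers a remembered outbound connection or targets a listed service."""

    def __init__(self, services):
        self.services = set(services)
        # Tracked outbound flows: (proto, campus host, campus port, remote host, remote port)
        self.state = set()

    def decide(self, pkt):
        if pkt.direction == "out":
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: is this the return half of a flow a campus host started?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow"
        # Otherwise only explicitly published services are reachable.
        if (pkt.proto, pkt.dport) in self.services:
            return "allow"
        return "deny"


def run(border, packets):
    """Evaluate packets in order; order matters because the border is stateful."""
    return [border.decide(p) for p in packets]


# Constructed traffic sample (RFC 5737 documentation addresses for the outside).
SAMPLE = [
    Packet("out", "tcp", "10.1.2.3", 51000, "203.0.113.10", 80),     # student browsing
    Packet("in",  "tcp", "203.0.113.10", 80, "10.1.2.3", 51000),     # the reply to it
    Packet("in",  "tcp", "198.51.100.7", 40000, "10.1.2.3", 445),    # unsolicited, to a workstation file-sharing port
    Packet("in",  "tcp", "198.51.100.7", 40001, "10.1.0.5", 443),    # unsolicited, to the published web server
    Packet("in",  "udp", "198.51.100.7", 40002, "10.1.9.9", 1434),   # unsolicited, to a database port
]


if __name__ == "__main__":
    for name, border in (("open", OpenBorder()), ("default-deny", DefaultDenyBorder(INBOUND_SERVICES))):
        print(name, run(border, SAMPLE))
```

The student's browsing session is allowed under both policies; the difference is the two unsolicited packets aimed at a workstation and a database host, which the open border passes straight through to whatever happens to be listening. The business decision a campus then faces is just maintaining the service list, which is a far smaller job than securing every machine on the network to Internet-facing standards.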
As the ComputerWorld article says, this philosophy of openness is pervasive:
The most fundamental factor is the openness of the university. The free and open exchange of ideas has long been at the core of the university mission. As a result, the typical campus is physically open to all comers; no identification badge is needed. Its intellectual property is openly aired, and members of the college community interact in public forums online and off-line. Names of professors are public knowledge much more often than their middle-management counterparts in private industry, and rosters of students aren't hard to come by, either. The campus is like this because everyone there, except IT security, wants it that way.
I know it probably seems strange to hope that Congress intervenes in one's own profession, but I think it can only improve the situation at this point. While we are working to improve our campus network security, I know it would happen a lot faster if there were tougher laws requiring us to do so...