TRU’s Information Technology Services filters out “hundreds of thousands” of spam messages to administrative, student and faculty accounts on any given day, according to TRU’s Chief Information Officer, Brian Mackay.
Using next-generation firewall and anti-malware technology such as Sophos’ PureMessage, the university’s IT Services hopes to prevent breaches that could compromise data and destroy TRU’s reputation.
In January of 2012, a major breach occurred at UVic. Targeting the institution’s payroll department, thieves were able to make off with a number of electronics, including an encrypted USB drive with payroll information. Following the incident, four UVic employees had money stolen from their bank accounts. Hugh Burley, TRU’s Information Security Officer, estimated the damage done to UVic to be around $2 million.
Though the incident was an eye-opener for many higher education institutions around the province, Mackay said it was a learning experience as well.
“It did help other schools in improving their programs and we learned from that,” Mackay said. “But higher education institutions are some of the softest, easiest and most coveted targets in this information war.”
Because institutions like TRU are committed to the concept of academic freedom, hackers and thieves often target them for their low-risk, high-reward payoff.
“We don’t block things that other organizations would simply shut down,” Burley said. “Most organizations would not allow BitTorrent in their network or allow Internet browsing the way we do. We basically have no controls on those accesses to the external world.”
Usually the only time that TRU uses automated controls to block sessions around campus is when its software identifies something malicious within the system, such as when an individual tries to access a site containing a virus or spyware.
Despite this ease of access for hackers and other intruders, Mackay and Burley believe TRU’s information to be safe, though keeping information safe is a constant battle, Mackay said.
“The cost for espionage is zero, but our costs keep doubling to protect our constituencies,” Mackay said.
Currently, information security takes up around seven per cent of IT Services’ budget, or approximately $300,000 a year, Burley said. The cost is expected to only grow in the future. For IT departments in many organizations and businesses, information security is the fastest-growing budget.
Yet according to Burley, this cost is nothing compared to the damage that may be caused in a major breach. While there is minimal cost involved for hackers trying to access the data, each set of email credentials breached could cost the university anywhere between $80 and $200.
But guaranteeing network safety isn’t something that solely rests in the hands of IT Services either. Sometimes it isn’t as simple as being respectful of other users’ accounts and logging them out before you use a computer, or making sure you aren’t downloading malicious software from online torrenting sites.
“Where there are human factors involved, those are really hard to digitally protect,” Mackay said.
Part of protecting students, faculty and staff at TRU is educating them. Currently, all new employees at TRU must undergo mandatory information security training. Burley and his information security team have trained over 2,000 employees at TRU within the last four years.
IT Services also runs three information awareness programs for students every year. Within these programs, applicants are given a basic understanding of the principles and language of information security.
“It is just a chance to engage with students and staff, where we answer their questions,” Mackay said. “This way we at least know they spent a couple of minutes thinking about information security this year.”