On October 11, 2019, we attended the Information Security Summit at Worcester Polytechnic Institute (WPI). Hosted by Springer Nature, WPI Gordon Library, and the Boston Library Consortium, the event focused on how cybersecurity threats impact academic research institutions.
It was an eye-opening event, to say the least! There’s not enough room in a single blog post to cover everything we learned, so this post will share some key takeaways. But before we do, here’s a definition of “cybersecurity” to get us all on the same page:
‘Cybersecurity’ is the practice of protecting systems, networks, and programs from digital attacks.
Perhaps the most important thing research librarians should know is that the information held on campus networks is under constant threat of illicit access. That includes e-resources as well as sensitive personal and student information. Here are some stats that may shock you:
- Hackers attack every 39 seconds
- Student education (and healthcare) records are worth more than credit card numbers on the black market.
- A breach can cost organizations an average of $150 million
- In 2018, more than 500 million records were stolen
- Most companies take months before they even detect that a breach has happened
Thankfully, the event wasn't all gloom and doom.
The keynote speaker was David L. Schwed, J.D., Director of the MS in Cybersecurity program at Yeshiva University. In his presentation, he explained that 95% of cybersecurity breaches are due to human error: people make mistakes, or are tricked into handing data and information over to hackers.
That’s good news, relatively speaking, because it means that many of today's cyber attacks and hacking scams are within our control and can be avoided.
Proper Training is Essential
Schwed stressed the importance of proper training, explaining that your institution can have all the right security technology in place, but if you don’t train your people, none of that will matter.
Because hackers have a wide variety of tactics for stealing information (e.g. email attachments and links, wireless hotspots, USB drives, websites, social media), comprehensive training is critical. In addition to security awareness training, it’s a good idea to conduct “social engineering testing” to ensure employees, vendors, and other stakeholders know how to recognize and avoid everything from spear phishing to telephone and in-person hacking tactics.
Regulation is Not Enough
Unfortunately, government security regulations set only a bare minimum and shouldn’t be relied on. Organizations should always do more than is required to protect the information on their networks. Here’s a fact that was shared during one of the speaker presentations:
"The U.S. Department of Education failed to conduct timely, effective investigations of potential violations of the nation's main student-data privacy law, allowing a years-long backlog of unresolved cases to pile up without any mechanism for effectively tracking the number or status of the complaints it received."
A Publisher’s Point of View
During our lunch break at the Summit, we had the opportunity to chat with Bob Boissy, Director of Account Development at Springer Nature, to get his perspective and insights on information security in the academic research setting. Here are some highlights from our conversation:
Q: What are some recent forms or examples of cyberthreats research librarians should be aware of?
"90% of stolen material is stolen via campuses in English-speaking locations (US/UK/Australia). Many campuses are targeted by phishing and spear phishing through campus servers, through the library proxy server."
Q: What are the impacts or implications of these threats at both the individual and organizational level? Any specific cases that come to mind?
"Sci-Hub has a large base of students, and faculty have become apathetic to where they get information from—and uncaring of the source. Sci-Hub has taken on the mantle of the Robin Hood of the industry, but there is no way to regulate or verify their info. If smaller publishers are hurt and go out of business, where will the research come from?"
Q: What are strategies and solutions being discussed to combat this issue?
"The STM association has developed a list of blacklisted IPs [IP addresses] and makes that list available to universities and colleges for free. Also, university relations with events like this, which provide an open forum to talk about issues and legality between campus and publishers. We have sought to bring the topic on the radar in the academic library community with events like this one, the Charleston Library Conference, and via websites like the Scholarly Kitchen. The main thing is to get awareness out there to the community and hope they will respond."
When asked what he believes individuals, information managers, and organizations can do to secure themselves and minimize risk, Boissy offered the following advice:
- Develop a checklist of recommendations
- Treat Sci-Hub as a threat to your campus*
- Consider joining REN-ISAC if your school isn’t already a member
- Schedule a talk with your local network security team
- Recognize the threats from other avenues, like open source sites and torrents
*Sci-Hub, which provides free yet illicit access to paywalled articles, is a key player in the ongoing debate over piracy versus universal access to research. To learn more about paywalls, Open Access, and the cost associated with scholarly content, check out some of our previous posts here, here, and here.