6 Factors Impacting Information Security and Privacy During the COVID-19 Crisis
In these uncertain times, it's important to consider the ways crisis response is influencing the security and privacy of institutional systems and data.
- By Brian P. Fodrey
- June 18, 2020
To say the COVID-19 pandemic has been a disruption feels like an understatement. The impact we have seen and experienced in our otherwise everyday lives has been far-reaching, overwhelming, inspiring and, without question, more often than not challenging. For those in higher education — faculty, staff, students and their surrounding communities — it's hard to envision a time when traditions of the academy will be restored to a point we all fondly remember.
That said, the herculean efforts put forth by all parties across higher education to meet the challenges presented to us as a result of adapting to the COVID-19 pandemic have been nothing short of impressive and revolutionary. In as little as a few weeks, institutions built on the tradition of face-to-face instruction and campus engagement had their entire world upended by nearly instantly moving to remote instruction, remote working and remote student engagement. While the success stories are limitless and those involved truly have shown their spirit and commitment to education and student success in ways that will never be fully documented, we have learned a lot too.
The importance of information security and privacy has been a hot topic and growth opportunity for many higher education institutions across the country for years. With the introduction of global influences such as GDPR, national and local legislation, and the general geo-political climate, our efforts in this space are simply no longer a want, but a need. This has never been clearer than in the current environment in which we find ourselves: managing an unprecedented crisis during uncertain times. We all now know that simply trying to conduct business as usual until we return to a more normal or familiar time is no longer an advisable path forward.
During this crisis, over a relatively short amount of time we have learned a lot about our institutions' information security posture, as well as those we support and the data we protect. In otherwise chaotic times, it is important to reflect on where we were (pre-crisis), where we are (managing the crisis), and where we need to be (post-crisis) as it relates to all the services and systems we are responsible for — but especially in response to what the last several weeks have presented. While each institution's experience is likely individualized and hardly standard, as you recount your lessons learned and future planning, consider the following factors influencing security and privacy during this crisis.
1. Expediency of the Migration to Remote
The classic project management philosophy dictates that projects can only be two out of three things: cheap, fast or good. In the current situation, fast was the mandate, so we were left with just two options: (1) some of the efforts that were put forth came at an expense that will now need to be accounted for in already strapped budgetary times (in other words, good but not cheap), or (2) the quality of the solution might reflect its intention as a temporary option, or the solution lacks a sustainable business or support plan beyond the immediate (cheap but not good). It is always worth remembering that, while information security is a critical piece of maintaining a reliable and productive enterprise operation, it can sometimes be left behind if you don't already have processes and systems in place that build those principles into all phases rather than treating them as a secondary consideration.
2. Enhanced Vendor Accommodations
The solution and service provider response during this time has been unlike anything I've seen before — and without it, institutions would likely be struggling to offer services and support to a user population that no longer resides or has a presence on campus. In a lot of ways, the licensing and access that has been afforded to us (temporarily) by many of our vendors/partners is likely what we always wished we had or could afford all the time! But this also is a cautionary tale for many because with those looser or more generous access options, you may find yourself in a situation where users are accessing and managing university data and information in ways that you no longer have oversight or visibility into.
3. Supporting a Fully Remote User Population
The proliferation of "free" software and web applications available to the user population is nearly endless right now, and ensuring every solution is vetted or integrated with a single sign-on solution simply isn't feasible. As a result, we may find that many are creating accounts using their university-managed e-mail address (and likely a similar password) on systems with vulnerabilities that, in different times, might have been handled by those responsible for ensuring user security and system safeguards. This abundant access to niche solutions also creates opportunities for users to veer away from enterprise-level supported and licensed software. Now more than ever we should be promoting the tools available to our users, and more importantly how to use them.
4. Shared Access to Technology
The increased demand for technology and internet service is unprecedented. Nearly all populations on campus are looking for ways to ensure they are meeting work-from-home demands, home schooling, etc., often with a limited supply of technology in their homes. It's also not uncommon, understandably so, for many of us to have to be creative with who is using that technology and how. A change in otherwise predictable user behavior is a primer for additional exposure to information security challenges and vulnerabilities. Whether it be ensuring applications are properly logged out, sessions are ended, etc., managing a machine that is shared by many creates vulnerability for the data owner and also challenges their privacy.
5. Access to the Internet
Similar to the extremely generous and vital offerings of many other solution providers, nearly all local internet service providers (broadband and cellular) are offering drive-up hotspots with free, public WiFi for users who otherwise have limited or no access to the internet. Obviously, this is a critical piece to anyone's success, whether it be someone working remotely or a student completing their studies. The need for high-speed and reliable internet access has never been higher. That said, consider the slightly less obvious risk this may present in protecting one's electronic footprint and data privacy. An open, public WiFi signal is already a vulnerability in any conditions, but the increased demand and propensity for doing more secure activities on that signal makes this an area of concern that should be addressed through promoting VPN use, encryption, etc.
6. Limited Operations and Reduced Funding
Most of us throughout higher education already have felt the struggle and strain of limited budgets, shrinking staffs, etc. But often some of the most inspiring stories reflect the great things many are doing in spite of those conditions. While the level of impact this crisis will have across the higher education landscape long-term is still unknown, we do know that in the moment many are experiencing hiring freezes and budget cuts or moratoriums. This, of course, affects all aspects of life on campus and beyond, but is most certainly impacting how many are managing, monitoring and remediating increased information security risks, not to mention handling the increased vulnerabilities associated with further delaying replacement of, and continuing to rely on, aging infrastructures and systems that were otherwise due for replacement or upgrade. With these limitations, it is important to ensure you are adapting and prioritizing your information security planning equal to the risk appetite your institution expects.
Looking to the Future
As you reflect on the last few months and look to what lies ahead, it's important to resist the urge to let this crisis control the narrative of what can be accomplished. Consider using this time of uncertainty as a pivot point and a launching pad to re-envision information security at your institution. In short, in the world of information security and privacy, the standard is still the standard. So whether you are determined to:
- Revisit old service agreements and contracts to ensure compliance;
- Ramp up your user awareness and adopt new policies and procedures; or
- Reprioritize your strategic plans based on lessons learned and a new climate …
Don't wait. Soon the technical firefighting spawned from the COVID-19 pandemic will wane, and a new normal will emerge as we return to campus. The sooner we are able to begin adapting from what we have learned, the better our resolve for ensuring we maintain the standard of security those across higher education have come to need and expect.