Wednesday, February 01, 2006

NEW YORK - "Passwords are like underwear," reads a poster at the University of Michigan. "Change yours often." "Patches aren't just for pirates anymore," insists another poster at the University of Wisconsin-Madison, "Keep your operating system up-to-date."

Behind the cheeky slogans is a serious attempt on behalf of university information technology departments to get their large, diverse communities more involved in securing their computers and personal information.

"I think that as far as information security is concerned, it may be that a university is the most challenging kind of organization to protect," says Tina Darmohray, information security officer for Stanford University. She says regulations pertinent to universities--from the Health Insurance Portability and Accountability Act to the Gramm-Leach-Bliley act regarding a school's banking functions for student loans--outnumber those applicable to most corporations. "About the only one that didn't apply to higher education is Sarbanes-Oxley because Stanford isn't publicly traded on a stock market," Darmohray says.

Campus security czars can no longer simply slap antivirus software on everyone's computer and call it a day. Today's big threats, such as identity theft, require conscious effort to combat, and many experts say a well-maintained computer and a good password are the first steps.

With organizations as large and complex as universities, there's a lot of communication that needs to happen, says Jim Lowe, chief IT security manager for the University of Wisconsin. His security umbrella covers more than 60,000 users, including everyone from undergrads to administrators to professors.

Universities have joined large corporations and banks as the prime targets for identity thieves who hope to access the personal information of tens of thousands of people with a single hit. Last March, the University of California, Berkeley, reported the theft of a notebook computer containing the names and social security numbers of more than 98,000 people, mostly graduate students and applicants. A few days prior, Northwestern University's Kellogg School of Management reported a security breach on a server containing password-related data for more than 20,000 faculty, staff, students and alumni.

Consequently, University of Wisconsin's Lowe says, communication is essential. "Security is everyone's business," he says, regardless of the assumed value of data on someone's computer. Lowe says the push to educate people about patching their computers was key in protecting the school from recent bugs discovered in Microsoft's (nasdaq: MSFT - news - people ) Windows operating system.

Dorms, packed with students who are eager to experiment with every gimmick the Internet offers, can be especially troublesome. Most universities now employ tech-savvy students to help with technical support, from 11th-hour term paper-printing crises to setting up Wi-Fi on laptops. And to automate protection from the myriad worms and viruses circulating the Internet, many schools spend thousands of dollars every year to license antivirus and anti-spyware software from Symantec (nasdaq: SYMC - news - people ), McAfee (nyse: MFE - news - people ) and other vendors.

But in an increasingly high-tech world, Lowe stresses that one of the easiest ways of protecting personal information is a tool that costs less than $20 from an office-supply store.

"Buy a shredder," he says. "They're inexpensive and they're a good thing to have. Shred anything with personally-identifiable, good information on it.

