IT Risks for Higher Ed: What’s the Worst That Could Happen?

The increase in ransomware attacks this year reminds me of a side of information technology that we don’t often talk about. Our excitement around innovation and transformation within teaching and learning, research, and other aspects of the university mission is both understandable and justified. Yet there is exceptional risk when things go wrong — sometimes terribly wrong.

A common adage is that the successful IT organization “needs to keep the trains running on time.” And this is an important insight. Without a strong foundation of reliable and secure services, our IT leaders and organizations won’t be effective partners on higher-level strategic initiatives. But there is always the risk of a rare and catastrophic event — something far worse than a frustrating experience with usability or response times.

I mentioned ransomware as one example. Other major incidents may include a significant security breach exposing sensitive and private data, causing a high-impact downtime in local or cloud services that takes days or even longer to resolve. A natural disaster such as an earthquake or hurricane could impact your IT staff and facilities beyond your disaster recovery and business continuity preparations. And perhaps worst of all from an IT perspective, there could be a series of unforeseen events that results in a permanent loss of institutional data.

We’re all aware of this potential downside within the IT leadership community. The important question to consider is, are we truly, adequately prepared? And are we communicating clearly with our executive leaders so they understand and support our risk mitigation efforts? To be more specific, are we all on the same page in how much we’re investing to reduce the chances of a worst-case event during our collective watch?

There is rarely enough funding to cover all the exciting innovation and transformation opportunities that might benefit the institution. It may be tempting over time to move money and positions to those opportunities and away from operational costs such as risk mitigation. Where to draw the line on acceptable levels of risk with IT-related services is a challenging responsibility. Discussions initiated by the CIO with executive leadership, including areas such as university counsel and audit services, are a best practice to facilitate communication and ultimate buy-in for what is needed.

Another suggestion for dealing with this issue: initiate a peer review, or hire a third-party organization that is well-versed in risk mitigation within higher education to assess your operational technology and data risk.

It’s not possible to be 100 percent assured to avoid the unthinkable. Yet it is possible, and advised, to have sometimes-uncomfortable conversations and assessments to ensure everyone understands the risks, acceptable levels of it and mitigation efforts. It’s much better to spend valuable time and resources up front to avoid a catastrophic event than to recover from one.