Revenue department hacking spurs investment
USC will spend more than $2 million over the next two years to bolster its cybersecurity with more staff, new technology and updated policies in the wake of last year’s Department of Revenue hacking.
The effort, dubbed Secure Carolina, could more than double the size of the university’s cybersecurity team.
Currently, USC employs six employees and one student worker in the area, and it’s on the verge of posting four job openings with two or three more on the way, said Marcos Vieyra, the chief information security officer.
Vieyra expects the hires will change how his office does business by allowing employees to hone individual specialties, like education and awareness, servers and desktop security.
At present, he said, his employees’ focuses jump around frequently — to deal with issues that arise and carry out ongoing projects, for example.
“Right now, our time is very divided,” Vieyra said. “It’s not possible with the limited resources that I have at the moment to take one of my people and say, ‘Alright, your full-time job is to go out and evangelize our program.’”
Salaries for the new employees will have to be negotiated, but Vieyra said USC’s shooting for state pay grades with midpoints between about $54,000 and $80,000.
Pay for information security experts will likely grow as organizations recognize they need more, Vierya said, so attracting and keeping talent at USC and other state agencies will increasingly become a challenge.
The Secure Carolina has also seen USC buy new security tools, including new anti-virus software and a program that will track data to identify possible breaches, Vieyra said.
USC is also evaluating its privacy and information security policies in an effort to clearly delineate how the university uses its students’ and employees’ information and establish a comprehensive privacy policy.
While such a policy wouldn’t necessarily change much about how USC uses information, it would let community members know what’s going on and let them express their qualms, even though they would not have a way to opt out from them, Vieyra said.
Information technology policies will also be evaluated by the university auditor when departments go up for scheduled reviews. Currently, USC audits focus on their financials, but the auditor’s office is drawing up standards to make sure their security policies are in line, too.
The slate of initiatives that comprise Secure Carolina has been floating around USC for years, Vieyra said, but USC didn’t make much of a concerted effort to beef up its security until the revenue department was hacked last fall and the issue was brought to the fore.
“Obviously, what happened in the Department of Revenue really brought the significance and gravity of the issue to the front of everyone’s consciousness,” Vieyra said. “Without something like the Department of Revenue breach, this may not have become as big of a priority.”
USC hasn’t been immune from such attacks either.
Last June, the university found that as many as 34,000 students and employees in the College of Education had their information, including Social Security numbers, compromised.
And even with a bigger team fighting them, Vieyra said there’s no way USC will be able to keep every hacker out.
“Even if you gave me unlimited resources, I will not be able to risk of compromise down to zero,” he said. “I mean, that’s just not possible.”