OU to spend $4M to fix problems with security

An outside audit found a history of paying too little attention to the issue.
ATHENS, Ohio (AP) -- Ohio University's Board of Trustees agreed Friday to spend up to $4 million to bolster the university's computer security after five instances of data theft since March 2005 have put students, alumni and employees at risk for identify theft.
The decision comes after an audit criticized the university's Computer and Network Services division for making security a low priority for more than 10 years, though it had an annual budget averaging $11 million and recent annual surpluses averaging $1.4 million.
The additional money approved Friday is to be used to hire, train and reorganize staff and buy more sophisticated computer equipment and software.
Trustees doubled the audit's recommendation of spending $2 million because of the complex and numerous issues facing the university's computer system, board President R. Gregory Browning said.
"This is just an initial down payment," he said. "We're still in the process of fully understanding the problem."
The data theft has exposed 367,000 files containing personal information such as Social Security numbers, names, medical records and home addresses.
The university announced April 21 it had discovered a computer breach at its training center for fledgling businesses. Since then, electronic break-ins also were reported at the school's alumni office, health center and the department that handles records for businesses the university hires.
Independent report
In May, the university brought in a team of consultants to assess the school's computer problems and make recommendations. A 55-page report was handed to the university earlier this week, details of which were first reported by The Columbus Dispatch on Friday.
The report by Moran Technology Consulting, of Naperville, Ill., found that not enough skilled computer staff and too few resources have hampered the university's ability to fight off hackers. Computer officials also did not "firmly and loudly identify important security problems" and did not demand support to fix those problems, it said.
"Ohio [University] has not taken many of the very basic steps needed to secure its network, systems and data," the report said. "Supporting security was a small issue six to seven years ago. Today, it requires a significant investment in staff and tools just to stay up with the hackers."
The university on Tuesday suspended Tom Reid, the director of Computer and Network Services, and Internet and systems manager Todd Acheson, pending the school's investigation of the breaches. Both men have hired lawyers, Reid said.
"It's going to take a long time to develop a cogent response," Reid said. "I'm eager to have the facts come out."