Paul Horner, Duke's chief security officer for information technology

Durham, NC - Today's fast wireless networks and ubiquitous mobile devices help keep Duke staff and faculty connected with e-mail and the Web -- anytime, anywhere. But they also pose an increasing risk: those devices, which are easily lost or stolen, may store passwords to access the Duke network and confidential data.

Duke is strengthening information security with a pilot data encryption project this fall for mobile devices used by staff and faculty who have access to personal health information. Encryption programs enable files to be encoded so they can only be read using a special "key."

In addition, Duke's IT Security Office is expanding its methods and tools, with frequent tests of network security and user password strength. The Duke Health Technology Services Security Office performs similar tests for the School of Medicine and health system.

"There's data at rest on a device and data in motion, which is the network," said Paul Horner, the university's chief information security officer. "We have to protect both. The network truly is only as strong as its weakest link. If a threat can penetrate one machine, it can get behind our defenses, and we all live in fear of this."

Efforts to strengthen security will be invisible for most employees, Horner said.

"Not everybody works with confidential data," he said. "The technology is adaptable enough that we can make most security and privacy controls invisible to users, while still providing more secure handling of data that's important for our students, patients and researchers who may have a lifetime's worth of work wrapped up in their data."

Horner and his counterpart in health technology services, Robert Adams, also are meeting with faculty across Duke this fall to review an updated computing and networking acceptable use policy -- part of an overall effort to refine information security governance at Duke, led by Duke's Information Security Steering Committee.

"It's more of a reminder of the common-sense practices many people already employ automatically," he said.

As part of National Cyber Security Awareness Month in October, analysts in Duke's IT Security Office are reminding employees and students to do their part, too. Users should choose strong passwords, and change them regularly; install and update anti-virus software; and not click on links in e-mails that ask for personal information.

"The threats are omnipresent," Horner said. "A big part of our job is to think the ugly thoughts, to think like the perpetrators do, so we can give people the tools, the awareness and maybe the reminders to protect themselves."