National Cybersecurity Awareness Month

Taken from: http://www.wellesley.edu/news/2014/10/node/49591

October is “National Cybersecurity Awareness Month” (NCSAM). For details regarding what LTS has planned for this, please refer to the Daily Shot article here. There are several events and informational messages that are being prepared to increase awareness amongst our users. I strongly encourage you to take advantage of as many of these as possible. I would like to highlight the featured event, which is being co-sponsored by Babson, Olin and Wellesley Colleges. Here is the description from the Daily Shot article:

“The featured event is a BOW-sponsored presentation and book signing by John Sileo, an award-winning author, trusted advisor, and leading speaker on successfully managing privacy and reputation exposure. He is CEO of The Sileo Group, which advises clients like 60 Minutes, Blue Cross, the FDIC, Homeland Security, the Pentagon, Pfizer, USA Today, and organizations of all sizes on defending privacy, profits, and reputation. His presentation, “Data Spies, Human Hackers & Internet Attackers: Bulletproof Your Privacy & Profits,” highlights current data privacy trends as well as practical, tactical solutions.

His talk will be held on Friday, October 24 from 10 to 11 a.m. at Babson College in the Olin Hall Auditorium, with a book sale and signing immediately following the presentation. Food and beverage will be provided. Transportation from Wellesley to Babson will also be available; shuttle vans will leave the Campus Center beginning at 9:30 a.m., and will return following the presentation at 11, and then again at 11:30 for those wishing to stay for the book signing. RSVP: please click here. This event is open to all faculty, staff, and students.”

The sheer number of cyberattacks, the extent of data theft and all the different companies and institutions that are affected are mind-boggling. The most popular ones are the compromises at Target, Home Depot and most recently JP Morgan Chase. We also heard about a compromise at Apple’s iCloud through which photos of several celebrities were stolen and leaked. In one of the major data breaches in Higher Ed, data was stolen from the University of Maryland. If you want to see a compiled list of breaches, you can see it here (Identity Theft Resource Center). These are indicative of inferior technologies, information security being treated as an afterthought by the institutions, lack of adequate funding and, above all, lack of talent in the information security area.

It is very clear that the advances in technology keep outpacing a whole set of other dimensions such as funding, policies and cultural implications. The race to be the first is resulting in technologies that ignore these additional dimensions and are poorly designed and developed. Mobile apps are good examples of this. There are many apps that we download from the App store or the Play store where we are warned about the different ways in which the apps access information about us and transmit it elsewhere. Unfortunately, in most cases, you cannot use the app if you don’t agree to this. Why exactly would a note-taking application need to know about my location? Apparently, knowing where specifically one took the notes is important! What if I am not interested in this feature? The software generally does not provide such granular control. Of course, this is more of a privacy issue. However, since many apps store our personal information in the cloud, securing that information is their responsibility, and they very rarely inform the user how they are securing our data and what their obligations are in the event data is lost. Liability for small software companies can be huge.

In small institutions like ours, we face enormous challenges with regard to information security. We support software from many vendors and we trust them to implement best information security practices. Some of these systems are so complex that one wonders whether they even know what vulnerabilities exist and when they will be exposed. On top of that, the variety of computing devices that we have to support is very high relative to the staff we have. Unlike corporations, where there are strict controls on the company-provided hardware in terms of software installations and information security, we cannot replicate it in our environment. As a result, we have many more levels of exposure to contend with.

This is where we stress the importance of shared responsibility. We need every one of our users to be knowledgeable about the security best practices and follow them. One should start with the simplest steps: using strong passwords (that one should never share with others), not falling victim to phishing, running malware protection programs on one's computers, and paying a lot of attention to whom one shares personal information with. We provide several resources that everyone can take advantage of. Most of us forget that we have access to other people’s data (such as student grades), which requires us to be extremely diligent about following the best practices, because when our accounts are compromised it is not just our data that is exposed!

It is also the case that technology professionals or systems alone cannot protect information. It is a shared responsibility that requires every single user to follow the best practices. One slip there gives an opening to the hackers, and that can potentially open a gaping hole in systems.

So, if you have not already started, do it now and learn about cybersecurity and how to protect information. If you have already started, learn about what more you can do, including helping others!
