In case you haven't heard (perhaps you've been working remotely on the moon), cybersecurity has become a huge issue for all of us. The security professionals tasked with keeping institutional networks safe (they're called information security professionals, or infosecs) are struggling to keep up with the pace of data breaches and respond to the variety of attacks that are taking place 24/7/365. Stoic in their commitment to "handle it," most information security departments are only now getting around to letting the average nontechnical team member know that there are a lot of ways we can help keep our networks — and ourselves — safer. In the next few paragraphs I'm going to explain what security awareness is and how we — the non-geeks — fit into the puzzle.
First, What Is Security Awareness?
Wikipedia provides a good place to start: "Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the … informational assets of that organization." Or, as an infosec explained to me recently, "There's no patch for a stupid user." Ouch! Do those tech wizards really think of us like that? No, not really. They say things like that to make a point: No amount of technology can overcome the fact that people make mistakes. Especially when no one takes the time to explain the right and the wrong way to do things. Here's a simple analogy to make my point: Your local bank branch might have an amazing, state-of-the-art alarm system and vault, but if the bank manager forgets to lock the door or set the alarm, these security steps are useless. This example seems almost silly, doesn't it? That's because we're all familiar with things like door locks, alarms, and piles of hard cash. We're living in a new age, where the line between "secure" and "unsecure" is much more difficult to define. We all have a responsibility to educate ourselves.
I'm Not in IT or Information Security, so What's My Piece of the Puzzle?
Like the bank manager in the earlier analogy, you probably aren't responsible for designing and implementing cybersecurity measures any more than you provide for the physical security of your office. But I'll bet you have a key or key card to get in the front door of your office and understand that if you're the last one to leave, you need to lock the door behind you. Cybersecurity awareness isn't any different: you're responsible for making sure your digital activities don't lead a hacker to the inner vault of your institution's data.
What Are Hackers Looking for, Anyway?
In most cases, easy money! Just like a burglar looks for things that are easy to steal and sell, like jewelry or electronics, in a data breach most of the time hackers want data that's easy to sell on the dark web. That's primarily payment data like credit card numbers or bank account information and personally identifiable information like social security numbers and dates of birth. These items have a market value on the dark web the same way a diamond ring does at a pawn shop. And if you work in a key industry like healthcare or finance, or your institution has valuable intellectual property, there are many other types of data a thief could be after, too.
Why Would They Be Looking on My Devices?
Usually, if a hacker's been in your system, it's because yours was the easiest to get into. Like a petty crook walking down the street trying every car door as he goes, hackers will "take it where they can get it" most easily. Once hackers have access to your digital identity, they can use your device as a "pivot point" to access more systems. Here's a scenario to paint the picture: Imagine if a hacker managed to breach the computer of your institution's lowliest, newest staff member. There's probably not a lot to steal (maybe — read the next section to see why), but there's plenty of opportunity to use the newbie's digital identity to break into other users' systems. For example, the hacker who has his foot in the door could send a campus-wide e-mail along the lines of, "Thanks for a great semester! Check out the attached zip file to see pics of me with everybody!" How many of your co-workers might open that ZIP file before it dawns on them that they haven't even met the newbie yet?
Wow, Is There Anything Else I Should Know?
Well, yeah, actually: besides providing a potential "pivot point" (a device used to gain access to a more valuable one), depending on your role, your device might actually be full of data that hackers would want to steal. Ultimately you need to proactively scan your devices for this stuff — because I can't cover every scenario in a blog post! — but keep an eye out for types of data you might have and where it might lurk, even though you've done your best to be digitally safe and tidy.
Data Types
Payment Data
- Credit card numbers
- Bank account information
- PayPal/e-commerce/account logins
Personally Identifiable Information
- Driver's license
- Social Security Number
- Passport
- Date of birth
Protected Health Information
- Policy information
- Dates of service
- Diagnosis codes
- Account numbers
- Photos
Where the Data's At
Stored on Your Drives
- Documents folder
- Downloads folder
- Dropbox/iCloud/OneDrive
Local Files
- Spreadsheets
- Word documents
- E-mail files
System Files
- E-mail archives
- Temp folders
- System backups
Unless you've proactively looked for these types of data on your system, you shouldn't assume that your computer, laptop, tablet, or phone isn't hiding this stuff in plain sight, just waiting for someone to come along and take it.
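To make the "proactively scan" advice concrete, here is an added example of my own (constructed for this post, not iScanOnline's product or any institution's tooling) that sweeps a folder tree for card-number and Social Security Number patterns in plain-text files and prices what it finds at the $150-per-record figure used below. All function names, the folder layout, and the sample files are made up; the card number is the well-known 4111 test number, and a Luhn check keeps random digit runs from being reported.

```python
"""Local sensitive-data sweep (constructed example, hypothetical names throughout)."""
import re
import tempfile
from pathlib import Path

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
COST_PER_RECORD = 150  # per-record breach cost cited in the post

def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> dict:
    """Return Luhn-valid card numbers and SSN-shaped values found in a text blob."""
    cards = {re.sub(r"\D", "", m) for m in CARD_RE.findall(text) if luhn_ok(m)}
    ssns = set(SSN_RE.findall(text))
    return {"cards": sorted(cards), "ssns": sorted(ssns)}

def scan_tree(root: Path, suffixes=(".txt", ".csv")) -> dict:
    """Walk a folder tree (Documents, Downloads, ...) and report hits per file."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_sensitive(path.read_text(errors="ignore"))
            if hits["cards"] or hits["ssns"]:
                report[path.relative_to(root).as_posix()] = hits
    return report

def exposure_estimate(report: dict) -> int:
    """Rough dollar exposure: unique records found times the $150/record figure."""
    records = {v for hits in report.values() for v in hits["cards"] + hits["ssns"]}
    return len(records) * COST_PER_RECORD

def demo() -> tuple:
    """Build a constructed sample tree, scan it, and return (report, dollar estimate)."""
    root = Path(tempfile.mkdtemp())
    (root / "Downloads").mkdir()
    (root / "Downloads" / "donors.csv").write_text(
        "name,card,ssn\nA. Donor,4111 1111 1111 1111,123-45-6789\n")
    # Luhn-invalid number and an impossible SSN: neither should be reported.
    (root / "notes.txt").write_text("order 4111111111111112; ref 000-12-3456")
    report = scan_tree(root)
    return report, exposure_estimate(report)
```

A real sweep would also open e-mail archives, spreadsheets, and Word documents, which need format-specific readers; the patterns and the Luhn filter stay the same.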
And This Is a Big Deal?
This is a huge deal. It's bad enough if somebody pilfers your own valuable data, but if you're storing student, faculty, staff, alumni, and donor data and that is breached, you're looking at a very embarrassing, costly, and time-consuming process to "make it right." Believe it or not, each breached record costs about $150 on average. So if you've got sensitive data on a few dozen people, your machine alone could cost your organization $10,000 or more. Multiply that across all employees, and it becomes easy to see why Kaspersky Lab reports that businesses pay an average of $551,000 after a breach. And that's not counting all the other stakeholders a breach might affect!
Here's a quick list of some consequences if your institution is breached:
- Damaged reputation and loss of trust
- Impact on prospective students, alumni, donors, and event attendees
- Stakeholder notification costs
- Security fixes for the data breach
- Credit monitoring and identity theft services for stakeholders
- Regulatory fines (especially HIPAA and FERPA)
- Threat of litigation
So that's the short(ish) explanation of why your institution is so hot to get you security aware, and why you need to know that you have a direct impact on its risk posture (how ready you are to thwart a hacker). You really are an important piece of the puzzle! Luckily, there are a lot of resources out there to help you take your awareness to the next level, and the month of October and staysafeonline.org are the right time and place to do it! Just remember that, when in doubt, asking a few extra questions of the people you know you can trust can save you and everyone you work with a lot of expensive, embarrassing, frustrating headaches down the road!
Ben Redfield is the marketing manager at iScanOnline.com, a company offering a simple, turnkey data breach risk intelligence report to calculate cybersecurity threats in dollars so that technical and nontechnical stakeholders alike can better prioritize risks. He holds a BA in English and Religious Studies from the University of Iowa and an MA in Communication, Culture, and Technology from Georgetown University. While his current work focuses on a lot of different industries, he has a soft spot in his heart for higher education.
© 2015 Benjamin Redfield. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.