October — also known as National Cybersecurity Awareness Month (NCSAM) — gives all of us an opportunity to share tips, tricks, and techniques to keep our organizations, employees, neighbors, and selves safe online.
We've seen many changes over the last 13 years since NCSAM was established. Most of us now live in the cloud with the Internet of Things (IoT) all around us. We repeatedly hear "there's an app for that." Everything is "smart": smart phones, smart homes, smart cars. But are we really smarter about how to keep these devices and our information stored on them safe? How do we help people remain vigilant about protecting their data and themselves when it's easy to assume that these smart gadgets will take care of everything?
The rules of security, safety, and privacy stay the same regardless of the technology. Cybersecurity is fundamental to realizing the promise of new and expanded technologies. This blog checks your cybersecurity "apptitude." How well are you and your institution doing in these areas?
Universal Participation
Security is everyone's business. One weak link in the security chain, whether technology or people, can cause headaches for all. It only takes one insecure system, application, or user. You need universal participation in the security solution.
- Up-to-date systems. Anything on the network needs to have the most current patches and updates. This includes servers, PCs, laptops, mobile devices, network devices, and applications. Automate this as much as possible to reduce the reliance on humans.
- Trusted applications. Use only applications that are trusted and vetted. End users shouldn't be allowed to download and install their own applications. While this can be tricky for campuses due to academic freedom, it's really to protect the users from themselves, unknown apps, and current Internet threats.
- Security awareness for all. Everyone needs to receive security awareness training at least annually. This is a great time to remind users to stop and think before they click. It's easy with the free NCSAM materials provided by StaySafeOnline.org.
Plugging Information Leaks
Information leaks in a variety of ways: accidental disclosure, careless storage and protection, and direct attacks. Often the cause is simply that people do not take care with the personal information in their hands. As the cartoon character Pogo said, "We have met the enemy and he is us."
- Do the administrators and professors at your institution know how to guard information in their care? Are restrictions in place to make sure only those people with a need to know can see that information?
- Do you know your info? Is the information you handle sensitive or confidential? What damage would result if it gets out to the public or one of your competitors?
- Do you label sensitive, proprietary, or confidential information? You may know that the information is sensitive, but do your co-workers? (Note: Most institutions have a guide for labeling and protecting sensitive data — e.g., the University of Michigan's Sensitive Data Guide to IT Services.)
- Does your institution protect sensitive, proprietary, or confidential information? Answering this question is a separate article. In general, you can do the following things to move in the right direction:
- Remove any extra copies of sensitive documents. Maintain originals in a secure location and get rid of all other copies. Place documents in a secure location (not a public folder or even a laptop hard drive). If you don't need a copy of a document, then don't keep it.
- Don't send sensitive documents to an outside e-mail address unless absolutely necessary.
- Encrypt your information using tools like Microsoft BitLocker, VeraCrypt, or 7-Zip. Know what each one actually protects: full-disk or volume encryption (BitLocker, VeraCrypt) protects data at rest on a lost or stolen device, but not data on a machine that is unlocked and running; a password-protected 7-Zip archive protects a single file or folder that has to be stored elsewhere or sent, and it is only as strong as the passphrase you choose.
Risky Business
We experience risk simply by living. Eliminating risks isn't feasible; knowing the risks you have and doing something smart about them is. We need to take that approach both in our lives and at our institutions. Security is all about identifying risks and finding appropriate strategies for managing those risks.
As you approach risk management, consider this simple equation: RISK = IMPACT x PROBABILITY, weighed against the cost of mitigation. In other words, a control is worth buying when the loss it prevents is greater than what it costs. Ideally, you would first handle the risks with the greatest impact and the greatest probability of occurring, and then later handle risks with a lower probability of occurrence or lower loss.
You can use the same risk equation and process for managing any risks or problems. Ask yourself the following:
- What am I trying to protect? That is your asset.
- What bad things can happen to it? These are the threats to your asset.
- How much money could I lose should these bad things happen?
- What weaknesses or vulnerabilities are associated with the asset?
- What am I already doing to reduce the risk?
The first three questions define the impact and the last two define the probability. Together they formulate the overall risk. With this information, you can make smart cybersecurity decisions.
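As an added worked example (not code from the original post), here is the risk equation carried through over a small risk register. The five questions above map onto the fields of one record; the campus assets, threats, dollar figures, probabilities, and the field and function names are all assumptions constructed for illustration.

```python
"""Worked illustration of RISK = IMPACT x PROBABILITY weighed against mitigation cost.

Added example, not code from the original post. The five questions from the
text map onto the fields of Risk; the register entries, dollar figures and
probabilities are constructed for illustration, and the field and function
names are the example's own, not a standard taxonomy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str            # Q1: what am I trying to protect?
    threat: str           # Q2: what bad thing can happen to it?
    impact: float         # Q3: loss in dollars if the threat materializes
    probability: float    # Q4+Q5: annual likelihood, 0.0-1.0, given the
                          #        weaknesses present and controls already in place
    mitigation_cost: float       # annual cost of the proposed extra control
    mitigation_reduction: float  # fraction of the probability the control removes

    @property
    def risk(self) -> float:
        """RISK = IMPACT x PROBABILITY, expressed here as expected annual loss."""
        return self.impact * self.probability

    @property
    def loss_avoided(self) -> float:
        """Expected loss the proposed control would prevent each year."""
        return self.risk * self.mitigation_reduction

    @property
    def worth_mitigating(self) -> bool:
        """Weigh the risk against the cost of mitigation."""
        return self.loss_avoided > self.mitigation_cost


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Highest impact x probability first, as the text recommends."""
    return sorted(risks, key=lambda r: r.risk, reverse=True)


def mitigation_plan(risks: list[Risk]) -> tuple[list[str], list[str]]:
    """Split a register into (mitigate now, accept for now), each in priority order."""
    ranked = rank_risks(risks)
    mitigate = [r.asset for r in ranked if r.worth_mitigating]
    accept = [r.asset for r in ranked if not r.worth_mitigating]
    return mitigate, accept


# Constructed register for a fictional campus; every figure is illustrative only.
REGISTER = [
    Risk("student records database", "SQL injection through the web portal",
         impact=2_000_000, probability=0.05,
         mitigation_cost=40_000, mitigation_reduction=0.8),
    Risk("faculty laptops", "lost or stolen laptop with unencrypted disk",
         impact=250_000, probability=0.30,
         mitigation_cost=5_000, mitigation_reduction=0.95),
    Risk("research file share", "ransomware delivered by phishing",
         impact=500_000, probability=0.10,
         mitigation_cost=30_000, mitigation_reduction=0.7),
    Risk("department web server", "defacement",
         impact=20_000, probability=0.20,
         mitigation_cost=15_000, mitigation_reduction=0.5),
]


def main() -> None:
    for r in rank_risks(REGISTER):
        verdict = "mitigate" if r.worth_mitigating else "accept"
        print(f"{r.asset:28} risk=${r.risk:>10,.0f} "
              f"avoided=${r.loss_avoided:>9,.0f} "
              f"cost=${r.mitigation_cost:>7,.0f} -> {verdict}")


if __name__ == "__main__":
    main()
```

Two things the table makes visible that the equation alone does not: the probability you plug in is the residual one, after the controls you already have (question five), and the "weighed against the cost of mitigation" step can put a cheap control on a mid-ranked risk ahead of an expensive control on a low one. Here the web server defacement stays on the accept list not because it cannot happen but because the proposed control costs more per year than the loss it would prevent.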
Respond, Don't React
The Internet is the World Wild Web with potential dangers around every corner. You can't protect everything perfectly, so know what to do when something bad happens. By responding thoughtfully to the issue rather than reacting to it, you can better aid your institution.
- Have a plan. Take time to develop a security incident response plan. In it, you should document the who, what, when, where, and how of addressing a real or potential security issue.
- Practice, practice, practice. Periodically test your plan to know where it works and where it needs work.
- If you see something, say something. Often our users first detect a potential problem. Train them to be part of the security solution (see Universal Participation above). Everyone should know to report security issues early.
How would you rate your "apptitude"? Does your institution meet the security goals needed to avoid the effects of "Security Groundhog Day"? Whether your computers are in the cloud or you're part of the Internet of Things, the simple suggestions listed here will help with basic cybersecurity steps to keep your institution, faculty, staff, and students safe and secure.
Ron Woerner, CISSP, CISM, CEH is a professor of cybersecurity studies at Bellevue University. He is the Air Force Association CyberPatriot 2013-2014 Mentor of the Year for his work with high school cybersecurity competitions. Follow @ronw123 on Twitter or read more on Ron's cybersecurity blog.
© 2016 Ron Woerner. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.