Sophie and Jenay talk with guests Jerry Tylutki and Isaac Galvan about 2025 Cybersecurity Awareness Month and how to thoughtfully build cybersecurity awareness programs at higher education institutions.
Takeaways from this episode:
- Building trust through deliberate relationship-building efforts and creating visibility at the institution is crucial to ensuring cybersecurity issues are reported.
- Understanding the unique higher education culture is important to developing effective cybersecurity awareness training that meets stakeholder needs and increases compliance with training.
- Institutions with limited resources can lean on the larger higher education community for support and should continually evaluate risks to stay updated on the latest threats, create layered defenses, and understand how to prioritize resources.
View Transcript
Sophie White: Hey everyone. Welcome to EDUCAUSE Shop Talk, which is a podcast where we talk about big issues in higher education technology. In this episode, we recorded it for 2025 Cybersecurity Awareness Month, but what we talk about in this episode really applies all year long. Keep that in mind as you're listening. We talk in this one with Isaac Galvan and Jerry Tylutki about what higher education institutions can do to support cybersecurity awareness training among stakeholders. It was a really great conversation with a lot of fantastic anecdotes and examples. A couple things I took away from it were really related to building trust across the institutional community by making sure that as cybersecurity professionals you are available to talk and also not necessarily punishing people if they click on a phishing email or do something they shouldn't have. Building that trust so that they can report issues to you to avoid larger cybersecurity problems.
Understanding the unique higher education culture, so how higher education works, the stakeholders that are involved, how a cybersecurity awareness campaign might affect a faculty member or a student differently than it would an industry, for example. And then how institutions with more limited resources can still do effective cybersecurity training through leaning on the larger higher ed community in prioritizing the threats that are most likely to impact the institution. Of course, it's 2025, so we did talk about AI, how AI is changing the game around cybersecurity and what to look out for related to AI and cybersecurity threats. So check it out.
***
Sophie White: Hello everyone and welcome to EDUCAUSE Shop Talk. I'm Sophie White, I'm a content marketing and program manager with EDUCAUSE, and I am a host for today's discussion.
Jenay Robert: My name is Jenay Robert. I'm a senior researcher at EDUCAUSE, and I'm your co-host.
Sophie White: Great. So today we're going to be talking about cybersecurity awareness month and cybersecurity in higher education in general. It is October, so for some folks that might mean Halloween, but for us this means awareness about cybersecurity in higher ed. So I'm thrilled to have two special guests with us today who I will introduce and then we'll dive into it. So first we have Isaac Galvan. Isaac is community program director for cybersecurity and privacy at EDUCAUSE. Isaac leads the strategic development of initiatives and programming that help higher education institutions address emerging cybersecurity and privacy challenges. He works with members to shape widely used resources, including the HECVAT we can talk about what that means in a bit. Cybersecurity and privacy guide and the Cybersecurity and Privacy Professionals conference at EDUCAUSE. He holds the certified Information Systems security professional, CISSP certification, and previously led the University of Illinois cybersecurity training program where he developed innovative approaches for creating security awareness across diverse campus populations. Thanks for being with us, Isaac.
Isaac Galvan: Yeah, thanks. It's nice to be back.
Sophie White: Alright, and next up we have Jerry Tylutki, director of Information Security and Privacy at Hamilton College who leads institutional cybersecurity compliance and risk management programs as a team of one. You're doing a lot as one person, Jerry, relying on cross-campus relationships and innovative approaches to drive strategic conversations on data governance and AI frameworks. He also, he holds the certified information security manager, CISM and certified information privacy manager, CIPM certifications and has led enterprise wide initiatives including multifactor authentication, implementation and identity and access management modernization. Jerry's an active contributor to the higher ed technology community, including serving on EDUCAUSE's cybersecurity and privacy professionals conference program committee, secretary of the board of directors for the Consortium for Liberal Arts Colleges and co-chairing CLAC's information Security and Data Privacy Affinity Group. Thanks so much, Jerry. You are busy. So thanks for spending some time with us today. In addition to leading a team of one, you have all of these other extracurriculars.
Jerry Tylutki: It's my pleasure. And Sophie, I hope you know I'm going to take the recording you gave, I'm going to play it for every meeting that I'm in now. I like that lead it.
Sophie White: Absolutely. I can just be your hype person for all of your future meetings. Perfect.
Jenay Robert: Actually, this is a great idea for Sophie to have a side hustle. Instead of all of us needing walkup music from now on, Sophie can sell us just a little clip of her giving us this incredible introduction. We can use it for everything.
Sophie White: It's like what is that Cameo when you hire celebrities?
Jenay Robert: Yeah.
Jerry Tylutki: If we can add in some copyrighted theme music. I think we're on a gold mine.
Sophie White: Yeah. Yeah, perfect. All right, so let's talk about cybersecurity. I'd love to hear from you all, why is cybersecurity awareness month important? So obviously cybersecurity awareness is important every month, but why do we do this every year that we have this deliberate intentional awareness training and all of the programming that goes with that? Can you talk a little bit about that idea?
Isaac Galvan: Yeah, I can touch base on that. I think it's important that we set aside at least one month each year because every year there's new things to talk about and it's a constantly evolving feel that we always need to touch base with the entire community. So while some of us live and breathe this stuff every day working in the cybersecurity and privacy field, there's a lot of folks who are, that's just a small part of their job, and so we ask everybody to spend some time and we try to build that bridge through Cybersecurity Awareness Month to all functions and roles at higher ed and in our community. So this is a worldwide effort, so it's not just higher education and it's not just EDUCAUSE and our partners. So yeah.
Jerry Tylutki: Yeah, Isaac, I think you're right on just the nature of having a month dedicated to any topic. If it's Cancer Awareness Month or suicide prevention month, putting a highlight on what to recognize and be aware of and having cybersecurity month be in October aligns really well with higher education. Just from our academic calendar, if we kick it off in July or August, we're not going to have as many faculty members or students on campus. They're not going to be focused on it. The fact that they come back at the end of August and into September, they're focused on kicking off their academic fall semester and getting through that, October lines up kind of perfectly for us in higher education where the new semester is kind of settled, everyone's ready to get into the monotony of learning, and now we're into what can we do? What else can we learn about? And that's really what Cybersecurity Awareness month is. It's being focused on learning what you can and can't do and how best we can protect you and help you do what you want to do.
Isaac Galvan: Yeah, there's a lot of new faces on campuses in that time every year. Every year campuses have a lot of turnover in the form of new students and new staff starting and exactly the timeline Jerry mentioned. So we get such a grand opportunity to touch base with folks and share with them some of the best practices that maybe they're familiar with, but maybe they're not. And we do introduce people a lot of times to password best practices and why they shouldn't use passwords between their personal and their work account, why that's a really bad idea to not have a unique password and those sorts of things that can have an effect on an institution and their personal life.
Jerry Tylutki: Absolutely.
Sophie White: Do you want to talk a bit about the individual users and their responsibility? So I'm thinking from the perspective of a student, it's their first year at an institution, they hear that there is a really robust cybersecurity team, so they might think, oh, I don't have to be worried about cybersecurity team. They've got my back. If there's any issue, they'll take care of it. Why is it important for that student to be aware of cybersecurity best practices?
Jerry Tylutki: Yeah, Sophie, I think that's a great question. The most important thing that those new students or any user needs to be aware of is if they see something, we have this kind of going around our campus. If you see something, say something, and we've known about this as a culture, it's kind of been embedded to us from a security standpoint, and we extend it to a cybersecurity standpoint because the last thing we want is, which everyone's very easy to, seems very easy to do, is if they're on their phone or on their laptop and something happens, they click a link and they put in a username and a password and nothing happens. We want them to be aware that that's not right. If it doesn't feel right, you need to tell someone about it. And that's really when new students come in and just like new faculty members, new staff members, as soon as they're hired, one of the most important things that they need to know about is just to tell us about it.
And by us, I mean the help desk, report it to someone, report it to me. I'm a team of one. So for me, the biggest thing I can do is rely on relationships and other people to help me out to help do my job. So if they see something, something feels off, then they need to send a message to let us know. And it's really, I'm happy to have a conversation with those people. I'm not going to, I hate that everyone assumes that a security person is going to slap their hand or shame 'em, make 'em feel like they did something wrong. And it's really like, no, I just need to know. So I will say, thank you for telling me you entered your password. Now I can take the next steps to secure it. And really, time is the most valuable component with any of these. So the sooner I can get a new student or a new employee in to understand that it's okay to make mistakes, we're all human, we all make mistakes, but when you make that mistake, let us know so that we can do whatever we need to protect the college and to really protect themselves.
Sophie White: That seems like such an important point. How do we build trust with the community so that they tell us when they think something might be wrong? Do you all have ideas on maybe why there isn't always that trust among users and kind of how we can work on building that more in higher ed?
Isaac Galvan: Yeah, I think one great strategy is to be visible with your community and to have a conscious effort to have regular communications about cybersecurity and privacy on your campus with the community, with the people who work there and who go to school there. And that is a big part of the goal of cybersecurity awareness. We talk about one month, but really the best programs have a regular schedule of monthly on an interval, whatever. Monthly is probably the best. That works for a lot of people, and that's a newsletter or a column or some consistent connection or that's always on the forefront of people's minds and so that they know what kind of things to look for and who to reach out to when that becomes important. That, as Jerry mentioned, the time is of the essence. So having that persistent and thoughtful communication. Another aspect of that is keeping track of those threats in your environment that you want to share with your community and communicate with them and just making sure they're aware of the issues. Every institution's a little different in their size and in their focus via Academics, research, even well as security teams also think about things like athletic programs and securing infrastructure and things like that. So every program's a little different, so knowing what you're trying to communicate to whom is very a big part of that.
Jenay Robert: I'm glad you talked about building trust with the community because I always come at these conversations from the other side of the equation. I am not a cybersecurity professional, but have worked in higher ed for a long time and multiple institutions and definitely on this side of that relationship, it has always helped me to view not just, I think this applies to other areas as well, but cybersecurity professionals, IRB professionals, procurement professionals, these people that we sometimes unfairly label as roadblocks in certain ways. It's really important for us to reframe that and think of you as our colleagues and people who are supporting our work, not trying to inhibit our work and trying to protect us and trying to protect our students and our institution. But that always starts with that relationship. If I don't know who the person is that I'm talking to or I don't know anything about that unit at the institution, I'm probably less likely to be able to start off with trust. So I love that you talk about being out there in the community
Jerry Tylutki: And a trust is, it's a two-way street. It goes both ways. And I think this is one of the underlying problems to obstacles that we face as security professionals is having the other person on the other side of the desk trying to deliver the academic commission or to take a class to know that we're not trying to stop them from doing that. We're trying to help them protect themselves. But I can recall one of the first security meetings before I came into higher education, I worked in security and industry and when everything was on or off, you were compliant. You were not compliant. There was no compromise. And when I came into higher education, the first meeting I sat in, I sat in the back and I was like, I'm not going to interrupt. I'm just going to listen to what everyone's talking about. And there was a table of eight technology professionals all talking about cybersecurity awareness training and how to get everyone to do it.
And they went on, in my mind, I'm building this out, but it went on for what seemed like 15 minutes of just tossing ideas around before I finally, I rolled my, I remember how this looks in my head. I rolled my chair for it and I was like, just turn their accounts off. And they all did this slow turn right it's October, cybersecurity awareness month, so it was like a Halloween movie. They all did that slow turn. They're all dolls and mannequin heads. And they looked at me like I had my head on backwards. And I think that was the first foray into understanding cybersecurity data privacy and higher education is all about compromise. It's all about understanding. It's all about having that conversation to build that trust. When I led a program to implement MFA here at Hamilton College, and I met with every single academic department, went and had a conversation with each of their academic department meetings because there was such concern that every student was going to have to pull out a cell phone in the middle of class and respond to a MFA prompt.
And it was all about that compromise. So that one, they knew who I was, they had a face, we started that trust relationship. I listened to their concerns and then I was able to tell them, no, that's not what we're doing. These are the reasons that we're implementing. MFA is to protect you. Yes, it means that you're going to have a second step in the login process and it will be a little bit slower, but it also means we can do other things down the line. Change our password policy now. So instead of requiring you to change your password every year, now you don't have to unless it's compromised. Right. So it's a give and take, it's an ebb and flow, and really it all begins and ends trusts.
Jenay Robert: I'm glad you mentioned that Halloween connection because I just got to do Halloween Horror Nights at Universal Studios for the first time this month. And it's for anyone who doesn't know, this is not a commercial, I don't get any kickbacks, but you go through 10 haunted houses and actually as you were talking about people turning their heads, I pictured there's a haunted house with all these scary dolls. And that's exactly what I pictured sitting around like a boardroom table making all those decisions.
Jerry Tylutki: That's what happened. I swear. It was just like that.
Sophie White: I was picturing them looking at you like Jack Skellington or something from Nightmare Before Christmas. But that was a great, I feel like I had a reaction to the story of just that head turn of, you're coming from industry. We can't just shut things off here in higher ed. And that's just such a great illustration of how you have to really understand the environment that you're working in and message things differently. And that trust building exercise too, I think we're doing so much remotely, but just the power of being visible and seen on campus is so effective in that way.
Jenay Robert: We do have a really different culture in higher ed. I mean, it's hard to identify many other places, industries, areas of where you can work that have such shared governance structures as higher ed. I'm curious how that complicates your lives when you're a cybersecurity professional. That shared governance piece must be a complicating factor.
Jerry Tylutki: Yeah, Jenay. It's funny, I think. Yes, yes and. That's one of my mantras when I'm working. Yes and. Yes, data governance, that kind of governance perspective of who is making a decision, who has the authority to say yes or no when you're a team of one, it's less complicated. I can have relationships with our senior officers. I chair our compliance committee and I also, I co-chair a member of the consortium of liberal arts colleges. There's 80 of our institutions, small liberal arts colleges that are part of this. And I co-chair our affinity group based on data privacy and cybersecurity. And if we meet monthly, we all come together and we talk about this. We've talked about governance not too long ago actually. When you're at a smaller institution, it forces you to wear multiple hats and also forces you to be out there. So in my role, I chair our compliance and risk management committee as well here on campus.
So I'm always talking with our senior officers. I have the trust from that recurring theme here. Trust again, my vice president trusts me that I can go and lead our programs the way I need to and I can make informed decisions. And he also knows that when we come to a situation, when we come to something like setting it or changing a policy or making, implementing a new system or a new service that will impact our end users, that I am going to reach out to the stakeholders, I'm going to reach out to those that are going to be affected. So I'm aware of what this might mean for our faculty members, what it might mean for our students and how we can best support all of them at the same time. And then leveraging that experience and then using my peers from all the other liberal arts institutions that I'm working with so that I can know what I have this plan. It may or it may not be successful, but I might know that someone at Denison or someone at Haverford has tried this already and this is the lessons they learned. And being able to rely on peers from an experience perspective is really helpful.
Sophie White: That's something that's really inspired me about this community every time I go to our cybersecurity and privacy professionals conference at EDUCAUSE just the fact that despite higher ed being an industry that is often the victim of cyber attacks, the fact that the community comes together, I think to brainstorm support each other despite limited resources is really incredible. And I'm curious, you mentioned obviously being a team of one, you have to do things differently. Jerry, how do you prioritize the threats that you're creating awareness around at your institution? And I guess how do you prioritize where you're spending your time? Because you obviously have to make trade-offs being a small team and not being able to do everything that a larger institution might be able to.
Jerry Tylutki: Yeah, you're absolutely right Sophie. And it begins with understanding that I'm going to have gaps in our program, and it's really just about minimizing those gaps and those risks. I use a risk-based approach. When I look at any of risks that I should say, I start with relying on others. I'm a team of one with the team of one comes relationships, comes with networking. I use Isaac as part of EDUCAUSE's cybersecurity program. I rely on, I look at, you mentioned cybersecurity, privacy and professional conference. I'm on that programming committee that's been invaluable from a networking perspective. And while I might go, I've gone to the conference a number of times and I will go and I will sit in an R1 presentation on how they have a team of eight working just on their security awareness training. And I might not be able to do everything that they can do, but I can definitely take the highlights.
I could take that back, those lessons, and I can come back. Last year I started a small, I hired two students to kind of run a student based information security program within Hamilton. So I'll take those lessons and I'll rely on my students. I have some external vendors consultants that I'll use. It's really being able to leverage their resources as well and to build a program. When I look at risks that if it's a penetration test, if it's a program assessment, I can look at the risks that are documented, I'll look at the likelihood versus the impact that that risk could have. Something that we talk about that a conversation from last year's cybersecurity professionals conference, a hallway conversation was around risk scores, where it was, what comes up in my head was kind of asking is that risk exploitable so many of the risks that come out through these automated scores, zero day vulnerabilities and stop me if I'm going too technical and I need to come up a little higher, I am always happy to come up for a breath.
But if we go out and you get a risk store, you get an audit report and it comes back and it says, here are three critical risks with a nine plus severity rating that need to be resolved right away, what this conversation was asking, but is it exploitable? Is it behind our firewall? Is it protected and mitigated already? So yes, it's a critical risk and it needs to be patched and remediated, but maybe that moderate, that medium risk that is publicly available, accessible through the firewall, maybe that's the one that we need to focus on because that is the way that an external attacker can get in and then move laterally. So it is really evaluating, taking a holistic review of what risks we have out there and then which ones we can close. And from a project perspective, you're right, I can't do anything without other teams being aware of it.
So it forces me not to be in a silo here at Hamilton. I can't do everything myself. I have to share information, I have to have hallway conversations. I have to be aware of what other teams are doing and then let those teams know what I want to do. So when I want to do a project, and I know it might be not until the summer of 2026, I'm having those conversations now so I can get on those teams project boards, so that come the summer I'm committed and we all have time to work for.
Jenay Robert: I actually really appreciate that level of detail in your answer because I think that gets back to the trust conversation we were having before in higher ed and everywhere. When you're in these siloed units, you don't know what other people are doing on a day-to-day basis. And sometimes it helps just to have a little glimpse into what that day-to-day looks like. If for no other reason, then we're all, now Jerry's a really impressive dude
Isaac Galvan: That cybersecurity Silo could be a pretty rough one to get out of. And we try to work with programs and people who are building bridges between cybersecurity and other functions in higher ed that need to understand, say for an instructional designer who wants to bring a new tool into their teaching, we need them to understand that by doing that, they may be introducing a cybersecurity or privacy issue. So there's a lot of different ways that we can build that bridge to campus. And just by going around and talking to folks and being part of the discourse, even in areas where you might not think cybersecurity should necessarily be part of, there might be things that they need to be aware of or need to start thinking of at the start of the process. So I'm so glad that we have the ability to get together and talk about all these diverse ways that cybersecurity needs to be part of the conversation.
Jerry Tylutki: Yeah. Isaac, I think you said you're leading me to the magic words of artificial intelligence. I think whoever had, what are we at 25 minutes, whoever had that, go ahead and you win the prize. I think that's exactly right. It's creating guardrails around what the experimentation and innovation around AI could mean. And yes, here at Hamilton, we want you to, and I think every college we want you to explore, we want you to challenge, we want you to do your research and really look at exploring ways that you can use artificial intelligence to better operations or make yourself more efficient or respond to that email and tell the person on the other end what you really feel. But then hey, have AI say what you should say instead or really trying to understand what the ethical, what the institutional, what the academic guardrails need to be around the awareness of knowing what artificial intelligence is and what data you can put into it and what that means with just a general awareness.
Isaac Galvan: Yeah, it's so important. All the decisions that everybody makes every day, who's working and these institutions to protecting our data.
Jenay Robert: So when it comes to the cybersecurity awareness month, are there some AI specific topics that people are trying to raise awareness about for this month? Are there other hot topics that are perhaps rising to the surface more this year than they have previously? Other new threats that you all are trying to raise awareness about?
Isaac Galvan: I've been on a couple of calls in the last couple of weeks where we've really talked about a new, traditionally accounts got stolen by someone using a phishing attack, sending a link to a bad login page. We've all seen it. These days. A lot of attackers are now starting to try to get through the help desk. So they'll call into a help desk impersonating somebody else trying to gain access to their account. And this is something they might try 3, 4, 5 times on the same account and getting different people. And so this is a problem that a lot of our communities are starting to think about. So really something that every institution should be considering is how do you validate that the person on the other end of the phone is who they say they are? And I don't want to give away all the beans. There's a lot of different ways institutions are looking to do that and they try to keep 'em kind of close to the chest, the kind of stuff attackers would want to know, but come talk to the community and learn all the different ways we're addressing that. And so that's kind of a new one that we're seeing in the last few years.
Jerry Tylutki: It's one I'm interested in and talking with not only peers and colleagues, but also vendors at EDUCAUSE annual coming up in Nashville in a couple of weeks. I think there's going to be a lot of services, a lot of conversations around this topic because unfortunately where AI can make us a lot more productive, it also makes us a lot more susceptible. Some of the processes that we've had in place to verify the identity of the person on the other end of the line. Those might not be as secure as they have been in the past.
Jenay Robert: Yeah, I want to know why I still have to check boxes to prove that I'm not a robot because AI can do that now. So why do I still have to jump through those hoops?
Jerry Tylutki: Jenay, I wish I did
Jenay Robert: Question. No pressure.
Jerry Tylutki: I wish I didn't have to push those buttons anymore.
Sophie White: It's not always as easy as I want it to be. No, it's not. I have to select the fire hydrants or whatever, and there's a corner into the next box. It's true.
Jerry Tylutki: I will say in week two of cybersecurity awareness month, the highlight is on passwords and password managers. And so every week with each week of the cybersecurity awareness month, I send out an email to our community letting 'em know what the focus of that week is, letting 'em know some tips, tidbits, little helpful hints that they might have. And today, when I mentioned the password manager, I always like to give a practical reason. Some example of how I use one, and I've been using one for probably the better part of eight years now, give or take two, so whatever, six to 10 years. But I realized today I have 749 accounts in my password manager, which I had to go through. I was scrolling, I was like, that can't be right. I don't have 700. But the reality is, anytime now when I go to a new website to register for an account, my password manager pops up and is like, do you want me to generate a password?
And I'm like, yeah, I do. And then I'm never going to know that password. I can set restart. In fact, I get annoyed now when the website comes back and tells me my password is too long or I can't have special characters. I was like, you want me to make it less secure? Maybe I shouldn't even register on your account, but I really want that belt or those shoes, so I'm going to, anyways. I think just having that general awareness. We talked about a little bit on how we can build trust, and here at Hamilton phishing emails is one of those avenues that I've done. I've had conversations. Everyone feels like I'm always tricking them. So I've changed up this year and I've now switched to educational phishing emails where the subject is blatant and it says phishing simulation, and then in giant red text in the middle of the phish, this is a phishing simulation. You'll click the link to see what it might look like when you get prompted to enter your password. And really, that's all I want. I want people to be aware of phishing, what a phishing email might look like, what it might look like today, what it might look like tomorrow.
One of my favorite stories to tell is when I sent up first phishing email a campaign, it was right after a security awareness training that I did in person. And this was a couple years ago. And I said, just to let you know, I'm sending out a phishing email later. And I didn't tell 'em when. I just said later this week. And I got an email from someone that was in that training the next day and they forwarded me a phishing email and they said, ha, ha, ha, this time Jerry. And I was like, that's not even my phishing message. I didn't even send it yet. It was a legitimate phishing message and I loved it. If I could tell everyone that I'm going to try to trick you. And then they send me all their phishes like, great, I'm doing my job and we're more secure. And that's really what it's about. It's awareness. It's not cybersecurity tricking month, even though it's Halloween in October. It's cybersecurity awareness, and that's what it's all about.
Isaac Galvan: I have seen a lot of programs integrate costumes into their cybersecurity awareness though. So if you can get away with it, and maybe some people are bringing their costumes to annual next week, I don't know, it's close to Halloween, so we'll see what people do that.
Jerry Tylutki: I saw a couple where the mascots were getting kidnapped or aliens were abducting them. Maybe I need to step my phishing game. My awareness came up a bit. I didn't do any boring emails and a tabletop thing with cider donuts.
Isaac Galvan: We have been seeing a lot of creativity from the cybersecurity awareness communities and escape rooms and virtual experiences and interactive fictions and things like that to help spread the awareness beyond the traditional phishing simulation. So love seeing that creativity from people and love hearing those stories about how impactful, and I've seen some of these things that take off and get experienced by thousands of people at a campus, and I think that's a pretty good day for a cybersecurity program. So spreading their message. So if there's so much creativity going on in that area right now,
Sophie White: Yeah, it seems like at its best, it can be a way to bring the community together against a common foe, which is the cyber attackers. I know just thinking about the reward system of Jerry finding that you told someone there would be a phish, and then were thrilled to find that they sent you a real phish. I've always loved when I correctly identify a phishing email, and then it sends me a nice little popup that I successfully found the phish. And it's kind of the carrot versus the stick approach. But I was thinking about it kind of in context of I caught a phish in my personal email recently and just thinking about our role in higher education and cybersecurity awareness month being so important to protect the institution, but also as an institution, training future citizens of the world who will be interacting in digital spaces for the rest of their lives. It's just so important to make sure that students understand, and faculty and staff too who are on the internet all day understand all the threats out there and how they're changing. So I think as stewards of that information, you all are so important too, for just overall success as a sector.
It's not necessarily a question, but just I'm inspired by the work that you do. So thank you.
Jerry Tylutki: Well, thank you, Sophie. I appreciate that. I want to echo, I get the same personal attacks, and my favorite is when I have, I dunno about all of you, but as the second I went into anything with technology, I realized that I became the help desk for my family and my friends as well. And so I'll get a email forwarded or a text message forwarded from an in-law or a sister or a friend being like, Hey, is this a phishing message? And I'm like, yes, you don't know that person. Hey, if you need it, if you're questioning it, if it looks legitimate, call a number you know and verify. And my favorite, just this past summer I had someone reach out to me and they're like, they got this. Even the text message saying that a purchase was fraud and to call this number. And I was like, well, that seems pretty suspicious to me. That sounds like a text phishing, so you should probably call your bank and let them know. And they called the bank. And long story short turned out that it was the bank messaging them from a different number that they had never set before, but just making a phone call. They were able to verify that it was legitimate, and turns out their credit card was compromised, but they got rid of the fraudulent purchases, which happy, happy ending to a story.
Jenay Robert: I'm wondering if in current cybersecurity awareness is there more education about how our voices can be simulated? Our likenesses can be simulated on video. And what inspired me to ask this question is because I actually not so long ago asked my mother-in-law to have a verbal conversation with ChatGPT because I wanted her to firsthand experience how realistic that can be. And my voice is on this podcast, I present at conferences, and I really needed her to understand that there absolutely could be a computer talking to you and seem like a real person. And that was a really interesting experience for her because she was really surprised that it seemed like a real person. So that hands-on was helpful. I'm just curious if there's anything in that neighborhood of, hey, if you get a call from the provost saying, I immediately need you to do such and such, that that might not be real.
Isaac Galvan: I think your approach is right on Jenay. It's grabbing the bull by the horns and doing a good demonstration. I've heard one thing that I heard in order to help expose people to AI and some of the threats there is introduce them to say a chatbot or an audio to text to speech generator and then get it to lie to them. Just get it to lie to them. Say something completely false, incorrect. And that really helps people understand that these technologies can be used for telling lies and spreading falsities. So getting ChatGPT, it's not hard to get ChatGPT to say, or any provider not to pick around one, but to get to say something false and breaking through that veil. And I know the text to speech and deepfake technology can also be used really easily to make things that someone will know is not true. And that really kind of breaks the spell, I hope. I hope that's successful. That's one technique I've heard of.
Jerry Tylutki: Yeah, it's a growing concern. Being able, where we always trained our users to look at an email and look for missing punctuation or grammatical errors, same thing, right? When you're having a conversation and you're questioning if it's AI, question the question on the video, right? Question, whoever you're converting with look for for little glimpses, what hallucinations that might come in there. It's a challenge that's ever forward facing. It seems like in security, we're always reactive instead of being proactive. And even in our best cases when we are thinking we're proactive, we're still being reactive to something. And so in this, Jenay, you mentioned the better videos, the better simulations.
We're proactive about it, right? We're forward facing and we know we're going to have to change our policy and our procedures to verify the identity of the person, but it's still reactive to the fact that we're reacting to what generative AI can do and the steps that it can take. And when we start looking at agentic AI and the different ways that decisions that it can now an action that it can take instead of just being a prompt, I think that's where it really starts to get scary. And I hate being the echo chamber, but it's about awareness. Before it was having a conversation about an insider threat and knowing that an insider threat might be your student researcher. It might be that employee next to you who just walked away from their computer without locking it and leaving papers out on your desk. And when you leave for the day, just because it's termed one way. When we look at artificial intelligence and we always look at the positives, the efficiencies, the good things that can bring us the fact that as a team of one, I can now be way more productive operationally from a cybersecurity perspective where I can leverage AI tools to do things for me. Now I have new tools targeting me as well. So it's a challenge.
Sophie White: Yeah, I found staying up to date, it's humbling. I think every time we do our EDUCAUSE cybersecurity awareness training, which I think is once a quarter, I go in and I'm like, oh, I feel pretty good about this based on talking to our community. I've done some of the foundational work. And then every time it's like, oh, there's this new cyber attack vector. There's this new strategy based on AI that I've never heard of before. So I think just all of us making sure we're communicating about what we're seeing in the field and being open to new information is so important in this space. So I think we have to wrap up soon and would just love to hear from both of you, Jerry and Isaac, about if there's one actionable tip that you would encourage institutions to take right now during Cybersecurity Awareness month to keep their institutions more secure. So if there's one thing that you want to leave our listeners with, what would that be?
Jerry Tylutki: Isaac, if you don't mind. I'll take the first one. I think that the biggest tip I can kind of keying off what we just said, realizing that everyone is a person, they're human. And I have a really good friend that I used to work with and he was adamant that he was good at information security. He knew data privacy. And I sent him a test phishing message just when I first got access to the platform and it was something about a change to vacation policies. And he fell victim to it. And he logged in to look at the document and he came down the hallway afterwards and he had in hand, and he was just saying, I'm sorry, but it was not a big deal. And he goes, it was just any given moment. And he goes, I had just got off the phone with HR talking about vacation or something.
And he goes, and you didn't even think about it, just follow the link. Clicked on it. And it's understanding that everyone is human. And pick up the phone, have a conversation, walk, take the time to walk across campus and meet with people so that they know who you are. You know who they are. At least not yet. We're not robots. We haven't been, if you see me in person in a couple of weeks in Nashville, it's me. I'm real. I'm not a fake person yet. And you can engage with me. You can have a conversation. And that's what I think we need to do with everyone.
Isaac Galvan: And I'll mention, I think one thing I would take away, and I think it's cybersecurity awareness month. I'll give a practical tip. I think don't reuse passwords. I mean, that's such a big way that things get mixed up and accounts get compromised, and things spread around. Reusing passwords between systems and your personal accounts and other accounts. Just one of the core things we talk about during cybersecurity awareness month, and it's such a simple step. So Jerry, I applaud you in your 749 passwords. That's really a valiant effort to never reuse a password ever. So yes, I love it.
Sophie White: It's a great tip. The National Cybersecurity Alliance has four tips for this month, and we have some resources at EDUCAUSE that came out in October 2025. Isaac wrote an article about cybersecurity awareness month and recorded a video. We have some other great resources in EDUCAUSE review from the community about what they're doing at institutions, but I'll say they're really promoting the core four through this cybersecurity awareness month. So using strong passwords in a password manager, that's how you get 749 passwords. There's no way you'd ever remember all of those. Turning on multifactor authentication, recognizing and report scams, that's a lot of what we talked about today related to trust. Making sure that you're creating that trust so that folks are reporting those, and then updating software too. I know that after hearing that, that was a core element. Whenever I get that little red notification in my right hand corner of my screen to make sure that you're updating things so that the software is up to date and secure, I think this is a great place to end it. Any last thoughts before we wrap up? Thank you for the great conversation everyone.
This episode features:
Jerry Tylutki
Director of Information Security and Privacy
Hamilton College
Isaac Galvan
Community Program Director, Cybersecurity and Privacy
EDUCAUSE
Jenay Robert
Senior Researcher
EDUCAUSE
Sophie White
Content Marketing and Program Manager
EDUCAUSE

