Category: Security

Stay Secure while Cyber Shopping


Black Friday and Cyber Monday are the biggest shopping days of the year. When you’re looking for the best deals online, keep these cybersecurity tips in mind:

  • Stay secure—Look for the lock in your browser’s address bar or https:// in the website address
  • Don’t give away unnecessary personal information
  • Avoid mobile purchases from unknown sites—Stick with a site or app you regularly use
  • Read reviews about the seller—Scams are often uncovered by their victims as fast as scammers create them
  • Use a different password on every shopping site—If an online retailer is hacked, your login information for other sites will stay secure
  • Avoid clicking on links in unsolicited emails and be wary of email attachments

How Can Higher Ed Better Prepare Cybersecurity Students for a Hot Job Market?

Behind every new report of a data breach, data leak, or computer hack is a company scrambling to put out the fire, which is great news for job seekers or soon-to-graduate students with cybersecurity skills. Unfortunately, this is bad news for most companies because there is currently an imbalance between the supply and demand of skilled professionals to address these vulnerabilities.


The 2018 (ISC)2 Cybersecurity Workforce Study estimates a global shortage of cybersecurity professionals of around three million workers. This shortage of skilled job seekers is having a real-world impact on companies and the people responsible for cybersecurity at those companies. The study also points out that Gen X and Baby Boomer workers make up about half of the current cybersecurity workforce, leaving many entry-level opportunities for new college graduates and pathways for growth as these more experienced workers approach retirement age.

The need for trained cybersecurity professionals is not going to go away. The US Bureau of Labor Statistics projects a 28% growth in US employment for cybersecurity consultants between 2016 and 2026. How can we help our students go beyond the theoretical concepts taught in computer science or cybersecurity classes and make themselves more attractive to future employers? We need to take the lead to encourage students to take the initiative to learn more about current issues in cybersecurity and take advantage of the many cybersecurity resources available.

Here are some ways you can help your students and contribute to narrowing the cybersecurity skills gap:

  • Hold informational sessions on cybersecurity. Help spread the word on your campus about the cybersecurity skills gap and job opportunities. You could ask your CISO or information security team to conduct a cybersecurity seminar or invite local experts to share their knowledge and expertise with your students. The Enterprise Security Team at The Ohio State University has already implemented this idea, and they sponsor an annual and free on-campus Cybersecurity Days event to expand knowledge of security and data protection for their entire college community.
  • Sponsor or encourage membership in student associations. There are two student cybersecurity organizations for your students to explore—National Cybersecurity Student Association and Women in CyberSecurity (WiCyS). The National Cybersecurity Student Association has a number of resources on their website, and you can sign up for their newsletter or follow their Snapchat account to view a day in the life of a cyber student or industry professional. The WiCyS is dedicated to bringing together women in cybersecurity from academia, research, and industry to share knowledge, experience, networking, and mentoring. You can also explore setting up a local WiCyS student chapter on your campus.
  • Offer campus internships. In addition to knowledge of advanced cybersecurity concepts, the most important qualification for cybersecurity employment is relevant work experience. You can help your students by hiring them as interns in your institution’s information security department. This offers students real-world experience while providing supplemental staffing for your department. For suggested qualifications and responsibilities, use the Information Security Intern Job Description Template on the EDUCAUSE website as a starting point.
  • Identify scholarship opportunities. The CyberCorps: Scholarship for Services, funded by the NSF, provides up to $22,500 per year for undergraduates and $34,000 per year for graduate students. In return, students commit to work for a federal, state, or local agency for a period matching the length of their scholarship. The Cyber Security Degree website provides a comprehensive list of additional cybersecurity scholarships and other career resources.
  • Encourage students to deepen their knowledge. The NICCS Education and Training Catalog is a central location where cybersecurity professionals across the nation can find more than 3,000 cybersecurity-related courses. Anyone can use the interactive map and filters to search for courses offered in their local area to add to their skill set, increase their level of expertise, or earn a certification. You could also direct your students to take advantage of the free online courses offered through edX, the US Department of Homeland Security, Cybrary, or SANS Cyber Aces Online.
  • Attend cyber competitions. Institutions with an information assurance or computer security curriculum can give their students an additional way to hone their skills and have fun by participating in regional events hosted by the National Collegiate Cyber Defense Competition (NCCDC). The top regional teams can then go on to the National Championship, which was won by University of Virginia in 2018. Another cybersecurity competition for high school and college students is the National Cyber League (NCL), a defensive and offensive puzzle-based, capture-the-flag style competition. All participants play the games simultaneously and are tested with real cybersecurity challenges they will likely face in the workforce.
  • Participate in cybersecurity conferences. Students may be interested in the educational and networking opportunities from attending the annual conferences for the National Cybersecurity Student Association or Women in CyberSecurity. For additional conferences in your area, InfoSec publishes a comprehensive list with hundreds of cybersecurity events in the United States, Europe, and Asia.

Campus Security Awareness Campaign 2019

This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. The campaign is brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC).


The IT Team Can’t Do It Alone—Cybersecurity Is Everyone’s Responsibility

Higher education institutions use lots of data every day. Payroll information, health insurance information, payment card information, and student information that includes financial aid information are just a few of the most sensitive data elements that are shared. These data elements are shared within institutions and with the vendors we do business with daily. It is not just IT departments that need to understand the information security requirements needed to protect these data. Every department that uses data needs to understand how to properly secure the data entrusted to it. Information security is a shared responsibility, and we offer the following tips to share with your campus community.

Did you know?

In 2017 the education industry (which includes K–12 and higher education institutions) had 7,837,781 records breached in 35 events. To put that into perspective, the healthcare industry had 6,058,989 records breached in 428 events, and the retail industry had 123,652,526 records breached across 33 events. (See Privacy Rights Clearinghouse Chronology of Data Breaches, 2017 data.)

More than half of the breaches in the education sector were caused by activities directly attributable to human error, including lost devices, physical loss, and unintended disclosure (see figure 1). These breaches were arguably preventable through basic information security protection safeguards.

Figure 1. Types of security breaches among educational institutions

What can you do every day to protect data?

Very few verticals, if any, transmit, process, access, and share sensitive data elements as varied as those in higher education. There is not a “one size fits all” blueprint for information security controls that all institutions can follow. Yet all campus members have a responsibility to know basic information security protections to safeguard data and prevent those data from being mishandled:

  • Update your computing devices: Ensure updates to your operating system, web browser, and applications are being performed on all personal and institution-issued devices. If prompted to update your device, don’t hesitate—do it immediately.
  • Enable two-factor authentication: Whether for personal use or work, two-factor authentication can prevent unauthorized access even if your login credentials are stolen or lost.
  • Create really strong and unique passwords: Create unique passwords for all personal and work accounts. In today’s environment, one of the best ways to create a really strong password is to use a password manager for all of your accounts. A password manager will alleviate the burden of having to memorize all the different complex passwords you’ve created by managing them all in one “vault” and locking that vault with a single master password.
  • Protect your devices: Using biometrics or six-digit passcodes on smartphones and tablets is critical to keeping curious minds from accessing personal information, work email, or retail/banking applications. It also helps protect your device if you lose or misplace it.
  • Understand where, how, and to whom you are sending data: Many breaches occur because of “oopsie moments” where we accidentally post sensitive information publicly, mishandle it or expose it to the wrong party by publishing it online, or send it in an email to the wrong person. Taking care to know how you are transmitting or posting data is critical.

Getting ready to send data to a vendor or sign a contract? With more and more services moving to the cloud, higher education institutions have an additional obligation to ensure that third parties are protecting our most sensitive information. If you or your department is looking to purchase or adopt a service or technology that uses institutional data, it is imperative that you include information technology at the beginning of the project or contract process to help ensure that data are properly protected. To determine whether or not IT should be involved in the vendor/contract process, ask yourself the following questions:

  • Does the project (and in-scope technologies) involve the handling or storage of personal data (e.g., student data, employee data, donor data, research data, or financial data)?
  • Does the project (and in-scope technologies) involve the handling or storage of personal data that is regulated by government entities or has special contractual obligations to a third party (e.g., contract sponsored for research)?
  • Is there transfer of any institutional data from an institution-owned system or device to a third-party vendor-contracted system or device?
  • Does the project involve acquiring/implementing/developing software, services, or components that your institution has not previously deployed?
  • Does the project involve providing a new data feed to an existing campus partner?
  • Does the project involve accepting card payments in any way?

If the answer to any of the above questions is “yes,” collaborate with your IT department at the beginning of the project to ensure that institutional data are properly protected.
