Illustration by Thecla Li/ THE CHIMES
(This story was originally published in print on Oct. 17, 2019).
With cybersecurity threats on the rise, colleges and universities around the country have seen an increase in data breaches. An attack at the university level could result in massive data loss, which corresponds to massive financial loss, and a loss of the school’s reputation, according to Anthony Valentino, Biola’s director of systems and information security.
This was shown in the attacks on Regis University and the Stevens Institute of Technology in August of this year, resulting in a full shutdown of their internet, emails and website. While Biola itself has not experienced any university-level breaches yet, the Information Security team sees no reason to wait.
“We just need to get in the mindset of: ‘A couple simple things could really protect my information and protect my identity,’” Valentino said.
The Information Security Program was launched last October, coinciding with last year’s National Cybersecurity Awareness Month. Valentino and his team decided to focus on three goals for the first year: awareness, training and simulated phishing.
Awareness is addressed through the information security website, which is updated monthly with articles on topics like smartphone security, passphrases and data backups. They also began an annual training program for staff and faculty, followed by a phishing campaign last August. All staff and faculty members were sent phishing emails, which are emails sent with the purpose of tricking the recipient into releasing private information. Results showed that 79.5% of Biola faculty passed the test, which is higher than the industry standard of 74%. However, this still leaves 20.5% of staff open to phishing scams.
Valentino expressed reasonable satisfaction with this result, though he and his team will continue to work at lowering the susceptible percentage through strategies like pop quizzes and additional training sessions. He says that the number of phishing inquiries rose after the training sessions, and an increasing number of staff and students have been checking the information security website, both of which reflect a heightened awareness of information security.
“Staff, faculty and students have been very understanding and very supportive of us,” Valentino said. “We’ve got a great community here.”
Biola has also taken steps to ensure the security of third-party vendors after the Google Docs scam that successfully phished almost 500 Biola students in 2017. Vendor contracts are handled by legal and risk management teams in partnership with the information security team, which looks at data protection and accessibility. They ask the vendors questions about which data they want, where it will be stored, who it will be accessible to and how it is protected, Valentino explained.
The team already has many safeguards in place to protect students and staff from breaches, but looking toward the future, Valentino hopes to implement other safety measures like multi-factor authentication, continuing the awareness campaigns, developing more firewalls and utilizing computer-made information logs to identify common phishing sources. He listed a few steps that students can take to be proactive in preventing cybersecurity issues now.
Red flags students can watch for in phishing emails include provocative or scary messages that urge them to “act fast,” misspellings, awkward greetings and unusual URLs. Any email that asks for passwords or other private information should always be regarded with extra caution, as Valentino stated that IT will never ask for any passwords.
Another prevalent privacy issue is what students post on social media. Minimizing the information shared on the internet will also help a lot, since no one can completely control who sees their posts. For example, it may seem innocent to post about your vacation on social media, but it could also lead to a robbery because you’re away from home. In general, Valentino advised students to “keep what’s private, private.”
“We can get lackadaisical in just the basics,” Valentino said. “Walk through the library sometimes and see who leaves their computer on a desk and just walks away… All those things are well-intentioned, but we have to be on guard sometimes. We have to be aware.”
Another specific measure students can take is to enable 2-factor authentication for their email accounts, which is an extra level of security. Typically, it is the combination of two out of three factors: something you know (password or security questions), something you have (a verification code sent to your phone or another email), or something you are (a fingerprint). An example is a password for an email account and a verification code sent to the user’s phone. Valentino says this extra step will decrease phishing risks substantially.
“It’s easy to not think about it. But I think it’s easy to implement, too,” he said. “It’s kind of like a smoke alarm at home. Yeah, it costs a little money, you’ve got to put it up, change the battery every year. But once you do it, do you really think about it? And are you protected? You are.”
Steps to stay cybersecure
Avoid scary emails that say “act fast” or that have unusual URLs.
Don’t reveal too much on social media. “Keep what’s private, private.”
Don’t leave your computer unattended, even in “secure areas.”
Enable 2-factor authentication for your email account.
Ignore emails that ask for your password. Biola will never ask for your password.