We are awash in cyber-insecurity. From the recent breach of federal employee records affecting an estimated 22 million workers to the theft from retailers of tens of millions of credit card numbers to phishing scams at BU, it seems no one can stop hackers and online frauds.
Yet government, businesses, and nonprofits recognized the threat long before these recent incursions. October marks the 12th annual National Cyber Security Awareness Month, designed to highlight security procedures to make the information superhighway less prone to info-hijacking. Last week, BU’s observance kicked off with the annual collection by Information Services and Technology (IS&T) of hard drives for disposal, along with some old-fashioned paper shredding to protect sensitive printed information.
Eric Jacobsen (CAS’93, MET’03), interim director of information security, also wants to publicize IS&T’s archived “blasts” of security bulletins, which contain relevant advice for protecting yourself online. He spoke about security with BU Today.
BU Today: How serious a problem is cybersecurity for BU students and staff?
Jacobsen: As we put information about ourselves onto computers and networks, it’s important that we understand not only the benefits of doing so, but the risks as well. The most common protective control on data is a username and a password. The strength of that control is directly dependent on the person who has the knowledge, and phishers prey on that human element. Universities are definitely a major target for phishers because of their large, ever-changing populations and open environments. They use a variety of tricks, from fake mailbox quota messages to imitation web portals to phony invitations to access shared Google documents, in hopes of luring people to give up their credentials. Technology can protect us only so much; we must all share in the responsibility of protecting the passwords we have and thus the information the passwords protect, whether it is our data or data about others that we are entrusted with.
As a reminder, IS&T will never ask you to email or recite your password.
Another major issue facing our community is malware—software that has malicious objectives, like stealing information such as passwords or altering the behavior of the system. Someone with a malware infection might see advertisements directly in their operating system, receive warnings from programs they didn’t know they had installed, or find messages posted on Facebook or tweeted out that they didn’t write. The most malicious of the malware is ransomware, which will encrypt files on a computer and require the owner to pay a ransom to regain access. In some cases, paying the ransom isn’t even effective—the victims end up out of money and their files.
If you think your system is infected with malware, the best thing you can do is to reach out to BU’s IT Help Center. Their staff can assist any BU community member with detecting and recovering from a malware infection, as well as provide free antivirus software to help prevent further infection. They can also provide you with resources for backup software that will help ensure your data can be recovered from more malicious attacks like ransomware. In addition to in-person assistance, their website provides a wealth of information on both prevention and recovery from viruses and malware. Of course, the best way to recover is to avoid the problem to begin with: be mindful of the phishing attacks and the unsolicited advertisements for software to fix your computer, and think twice about opening attachments in emails sent by strangers.
Are there other security events IT is sponsoring this month to promote cybersecurity awareness?
We are working on a few virtual items, like an awareness survey to help our community test their knowledge of security best practices and the services we offer. We also have our Information Security website, where we have posted information about things everyone can do to keep their computers, phones, and digital identities safe.
What vital security measures has IT implemented recently, and will there be additional ones in the foreseeable future?
Duo, the two-step authorization now required for employees viewing BUworks data, is certainly a major success story for the University, and many other higher education institutions are now following in our footsteps and using us as a model for how to implement the system. We are undertaking a major initiative to improve the firewall and intrusion-prevention capabilities of the campus in the coming year as well. These improvements will help keep our community safe while they use the internet by providing more active protections from malware and malicious actors.
In past years, about how many people have availed themselves of the shredding and hard drive disposal services?
We have been running the shredding and hard drive disposal event since 2011. While we haven’t counted the number of people who have attended, we do know that we have eliminated as much as two tons of paper in a single year. That is over 400,000 sheets of paper that were removed from filing cabinets and desk drawers around the University in just one year. Last year was particularly successful, with some departments sending vehicles loaded with paper to us to shred.
In addition to paper, we collect dozens of hard drives for destruction at these events, which ensures that the trillions of bits of information that they contain are destroyed rather than being left around to be discovered.