What You Need to Know to Protect Your Cybersecurity
Some suggestions from BU’s director of information security and free shredding scheduled this week
October is National Cybersecurity Awareness Month (NCSAM), a collaborative effort of the US government and the cybersecurity industry to promote awareness about the resources individuals need to be safer and more secure online. The message of this year’s campaign is focused on citizen privacy, e-commerce security, and consumer devices: “Own IT. Secure IT. Protect IT.”
Not a week goes by without some new headline about a massive cybersecurity attack or data breach, whether it’s a health services corporation, a collection agency, or a retail operation. And with growing privacy issues surrounding social media sites like Facebook and the increasing ransomware attacks that have hit communities nationwide, it’s hard to know what you can do to protect yourself online.
The purpose of NCSAM is to point out the dangers of these attacks and breaches and the steps to take to safeguard your information. Along those lines, BU Information Security & Technology is partnering with sustainability@BU to host a series of Fall Shred events on both the Charles River and the Medical Campus this week: Tuesday, October 8, in the Kenmore lot (549 Comm Ave), Wednesday, October 9, in the parking lot behind Agganis Arena, and Thursday, October 10, in front of the Talbot Building, 715 Albany St., on the Medical Campus. Students, faculty, and staff are encouraged to bring their old hard drives, notebooks, and personal documents for shredding.
We sat down with Eric Jacobsen (CAS’93, MET’03), BU’s director of information security, to talk about steps the University has taken to protect the online presence of students, faculty, and staff and to ask for some tips on what you should—and shouldn’t—do to ensure your cybersecurity.
With Eric Jacobsen
BU Today: What measures has IS&T taken to protect BU, and is there anything in the works to increase that protection?
Jacobsen: Information Security does a bunch of things to protect the community at all times. Our overall mission is to help the University protect the sensitive data that it has in its care, and to help the community understand what the cyber risks are and what they have to do in response to those things.
We have a cybersecurity operations component that provides a variety of services, such as supporting compliance assessments for the administration, supporting Research and their compliance requirements, helping design and implement secure services. Most of those don’t get seen by the community, and there are some that are really invisible, like the work we do with network firewalls, scanning for vulnerabilities, monitoring for bad things that happen on our network.
The biggest, most outward-facing service I have in my care is Identity & Access Management, which controls how you get access to everything here on campus from the moment you authenticate to one of our services with a password: to courseware, Student Link, whatever information you need to access at the University. That’s our most visible piece that people touch, but they don’t spend a lot of time thinking about it until something goes wrong, and then it’s high visibility and we do a lot of work to fix those kinds of things.
Finally, the third piece we have is a cyber incident response capability. If something does go wrong, that’s the team that will jump in and find out what happened, find out if there was a breach, and handle the response to that.
Is the issue of cybersecurity becoming more urgent?
It is certainly much more in the public eye than it used to be. The amount of data that we’re putting into our networks and into services that we give to Facebook and other institutions has made this a more important issue to people. There’s a lot of attention to data privacy, what companies know about us and what they share with other people, and how they are using that data. Having good data privacy requires you to have good data security first. So that’s driving a lot of what happens with my industry.
What are the most common mistakes people make that end up putting them in danger online?
From the University’s perspective, our single biggest problem is user account compromise—people responding to phishing messages. Phishing is when somebody sends you an email and tries to convince you to send them personal information, your password, or both. They use a series of standard tricks for doing that: pretending to be somebody that they’re not, trying to convince you that this is urgent, that you need to respond to this today or your account will be disabled, or that something bad will happen to you. The impact of that urgency is that it overrides our common sense. We think, oh my gosh, I can’t think about this, I just have to respond to this message or I’ll lose something that’s important to me. There’s a lot of telephone scams that are doing this now—phishing is the email version of this. The difference in phishing is that it’s virtually free for the attacker. And it succeeds.
When I think about, is there one thing people can do—it’s to be vigilant when they look at their email, when they get these emails that say, “You must do this right now.” Think about whether or not that’s really true. Do you know who sent you the message, were you expecting the message in some way, does it make sense? And then, does the urgency make sense? Anything that asks for your password is a hoax. You need your password—we don’t need it.
What steps should someone take if they believe they’ve been hacked, and how can the University help?
They can reach out to our IT Help Center, and we will help walk them through what to do. The process looks a little different if you’re a student or a faculty or staff member, but the Help Center can be that first point of contact. They come in through our incident response team, and we will help triage the situation. If it’s a case of phishing, they just need to change their password, and they need to change it immediately. But any sort of security concerns someone has, they can bring directly to my team through BU InfoSec or the Help Center and we’ll work with them toward whatever the appropriate resolution is.
What do you think is the biggest misperception people have about cybersecurity?
We all like to feel secure in our lives, and so we assume we have a lot more [security] than we do. Social media is built on the idea of sharing, and we share a lot of information very readily to a very large audience. And that is great—Facebook is a wonderful tool for my family to help keep track of what’s going on in my life. But I think very carefully about the information that I share there. We need to figure out how we as a society want to use these technologies, what we should be sharing and with whom. That Facebook post I write and put up on my page is visible to me and my friends, but it’s also visible to Facebook corporate. And they can do whatever they want with that information. That’s the data privacy challenge that the world is starting to wrangle with.
How does the University stay abreast of such a rapidly changing landscape, with security threats coming from so many different directions?
It is certainly a challenge to keep up with the fast rate of change in technology, the fast rate of security threats within that technology space. And it is something that BU and all institutions are struggling to keep up with. The answer is to build systems and processes that are nimble enough to keep up with that change. The IT industry historically has been about long, slow deployment of services. We need to work to make that happen a little more quickly, and to keep up with the times. We just need to become more nimble.
What are BU and IS&T doing to help promote awareness for cybersecurity during National Cybersecurity Awareness Month?
We’re implementing NCSAM here on campus in several ways. We’re going to send a weekly email throughout October covering a bunch of security topics, things like passwords, phishing, device security, travel security, online privacy. We’ll put up new website content, update our Facebook and Twitter feed. We’re doing paper shreddings this week, which are particularly popular with the offices that collect a lot of paper records, but students are welcome to use the service as well. If they’ve got notebooks they want to shred, old personal information such as bank records, whatever they’ve got, they can bring it for shredding.
IS&T’s 2019 Fall Shred events are being held this week on both the Charles River and the Medical Campus: Tuesday, October 8, at the Kenmore lot (549 Comm Ave), Wednesday, October 9, at the parking lot behind Agganis Arena (925 Comm Ave), and Thursday, October 10, in front of the Talbot Building, 715 Albany St., on the Medical Campus. All are from 10 am to 1 pm. Find more information here.
IS&T will also host a presentation titled Foreign Influence and the Media on Wednesday, November 6, from 3:30 to 5 pm, with special guest Kristopher Grahame, a longtime FBI intelligence analyst; location TBA.