The InfoSec Team Can’t Do It Alone—Cyber Security Is Everyone’s Responsibility

Happy October and National Cyber Security Awareness Month (NCSAM)!

Did you know? In 2017 the education industry (which includes K–12 and higher education institutions) had 7,837,781 records breached in 35 events. To put that into perspective, the healthcare industry had 6,058,989 records breached in 428 events, and the retail industry had 123,652,526 records breached across 33 events. (See Privacy Rights Clearinghouse Chronology of Data Breaches, 2017 data.)

More than half of the breaches in the education sector were caused by activities directly attributable to human error, including lost devices, physical loss, and unintended disclosure (see figure 1). These breaches were arguably preventable through basic information security protection safeguards.

Figure 1. Types of security breaches among educational institutions

What can you do every day to protect data? The Princeton Information Security Office (ISO) believes YOU are our guardians at the gate and can actively help us protect data! Very few verticals, if any, transmit, process, access, and share data elements as varied and sensitive as those in higher education. There is no “one size fits all” blueprint for information security controls that all institutions can follow. Yet all campus members have a responsibility to know basic information security protections to safeguard data and prevent those data from being mishandled. Here’s how you can help:

  • Update your computing devices: Ensure updates to your operating system, web browser, and applications are being performed on all personal and institution-issued devices. If prompted to update your device, don’t hesitate—do it immediately.
  • Enable two-factor authentication: Whether for personal use or work, two-factor authentication can prevent unauthorized access even if your login credentials are stolen or lost.
  • Create strong and unique passwords: Create unique passwords for all personal and work accounts. In today’s environment, one of the best ways to create a strong password is to use a password manager (Princeton offers LastPass password manager free of charge to all students, faculty, and staff). A password manager will alleviate the burden of having to memorize all the different complex passwords you’ve created by managing them all in one vault and locking that vault with a single master password.
  • Protect your devices: Using biometrics or six-digit passcodes on smartphones and tablets is critical to keeping curious minds from accessing personal information, work email, or retail/banking applications. It also helps protect your device if you lose or misplace it.
  • Understand where, how, and to whom you are sending data: Many breaches occur because of mistakes where sensitive information is posted publicly, mishandled, or sent to the wrong party. Be sure you are familiar with Princeton’s data classifications. Visit our Protect Our Info website for details.

Getting ready to send data to a vendor or sign a contract? With more and more services moving to the cloud, higher education institutions have an additional obligation to ensure that third parties are protecting our most sensitive information. If you or your department are looking to purchase or adopt a service or technology that uses institutional data, it is imperative that you include the ISO at the beginning of the project or contract process to help ensure that data are properly protected. Visit our Architecture & Security Review (ASR) webpage for more information.

For additional tips and to learn about upcoming events, visit our NCSAM webpage.

Portions of this blog were provided by Educause (www.educause.edu/securityawareness).
