Cybersecurity Awareness Month

Cybersecurity Awareness Month

In our digital world, cybersecurity awareness is crucial. Cyberattacks constantly evolve, endangering personal information, finances, and the university's reputation. As members of the IU Student Life team, we have a responsibility to secure student and patient information.

Throughout this designated month, we will actively engage in activities and initiatives aimed at equipping ourselves with the necessary knowledge and tools to defend against cyber threats. By enhancing our understanding of the potential risks to data security and embracing industry best practices, we can establish a secure environment and mitigate vulnerabilities.

Successful cyberattacks can have severe consequences personally and professionally. They lead to data breaches, identity theft, financial losses, and operational disruptions. As members of the Office of Student Life team, we all play an important role in cybersecurity. Compliance with regulations like HIPAA and FERPA is a vital part of everyone’s job.

Participating in this awareness month means taking a proactive approach to cyber defense. We'll cover topics like password management, phishing avoidance, general device and online security practices. This knowledge empowers us to protect ourselves and the university.

We must promote awareness, education, and shared responsibility. By adhering to best practices, we create a secure environment.

Check back with us at this website each week as we expand our knowledge, and reinforce our commitment to cybersecurity.

Week 1: Introduction to Cybersecurity

  • Cybersecurity refers to the protection of digital systems, networks, and data from unauthorized access, damage, or theft.
  • It involves implementing measures to prevent, detect, respond to, and recover from cyber threats.
  • Cyber threats are prevalent and constantly evolving.
  • Individuals and organizations are vulnerable to attacks.
  • Cybersecurity awareness empowers us to protect ourselves and our digital assets.
  • By being informed, vigilant, and adopting best practices, we can protect ourselves and mitigate the risks associated with phishing attacks.

  • 91% of cyber-attacks begin with a phishing email. Phishing emails are a common entry point for attackers to gain unauthorized access or steal sensitive information.
  • 76% of organizations experienced phishing attacks in 2020. Phishing attacks continue to be a significant threat to organizations, impacting their operations and data security.
  • 97% of people worldwide cannot identify a sophisticated phishing email. Attackers use increasingly sophisticated tactics, making it challenging for individuals to distinguish between legitimate and malicious emails.
  • The average cost of a successful phishing attack for a medium-sized company is $1.6 million. Phishing attacks can result in financial losses, data breaches, and reputational damage, impacting an organization's bottom line.
  • 80,000 phishing attempts are reported each month. Phishing remains a widespread and ongoing threat, with a staggering number of attempts reported regularly.

Here are some key points highlighting the significance of cybersecurity and its impact on the university and its stakeholders:

  1. Educating and Empowering Stakeholders: Security Awareness Month provides an opportunity to educate the members of DSA about cybersecurity best practices. By raising awareness, we hope to promote responsible digital behavior, such as using strong passwords, recognizing phishing attempts, and being cautious with sharing sensitive information.
  2. Protecting Sensitive Data: DSA handles a vast amount of sensitive information, including student records, financial details, and personal information. Cybersecurity measures safeguard this data from unauthorized access, theft, or misuse. Breaches can lead to severe consequences such as identity theft, financial losses, damage to reputation, and legal liabilities.
  3. Ensuring Continuity of Operations: DSA relies heavily on digital infrastructure, including networks, systems, and online platforms. Cyberattacks such as ransomware, malware, or distributed denial-of-service (DDoS) attacks can disrupt essential services, interrupt academic activities, and affect administrative functions. Robust cybersecurity measures, including regular backups, system monitoring, and incident response plans, help minimize the impact of such attacks and ensure the continuity of operations.
  4. Protecting Personal Privacy: Universities collect and store personal information of students, faculty, staff, and alumni. Safeguarding this information is essential to protect individuals' privacy rights and comply with data protection regulations. Cybersecurity measures, including strong access controls, encryption, and secure data storage, help prevent unauthorized access and data breaches that could compromise personal privacy.
  5. Fostering Trust and Reputation: A strong cybersecurity posture enhances the trust stakeholders have in the university. Students, faculty, staff, alumni, and partners expect their information to be protected, and they rely on the university to maintain a secure digital environment. Demonstrating a commitment to cybersecurity helps build and maintain a positive reputation, attracting talented individuals and fostering fruitful collaborations.

Video: Cybersecurity in 7 Minutes. What is Cybersecurity, how it works.

Week 2: Phishing and Social Engineering Awareness

Phishing attacks continue to be a prevalent method used by cybercriminals to deceive individuals and gain unauthorized access to sensitive information. Employees play a critical role in reducing the likelihood of falling victim to phishing attempts. 

By following essential steps and adopting good cybersecurity practices, employees can enhance their protection against phishing attacks:

  • Stay Alert and Be Skeptical: Developing a healthy skepticism towards unsolicited emails, messages, or phone calls is crucial. Be cautious of unexpected requests for personal information, urgent actions, or offers that sound too good to be true. Verify the authenticity of the sender or source through alternative means, such as contacting the organization directly using official contact information.
  • Think Before You Click: Avoid clicking on suspicious links or downloading attachments from unknown sources. Hover your mouse over links to view the URL before clicking, paying attention to inconsistencies or misspellings. Verify the legitimacy of links by manually entering the website address in a new browser tab.
  • Examine Email Sender Details: Phishers often use deceptive tactics to make their emails appear legitimate. Carefully inspect the sender's email address, as phishing emails may use slight variations or misspellings of legitimate addresses. Be particularly cautious of emails claiming to be from banks, government agencies, or popular online services.
  • Keep Software Updated: Regularly update your operating system, web browsers, and security software. Updates often include patches for known vulnerabilities, reducing the risk of successful phishing attempts.
  • Implement Strong Password Practices: Use unique and strong passwords for different accounts. Avoid using easily guessable information such as birthdays or common words. Enable multi-factor authentication whenever possible to add an extra layer of security.
  • Be Wary of Sharing Personal Information: Be cautious when providing personal or sensitive information online. Legitimate organizations typically do not request sensitive information via email or unsecured forms. When in doubt, contact the organization directly using official contact information to verify the request.
  • Educate Yourself: Stay informed about the latest phishing techniques and evolving trends. Participate in cybersecurity awareness training programs offered by your organization to enhance your knowledge and skills in identifying and avoiding phishing attempts.

Remember, cybercriminals are continuously adapting their tactics, so maintaining a proactive and vigilant mindset is essential. By following these steps and being mindful of potential phishing red flags, employees can significantly reduce the likelihood of becoming victims of phishing attacks, protecting themselves and their organizations from potential data breaches and financial losses.

LinkedIn Learning videos:

Subject: Urgent Account Verification Required

Dear [Recipient's Name],

We regret to inform you that there has been a security breach in our system, and we require your immediate attention to resolve the issue. Our records indicate that your account information might have been compromised. To ensure the security of your account and prevent any unauthorized access, we kindly request you to verify your account details by clicking the link below.

[Click Here to Verify Your Account]

Please note that failure to verify your account within 24 hours may result in the temporary suspension or permanent closure of your account. We understand the inconvenience this may cause, but we prioritize your account's security and privacy.

If you have any questions or need assistance, please don't hesitate to contact our support team at [fake email address] or call our helpline at [fake phone number]. Our representatives are available 24/7 to assist you.

Thank you for your cooperation in this matter.

Sincerely,

Josh Abrams, Customer Support Team

Note: This example illustrates a common phishing email that attempts to trick recipients into clicking on a link to verify their account due to a supposed security breach. The email creates a sense of urgency and provides contact information to further deceive the recipient. It's essential to be cautious and verify the legitimacy of such emails before taking any action.

Resources

Week 3: Passwords

Best practices for password management and the importance of strong, unique passwords.

  • IT will NEVER ask for your IU passphrase or system password. NEVER give out or share either of these.
  • Use a Password Manager: Consider using a reputable password manager to securely store and generate strong passwords. Password managers help you manage and remember unique passwords for different accounts without the need to memorize them all. The DSA IT Office uses and recommends 1Password. https://1password.com/pricing/
  • Use Strong and Complex Passwords: Create passwords that are long, unique, and include a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using predictable patterns or easily guessable information, such as birthdays or names.
  • Don't Reuse Passwords: Each account should have a unique password. Reusing passwords across multiple accounts increases the risk of a security breach. If one account is compromised, all other accounts with the same password become vulnerable.
  • Enable Two-Factor Authentication (2FA) DUO: Implementing 2FA adds an extra layer of security to your accounts. It typically requires a verification code sent to a trusted device or a biometric authentication method, making it harder for unauthorized individuals to access your accounts even if they have your password.

LinkedIn Learning videos

DSA password requirements section 12: IT Policy and Procedure Manual.pdf

Week 4: Proper ways to secure and handle critical student data

  • Privacy and Confidentiality: Sensitive data, such as PHI and student records, contain personal and private information that must be kept confidential. Patients and students trust the Division and the Health Center to protect their sensitive data. Maintaining their privacy is crucial for establishing trust and maintaining a professional relationship.
  • Legal and Regulatory Compliance: Post-secondary institutions and student health centers are subject to various legal and regulatory requirements, including the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). Compliance with these regulations is mandatory to ensure the privacy and security of student records and PHI. Failure to comply can result in severe legal consequences, including fines and damage to the institution's reputation.
  • Preventing Data Breaches: Sensitive data, especially PHI, is a prime target for cybercriminals. Data breaches can lead to unauthorized access, misuse, or theft of personal information, which can result in identity theft, financial fraud, or reputational damage. Protecting sensitive data helps minimize the risk of data breaches and the associated negative consequences for individuals and the institution.
  • Safeguarding Student Wellbeing: In a student health center, protecting sensitive data is directly linked to the wellbeing and healthcare of students. Confidentiality and security of health records are vital to ensure that students feel safe seeking medical assistance and disclosing personal information. This trust facilitates proper diagnosis, treatment, and support for students' physical and mental health.
  • Maintaining Institutional Reputation: A post-secondary institution's reputation is built on trust and integrity. By effectively protecting sensitive data, the institution demonstrates its commitment to privacy and security. A data breach or mishandling of sensitive information can significantly damage the institution's reputation, resulting in a loss of trust among students, staff, and the wider community.

LinkedIn Learning video

Week 5: FERPA and HIPAA Regulations

  • The Family Educational Rights and Privacy Act (FERPA) is a federal law that grants certain rights and privacy protections to students regarding their education records. FERPA applies to educational institutions that receive funding from the U.S. Department of Education. The primary goal of FERPA is to safeguard the privacy and confidentiality of students' educational records while balancing the need for information sharing within the educational community.
  • Under FERPA, students who have reached the age of 18 or attend postsecondary institutions have the right to control their educational records. These rights include the right to review and request amendments to their records, control the disclosure of their records to third parties, and seek redress if their privacy rights are violated. FERPA also requires educational institutions to notify students of their rights and maintain reasonable procedures to protect the confidentiality of student records.
  • FERPA sets limits on the release of student information without consent, aiming to protect sensitive data such as grades, disciplinary records, and enrollment details. However, FERPA allows for the disclosure of certain information known as "directory information" without consent, unless the student has opted out. Examples of directory information include the student's name, address, phone number, and enrollment status.

In summary, FERPA grants students' specific rights over their educational records and establishes guidelines for educational institutions regarding the privacy and disclosure of student information. It plays a crucial role in protecting students' privacy rights while promoting transparency and accountability within the educational system.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to establish national standards for the protection of individuals' sensitive health information. HIPAA regulations play a crucial role in the healthcare industry by safeguarding patient privacy, ensuring the security of electronic health records (EHRs), and promoting the secure transmission of health data.

One of the primary objectives of HIPAA is to protect the confidentiality of individually identifiable health information, also known as Protected Health Information (PHI). PHI includes a wide range of personal data, such as patient medical records, treatment history, insurance details, and any other information that can be used to identify an individual. HIPAA mandates that covered entities, including healthcare providers, health plans, and healthcare clearinghouses, implement administrative, physical, and technical safeguards to protect the privacy and security of PHI.

The significance of HIPAA regulations for the healthcare industry cannot be overstated. Here are some key reasons why HIPAA compliance is crucial:

  • Patient Privacy and Trust: HIPAA regulations ensure that patients' personal health information is kept confidential and accessed only by authorized individuals. Protecting patient privacy builds trust between healthcare providers and patients, which is fundamental to the delivery of quality healthcare.
  • Legal and Financial Consequences: Non-compliance with HIPAA regulations can result in severe penalties, including substantial fines and legal actions. Violations can damage an organization's reputation and lead to financial losses, making adherence to HIPAA regulations a top priority for healthcare entities.
  • Data Security and Breach Prevention: HIPAA requires the implementation of robust security measures to protect electronic PHI from unauthorized access, alteration, or disclosure. This includes practices such as encryption, access controls, regular risk assessments, and employee training. By complying with these regulations, healthcare organizations can mitigate the risk of data breaches and potential harm to patients.
  • Interoperability and Data Exchange: HIPAA regulations promote the secure and standardized exchange of health information among healthcare providers, health plans, and other covered entities. This interoperability ensures that patient data can be accessed, shared, and utilized efficiently while maintaining the necessary privacy and security protections.
  • Business Associate Compliance: HIPAA extends its requirements to business associates, such as third-party vendors or service providers, who have access to PHI. This ensures that any entity handling PHI on behalf of a covered entity adheres to the same standards of privacy and security, further protecting patient information.

Overall, HIPAA regulations are critical to maintaining the privacy, security, and integrity of patient health information in the healthcare industry. Compliance with HIPAA requirements not only protect patients' rights but also helps organizations avoid legal consequences, build trust, and foster a secure and efficient healthcare ecosystem.

Data breaches and non-compliance with regulations such as HIPAA (Health Insurance Portability and Accountability Act) and FERPA (Family Educational Rights and Privacy Act) pose significant risks and consequences, particularly in terms of privacy, security, and trust. Understanding these risks is crucial for individuals and organizations operating within the healthcare and education sectors.

Data breaches occur when unauthorized individuals gain access to sensitive information, such as personal health records or student records, without proper authorization. These breaches can result in severe consequences:

  • Privacy Violations: Data breaches compromise the privacy of individuals, exposing their personal information to potential misuse. In the healthcare sector, unauthorized access to medical records can reveal sensitive health conditions, treatment history, and other personal details, which can lead to discrimination, identity theft, or harassment. Similarly, in the education sector, unauthorized access to student records can disclose personal information, academic performance, and disciplinary history, violating students' privacy rights.
  • Financial Loss and Legal Consequences: Data breaches can lead to financial losses for individuals and organizations. Victims may suffer financial harm, such as unauthorized transactions or fraudulent activities carried out using their stolen information. Organizations that experience breaches may face substantial financial penalties, legal actions, and damage to their reputation, resulting in financial burdens and potential closure.
  • Trust and Reputation Damage: Data breaches erode trust between individuals and the organizations responsible for protecting their information. In the healthcare industry, patients may lose confidence in healthcare providers if their sensitive health information is compromised. In the education sector, students and their families may question the ability of educational institutions to safeguard their personal data. Trust and reputation damage can lead to a decline in patient or student enrollment, loss of funding, and diminished public perception.

Non-compliance with HIPAA and FERPA regulations further exacerbates these risks and consequences:

  • Legal Penalties: Failure to comply with HIPAA or FERPA regulations can result in severe legal penalties and fines. Organizations found in violation of these regulations may face financial sanctions, lawsuits, and even criminal charges. Non-compliance demonstrates negligence and a lack of commitment to protecting individual privacy rights and can have long-lasting legal ramifications.
  • Loss of Funding and Accreditation: Non-compliance with FERPA regulations in the education sector may lead to the loss of federal funding or accreditation, impacting an institution's financial stability and reputation. Similarly, in the healthcare industry, non-compliance with HIPAA regulations may result in the loss of government contracts, insurance reimbursements, and the trust of patients and stakeholders.
  • Diminished Stakeholder Trust: Non-compliance with these regulations undermines the trust of patients, students, parents, and other stakeholders. It signals a disregard for privacy and security, creating an environment where individuals may hesitate to share sensitive information or seek services from non-compliant organizations.

Data breaches and non-compliance with HIPAA and FERPA pose significant risks and consequences. These include privacy violations, financial losses, legal penalties, damage to reputation and trust, and the potential loss of funding or accreditation. Adhering to these regulations is essential to protect individuals' privacy rights, maintain trust, and ensure the security of sensitive data in both the healthcare and education sectors.

  • IU has a mature collection of HIPAA related resources here.
  • FERPA can be found here.