Jeff Gardiner knows you think his warnings are the ‘eat your veggies’ messages of the ITS world. Everybody hears them – and everybody ignores them.
But he wants you to eat your veggies anyway.
“It’s funny – just as people either take a balanced diet seriously or not, people take password etiquette seriously or not,” he said.
For Western’s Central Information Security Officer, cyber security is about something larger than changing passwords – it gets to the heart of preserving what the university does.
“In the Bronze Age, those who mastered Bronze commanded influence. In the Iron Age, those who mastered Iron commanded influence. This is the Information Age, and those who master information stewardship command influence. Western has always been an enterprise in the information business, researching the bounds of knowledge or imparting it to new generations of students. However, we ask ourselves: Is our stewardship of this, our most abundant asset, current and sound?”
This month, Western Information and Technology Services (ITS) is getting the message out to the university community on the seriousness of computer security and safety in recognition of National Cyber Security Awareness Month. ITS designated Oct. 5-9 as Cyber Security Awareness Week.
“This provides us an opportunity to highlight the critical importance each of us plays in the security of our identities, information and systems at Western,” said Jeff Grieve, Executive Director, ITS. “Information technology has become so integrated into our daily lives that it is no longer practical to rely solely on technical solutions and safeguards to keep our cyber environment secure. Students, faculty and administrators have crucial roles to play in the protection of not only ourselves, but also each other.”
Sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security and the U.S.-based non-profit National Cyber Security Alliance, National Cyber Security Awareness Month has encouraged vigilance and protection by computer users since its inception in 2004. This year marks the first Western awareness campaign aligned with U.S. counterparts.
The awareness campaign takes place in the shadow of a Canadian summer which saw several government websites – including the general website for government services and that of the Canadian Security Intelligence Service (CSIS) – taken down by the hacking group known as ‘Anonymous’ in retaliation for anti-terrorism legislation passed by Canada’s politicians.
A recent Statistics Canada report revealed 6 per cent of 17,000 private Canadian enterprises surveyed had experienced a cyber security breach in 2013. About one-quarter of those reporting a breach – approximately 260 companies – said proprietary information (including customer personal information) was “corrupted, stolen or accessed without authorization.”
In the background of those high-profile attacks are millions of smaller attacks originating across the globe and hitting other government agencies, corporations and even universities.
“Attacks on Western are really no different – they are global, constant and pervasive,” Gardiner said. “Our technology alone cannot protect us. We need good governance and a community that is ‘cyber smart.’”
Due to the number of systems on campus, it is difficult to put a precise number on the attacks the university faces in a year. But there are countless individual examples that add up.
For example, four years ago Western opted to block off-campus access to Remote Desktop Protocol, an interface to connect one computer to another over a network connection. At the time the plug was pulled, that service was being attacked 1.5 million times – a day.
“People complain about receiving spam messages in their inbox,” Gardiner said. “Yet, on average, Western’s spam constitutes about 85 per cent of the email we receive on a daily basis – only about 15 per cent of incoming emails are real. That we block 85 per cent outright is amazing to me.”
ITS officials stress the unit cannot protect the campus through technology alone. And in order to be successful, both Grieve and Gardiner said they need everyone to do their part. Communicating that message is also an ongoing effort, as each year the university ushers in a new group of students, as well as staff and faculty.
ITS is taking this month to refocus community attention on understanding the risks associated with information technology and developing a personal strategy for mitigating them. Some basic steps are available through its CyberSmart website, cybersmart.uwo.ca.
Digital and physical posters have been created outlining some of the common concerns with respect to cyber safety. Various faculties and departments helped coordinate the distribution of these materials in their respective areas.
Last week, ITS team members provided cyber security information sessions in student residences as part of the Take Care Fair, and hosted a booth in the University Community Centre Atrium.
“The biggest challenge we face is striking the appropriate balance between IT security and IT usability – often opposing forces in the university academic environment,” Grieve said. “On one hand, we need to foster open and transparent collaboration between teachers, students and researchers. At the same time, the exchange of information through systems and services needs to be both highly available and secure.
“This tension between needing to be a fundamentally ‘open’ institution that is simultaneously ‘sufficiently and appropriately safeguarded’ is a big ongoing challenge.”
Grieve asks students, faculty and staff to check the website and think about their daily work now – before it’s too late.
“Unfortunately, the wake-up call for most people comes at the point when they realize, or are informed by the university, their user account credentials have been compromised,” Grieve said. “At that point, ‘change your password’ becomes an anxiety-filled, time-sensitive and reactive response to protect your personal information, as well as other university systems and services.”
Students are often targeted as free-wheeling when it comes to data. But there is plenty of blame to share, Gardiner stressed.
“It’s a misconception people who have grown up with technology have a cavalier attitude toward the protection of information. Rather, the people who have given them this technology, and not built in de-facto safeguards and protections, have been the ones who have been cavalier – and it’s these new generations who have to live with the consequences not knowing any different.”