Last year was the first time we at Oxy actively contributed content to promote National Cyber Security Awareness Month. This year, as you’ve no doubt noticed, we’re back at it again. One slight change this year is to my job title, which is now Director of Infrastructure & Information Security.
There’s a lot about information security that is pretty cool. I can assure you that my job is not one of them. I have no cool job title or nom de code. But the fact is that the bulk of the work involved in information security is pretty boring stuff. Because information security is boring and because boring is the opposite of fun, when nobody is specifically tasked with doing that boring stuff, it will never get done, and that leads to these sorts of things happening. It also means that because it’s boring, people tend not to care about it. Sometimes, that means coming across like this.
So that’s no good.
A big part of why I like NCSAM is because it provides a good opportunity to approach the problems of information security with the intent to convince, rather than to control or coerce. On the business side of things, this task is made easier by all of the rules and regulations we have to follow – the Payment Card Industry Data Security Standard, the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act, and California Senate Bill 1386 being among the more notable.
There’s a bigger challenge on the personal side of things. There are a lot of folks that try to answer the question of why you should care about cybersecurity – this one is representative of the typical approach: if you don’t care about cybersecurity, your information gets stolen. But the fact is, with 885 million records breached since 2005 as a result of attacks mounted by or against institutions and businesses (that we know of), you’d be forgiven for thinking that this isn’t your problem.
A better approach, I think, is one that got a little bit of attention last year but hasn’t really broken through yet, and that is to treat information security as a public health issue. This is much easier said than done – public health efforts have their own set of challenges to deal with, after all. But, at least for me, I’d rather think of running up-to-date anti-malware software as the vampire sneeze of computing than rely on the shock value of scary stories.
At the end of the day, the advice is still the same, but the context and framing are different. When looking through some of the resources below, try to think of the consequences of poor security practices in a broader context. If you aren’t picking strong passwords for your personal accounts, you probably won’t pick strong passwords for your work account. If you aren’t good at identifying phishing emails in your personal email, you probably won’t be good at doing it on your work email.
Days Gone Bye:
Last year, I talked about two-factor or two-step authentication. I ended that by mentioning that Oxy hadn’t implemented two-factor authentication for our own systems, and to an extent, that remains true. Within ITS, I have been experimenting with two-factor authentication for some of our most critical systems to see if any of the solutions can scale up to something we can deploy to the whole campus.
That said, you can turn on two-step for Oxyconnect by following Google’s steps here. Some important safety tips:
- If you’re going to use an app on your phone or tablet for two-step, I recommend trying out the Authy app. Among other things, it will let you manage multiple such accounts and you can make secure backups to the cloud and sync the codes to multiple devices.
- If you run into any problems connecting to your email after turning on two-step, please make sure to let us know that you’ve turned this on when asking ITS for help.
And Another Thing…
Oxy owns a campus license for anti-malware software from Sophos, and one of the perks is that all employees and students are eligible to use the product for free on their personal devices. You can find links to download it on our website. You can also get it on USB drives that are available for free from ITS.