With potent bugs like Heartbleed making headlines, UBC CIO Oliver Grüter-Andrew talks about how to protect data
The Heartbleed security bug is just the latest example of the vulnerability of online data. Oliver Grüter-Andrew, UBC’s Chief Information Officer, discusses what the university is doing to safeguard data and what you can do to protect your personal information.
We hear media reports about growing numbers of international cyber attacks. What is happening?
Criminal organizations have realized that money can be made via identity theft and financial fraud conducted over the Internet. Whereas in the past, it was necessary to physically steal documents or credentials, criminals can now steal thousands of records online. This has made credit card theft as well as identity theft a very lucrative illegal business.
How are universities being affected by this? To what extent are they the target?
They’re being targeted as repositories of personal and financial information. The University of Maryland was recently targeted for attack and 309,000 records that included Social Security Numbers and dates of birth were stolen. Criminals are doing reconnaissance and learning about their targets before they attack them. They know that credentials like usernames and passwords are the key to their success, so they’re targeting the theft of that information.
How serious a threat is this to UBC? Should we be concerned?
It is a serious threat and we should definitely be concerned. Faculty, staff and students can help by paying attention to phishing emails: messages that ask you to provide credentials or log into a website – usually under threat of something (loss of service, loss of package, etc.). Check with your unit’s IT staff before responding to these emails. Your IT staff will help you identify whether they’re legitimate.
Here’s a practical tip: If you are asked to click on a link in a suspicious email, hover your mouse over the link to see if the address is directing you to the actual website. If in doubt, rather than clicking on the link, open a browser and type what you know to be the correct address. Fraudulent links can take you to a malicious website.
What should individuals be doing to protect their information?
We encourage everyone to stay up-to-date with suggested security tips and actions provided by the university. Basic information security best practices, which all of us should undertake, include encrypting mobile devices, installing antivirus software, keeping software up-to-date with vendor supplied patches and updates, creating strong passwords and eliminating the practice of sharing passwords with others.
What information security efforts are being taken by UBC?
Information security is always a priority at UBC. With a dramatic increase in cybercrimes these past few years, UBC created a Personal Information Task Force in 2012 to provide oversight and direction for the protection of information. With this task force, we developed a Mobile Security campaign and a Cyber Security campaign to generate awareness and to educate the UBC community about information security best practices. We’ve also established an Emergency Task Force that handles unforeseen vulnerabilities, such as the Heartbleed bug. Our task force coordinates an immediate security response to the issue and provides communications to the community on steps that they can take to protect themselves. There will always be unforeseen vulnerabilities, but we are implementing proactive measures to ensure that the university is prepared for any potential threats.
We also have a number of information security services available to the community including encryption services, information security programmes, and information security awareness training. Encryption services are available to staff and faculty for their UBC-owned hardware, such as USB storage and personal computers, to mitigate risks associated with physical thefts or loss.
A UBC-wide data encryption program has also been recently launched to protect personal information assets. The benefits of encryption can be quite significant. A break-in at the Faculty of Arts months ago led to the loss of two laptops containing sensitive information. While the stolen hardware was not recovered, data were not compromised due to encryption.
Information security awareness training is available online in a video format to staff, faculty and graduate students at no cost. These short online videos allow viewers to learn about topics that range from how to create a strong password to how to protect information on your mobile devices.
What are the challenges of implementing such security measures in an institution with more than 55,000 students?
UBC is a large and diverse environment and communicating information security initiatives and suggested precautions can be challenging. We need to raise awareness to the level where individuals sufficiently understand the risks. Security is frequently seen as an impediment when it needs to be seen as an enabler for academic and administrative activities of the university.
To learn more about information security, visit the CIO website.