What is one thing people should know about cybersecurity? “There are no dumb questions,” says Director of Infrastructure Services Pete Kellogg. Kellogg is William & Mary’s information security officer, and has been pushing for increased cybersecurity awareness on campus.
As part of this effort, W&M IT recognizes National Cybersecurity Awareness Month every October. NCSAM is a joint program between the Department of Homeland Security and technology industries to provide resources for technology consumers. The 2019 campaign focuses on consumer privacy, devices, and security with the theme “Own IT, Secure IT, Protect IT.”
Building a Conversation
“People kind of know what cybersecurity is,” Kellogg says, “but they’re afraid to talk about it because they think they’ll say something incorrect.” He sees that lack of conversation as a serious impediment to raising awareness on campus among students, faculty, and staff.
Kellogg has been pushing for change in the way William & Mary talks about cybersecurity. He noted that some awareness has been building organically, particularly among students who have a “heightened sense of the need for protection” from cybercrime. But he knows that W&M IT needs to step up to the challenge.
Up until a couple years ago, the IT department prioritized security infrastructure and focused less on cybersecurity literacy around campus. For instance, W&M IT did not actively reach out to faculty and students to teach them to recognize cybersecurity threats. “We would approach departments at their request,” Kellogg says, adding that it was a piecemeal and reactive approach rather than a proactive one.
The Status of Campus Cybersecurity
While William & Mary has not experienced any data breaches, Kellogg says there have been issues with inappropriate sharing and mismanagement of credentials as well as successful phishing attempts. He estimates that there are 10-15 phishing victims per year on campus.
In response, W&M IT is adopting both cybersecurity literacy and defense measures to protect the campus from potential threats. Starting in the summer of 2018, IT initiated a Security Awareness Training Program for W&M staff through the SANS cybersecurity institute. The same program is scheduled to begin for faculty during November 2019. The curriculum is customized for W&M system needs, drawing from over 100 different modules and using learning tools such as videos and quizzes to present real-world scenarios for faculty and staff to apply the concepts. Each employee is required to complete the training, and modules will be periodically updated with new information.
On the defense side, W&M IT has adopted a two-factor authentication (2FA) service called Duo. Duo requires the use of a secondary piece of identification to log in to W&M accounts with a CAS Login, such as Blackboard and G Suite. Users are prompted to verify their identity either with their smartphones (through the Duo App or SMS text codes) or with a hardware token before access to these systems is granted. Duo provides an extra layer of defense for these systems which contain users’ credentials and personal information.
In addition to protecting users from phishing attempts and data breaches, it also ensures William & Mary is compliant with FERPA by not exposing personally identifiable information (PII). Duo was required for faculty and staff in the Spring 2019 semester and for students at the beginning of October 2019.
As cybersecurity threats continue to evolve, W&M IT will keep working to adopt solutions to fight them. And Pete Kellogg will be working at the frontlines to keep the conversation going.