Small Talk from the VP: Creating a Culture of Information Security Awareness: Small Steps
By Dave Smallen
April 22, 2015
While waiting for the long winter to depart and the golf season to begin, I have been reading a variety of books with golf themes, some biographical and some for self-improvement. Most recently I tackled Golf’s Three Noble Truths by James Ragonnet, a professor of English and golf coach at Springfield College. One of his three truths is awareness, by which he means being fully awake and watchful about everything you do. If I do so, he promises improvement in my game. While I am skeptical about his advice about golf, I do think increasing awareness is the key to improving information security at Hamilton. Moreover, creating a culture of awareness (aligning what we believe and say with what we do) is critical to reducing the risk of compromising sensitive information. Three small ways to begin to create this culture are avoiding Phishing, creating strong passwords and using screen locking.
One of the most common, and easily avoided, security threats is known as Phishing. “Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card numbers (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.” (http://en.wikipedia.org/wiki/Phishing).
Members of the Hamilton community regularly receive Phishing emails, and the best approach to reducing the risk of Phishing is to recognize the telltale signs and report suspicious emails to our Help Desk so that we can alert our community. In an experiment on March 12, we were able to get a better estimate of our current level of awareness of Phishing. Twenty percent of our employees clicked on the link in a Phishing email. Over the March break, two hundred sixty-three employees attended information security awareness training, which included a reminder about Phishing.
A second way to create a culture of awareness is by using “strong” passwords for your Hamilton accounts. Not only are these passwords harder to crack, but using them serves as a continuing reminder to you of your contribution to keeping information secure. One hundred forty non-faculty employees have changed their passwords already; students will start on the 23rd of April and faculty will follow after grading is complete. The goal is to have everyone use a strong password by the end of the semester and to change their passwords annually.
In 2013, the information security advisory committees, on the recommendation of our information security consultants, created a policy requiring screen locking on all college computers after fifteen minutes of inactivity. A screen lock requires the user to reenter his/her password to use the computer. The purpose of this feature is to prevent unauthorized use of the computer while the person is away or distracted. Recently, at another college, several students distracted a faculty member while another student used the faculty member’s computer to change their grades. While this kind of event is rare, it does happen. Certainly, this feature is an inconvenience, but it should be viewed as an individual’s contribution to developing a culture of awareness (it also can help people remember their passwords :<)
We all need to feel a part of creating a culture of security awareness. Being fully awake and watchful about everything you do with sensitive information can help this process. As the trainer from GreyCastle said on March 18, “If you see something, say something.”