Technology Update - January 25, 2012
Table of Contents
Welcome to this special issue of the IRT Technology Update! January is "Data Privacy Month." Below, you will find information on a variety of data privacy topics at Drexel University.
What is Data Privacy Month?
January is Data Privacy Month in the higher education community. The highlight event, Data Privacy Day on January 28 celebrates the anniversary of the Council of Europe signing Convention 108, one of the first multinational laws that addressed the right of individuals to protect their personal information.
But what exactly is data privacy, and why dedicate an entire month to it? In our very digital age, smart phones and tablets are everywhere. Traffic on social networking sites such as Facebook and Linkedin is bustling with millions of daily visitors and registered users. Information permeates our lives, and everyone exchanges it every day, whether willingly—or not. Coincidentally, information can and often is stolen or sold to third parties. Also, consider the fact that a wide variety of devices, all with varying levels of protection, access university networks. Such variety makes a single security solution for the network difficult to manage, and this makes university networks prime targets for hackers.
Here are just a few numbers for your consideration: The US Cost of Data Breach survey found that the average cost per compromised piece of sensitive information per breach was around $204 (reputational costs were not included). Nearly 31% of breaches affected education-related organizations, as reported by privacyrights.org from 2005 to 2008. More than 12.4 million student records were vulnerable and potentially compromised in 324 security events. Note that of these breaches, higher education (universities included) was involved 79% of the time.
The goal of Data Privacy Day and EDUCAUSE is to educate teens, adults, students, teachers, etc. on how to protect their sensitive information (home addresses, SSNs, passwords, phone numbers, bank account numbers, etc.) and prevent damage to their reputation, finances, job, and even health.
Below, you will find discussions on these topics and what you can do to keep your sensitive information safe. For more information on Data Privacy Month and Day, see EDUCAUSE's Web site.
Data Privacy and Mobile Technology
Smart phones and tablets (the Apple iPad, Motorola Xoom, and Samsung Galaxy, to name a few) are everywhere these days. We have seen the shift from desktop PCs to laptop PCs, and now the shift from laptops to ever more mobile devices. However, this shift to a highly mobile environment comes at a price—decreased security. At least, until measures to protect sensitive information catch up with increasing mobility.
In the mean time, however, there are some things that all users of smart phones, tablets, and other highly mobile devices should bear in mind regarding their sensitive and private information:
- Most smart phones and tablets cannot require user logins to access personal information, and are instead meant for a single user per device.
- Smart phones and tablets are easy to lose or steal due to their portability and small size. Because most of these devices have no password protection activated, personal data is at risk from thieves.
- Currently, there is little to no anti-virus/firewall software for smart phones or tablets, leaving them vulnerable to hacking attempts and viruses that can steal sensitive information. While most app stores have a review process to ensure that apps follow certain rules, the Android market is almost devoid of rules, which has led to a number of malware apps being inadvertently distributed to unsuspecting users.
- Some apps gather more of your sensitive information than is necessary the app to run; others collect private data such as passwords and account numbers, but don’t explain how they encrypt or transmit the information; while other apps might have hidden malware functionally such as key-logging or screen/audio recording.
- Wireless networks present their own challenges for security. Because data is being transferred outside of a physical wire, a hacker can intercept the transfer much more effortlessly and from anywhere the network is accessible.
For more information, see "Smartphone Security & Privacy" on EDUCAUSE's Web site.
So, what can you do to protect yourself? See the below article, "Keeping Your Sensitive Information Safe and Sound," for more information.
Data Privacy and Social Networking
Millions of people have registered and regularly use accounts with social networking sites such as Facebook, MySpace, LinkedIn, FourSquare, and more. However, millions of people are also sharing their sensitive information on these social networking sites, whether or not they know it. This includes information that can damage one's reputation and one’s chance of getting a job—more and more job interviewers and hiring managers are searching social networking sites for this very same information and rejecting candidates whose online presence is unsavory.
The best pieces of advice regarding social networking sites and sensitive information is as follows:
- Don't post anything (text or photos) that you wouldn't want a prospective employer, your parents, or your significant other, etc. to see, regardless of "privacy" settings. Your online reputation matters just as much as your physical reputation.
- Don't allow these sites to post location updates for all to see.
- Never post your phone number, social security number, passwords, account numbers, or any other pieces of sensitive information.
- Learn how to properly configure your privacy and sharing settings for each site, but don’t rely on these settings to offer you bullet-proof protection – privacy features and settings can change and once information is leaked, there’s no sure-fire way to clean it all up.
Keeping Your Sensitive Information Safe and Sound
What can you do to keep your sensitive information safe? Here are some general tips for keeping your information out of the hands of malicious individuals:
- Never, ever text or email your passwords to anyone. No legitimate organization will ever ask you to provide this information.
- Don't leave your office while your computer is logged in. When you are logged in, none of your data is encrypted and thus can be accessed by anyone working on the computer until you log out. If you leave your office, log out of any computers present.
- Avoid conducting financial transactions on smart phones or tablets, especially if your device is not optimized for security. These transactions include online banking and online shopping.
- Learn to recognize spam/phishing messages and never, ever respond to them or click any of the links they provide. Many of these messages ask for login information, pose as support of account closure message, contain numerous spelling and grammatical errors, use various fonts or font colors, use various symbols and exclamations or bad graphics, or pose as transaction receipts for transfers or purchases you didn't make. Always use caution and thoroughly inspect any messages you weren’t expecting to receive!
- Do a little research on the trustworthiness of apps or the organizations behind them. Apps are one of the prime vectors for malware that can steal or record your personal information and habits.
- Avoid apps that share your device's location, and avoid sharing your current location at all. Location information, especially if it is stolen by a hacker, can put you at risk for stalking, burglary, or worse.
- Learn how to set up your privacy options on social networking sites. If you don't, you might be opening up your personal information (location, home address, pictures, phone number, email address, etc.) to malicious individuals or sellers of personal data. Avoid posting this information at all on social networking sites unless your privacy options are properly set and under your control.
- Purchase a device that includes a remote data wiping feature. That way, if the device is ever stolen or lost, your personal data can be remotely wiped from the device. You can also do a little searching for software that provides the same service for devices that don’t already have it installed.
And most important of all, use common sense. If something looks suspicious, it probably is—avoid it just to be safe. Use extreme caution when conducting financial transactions online, and when sharing any of your personal information. Perhaps the most important thing a user can do, however, is take the time to learn more about cyber security and threats for the devices you use, and learn how to tweak its security settings. Do your homework on anything you download, including software packages and apps.
If you are ever concerned about the legitimacy of an email message, you can contact the IRT Help Desk for advice at firstname.lastname@example.org or 215-895-2020.
What is IRT Doing and How Can You Get on Board?
During late 2011, IRT began encrypting data in key administrative offices using BitLocker, a data encryption tool built into Windows 7 that secures data on the hard drive; BitLocker adds a second layer of security by requiring a PIN to start up the computer. If you have a computer that has access to or stores key university needs, you need data encryption. Note that since BitLocker is built in to only the Enterprise and Ultimate versions of Windows 7, IRT will need to upgrade computers running other versions of Windows to Windows 7 Enterprise in order encrypt the drive.
As the University develops a campus-wide data security policy, to include Macintosh laptops and smartphones, each department will need to begin assessing their hardware requirements in order to become compliant.
If you want to begin encrypting laptops and flash drives in your area, contact the IRT Help Desk at email@example.com or 215-895-2020.
The iSchool Takes the Lead on Data Encryption
As part of the data privacy initiative at Drexel, the iSchool is taking the lead and requiring the adoption of some best practices (as described in the above articles) and policies when it comes to securing data on devices (laptops and flash drives) that leave the building.
All laptops require analysis and encryption of data on their hard drives. Any laptops running Windows XP will be upgraded to Windows 7, which includes a number of security features and updates.
Flash drives, another source of data vulnerability, should also take advantage of built-in security software. If this software is not included on the drive, other freely available software can be used to encrypt the flash drive.
Faculty and staff members of the iSchool can contact the iCommons for assistance. Call 215-895-2480, email firstname.lastname@example.org, or visit the iCommons in Room 106 of the Rush Building (N. 33rd Street and Lancaster Walk).