Information Security is Everyone’s Responsibility

It’s October, and that means it is Cyber Security Awareness Month.  This is a time to reflect on the issues, and to think about what role you play in ensuring that your own, and the University’s information resources, are secure.   In my previous roles I wrote a number of blog posts that revolved around cyber-security, and especially the role the individual plays.  I don’t think much has changed since I wrote those.  The individual plays a significant role, and still seems to be the weak link in our overall strategy.  Whether it is responding to a phishing email, not patching a machine or losing an unecrypted device, human error, or lack of knowledge around best practices, underly most of the issues.

Recently, there have been a number of high profile incidents in the  Canadian Higher Education Sector, as well as many prominent private sector incidents, the most talked about one being Equifax.   Although the root causes of these issues may not be changing much, the public’s tolerance for them is quickly waning.  From the media and public perspective, it seems to be the same problem over and over again, and t0 the layperson it seems like these incidents could’ve be prevented with appropriate education and resourcing.  Nothing is ever that simple, and we do need to acknowledge that the threat landscape has grown significantly and is ever changing.  Often we simply can’t keep up with the bad agents.  That being said we can certainly mitigate the impact of these incidents with more awareness and resources.  Various levels of government and watchdog organizations have started to ask some hard questions and we need to respond along with our governments.

We don’t need to boil the ocean here. Taking some small, well orchestrated steps can completely change our security posture and significantly mitigate risks.   We need to remember that cyber security prevention is everyone’s responsibility and we are only as good as our weakest link. This understanding doesn’t always come naturally. If your neighbour decides to leave their doors unlocked it won’t really affect you; but in terms of cyber security, if the person next to you,  or across campus leaves their systems unpatched or responds to a phish, then it could impact you significantly.    Sometimes culture in Higher Education can be a significant barrier to taking even the smallest of steps, and we need to think about that.   I wrote a blog a few years back on how culture impedes our ability to tackle the issues around information security and I might bring that up for discussion in a  future post.

Here at ITS, we will be running various awareness events across the university over the next month.  I encourage you to check out our website and see what you know, or don’t know, and find out what your role could be.   Remember, you are your own best defence when it comes to protecting your information resources, and what you do, or don’t do, can  significantly impact others.  Small steps can generate big returns.