2021 October Cybersecurity Awareness Month - Employees

The year 2020 broke all the records when it came to cybersecurity incidents.  Driven by the pandemic and the shift to remote work, there were over 1.4M reports of identity theft in the US, more than double the reported count in 2019.  Malware increased by more than 350% and several colleges and universities have been significantly impacted by ransomware. The higher education industry is particularly vulnerable as it holds tremendous amounts of data about its constituents and is generally considered a "soft target" (easy to attack).  SPU is not immune to these incidents as the University continues to block millions of attacks per day and combat fraudsters impersonating SPU deans and administrators.  The University strives to be diligent about security to protect the SPU community and we need your help!

Change on the Horizon

The rise in incidents has prompted a corresponding increase in SPU's cybersecurity insurance. The Department of Education has also taken notice and is contemplating a shift from merely recommending the NIST 800-171 cybersecurity standards to requiring institutions to meet them. There are also new requirements for institutions accepting federal financial aid under CUI and GLBA. The Office of Computer and Information Systems, in partnership with the Office of Risk Management, is working to adapt SPU policies, training programs, and systems to reduce risk and protect the SPU community and our students. While some changes are necessary, SPU will endeavor to keep them from impacting your important work. The following are some of the changes approved by the Senior Leadership Council that are coming in the near term.

Cybersecurity Training

There is a new Cybersecurity and Online Habits training available for you to take as part of the Human Resources compliance training program. Both the Gramm-Leach-Bliley Act and NIST 800-171 require SPU to have mandatory cybersecurity training that is used in employee onboarding and repeated annually. Training is also strongly recommended by SPU's cybersecurity insurance provider. This applies to all faculty, staff, and student employees. Please complete this training by January 1, 2022.

For a more humorous take on cybersecurity issues, see the videos in last year's cybersecurity awareness month blog post.

Email Data Loss Prevention

Email is not a secure medium and is not safe for transmitting sensitive information. SPU will begin rolling out a new feature called Email Data Loss Prevention (DLP) that identifies sensitive data that should not be sent via email. During the rollout period, you will see a security warning before you send a message containing sensitive information, and you will be allowed to override the DLP system. If you get this warning during a normal business process, please request a Business Process Consultation to help you transition to a more secure way of sending or receiving sensitive information. After the rollout period, the Email DLP system will block any email containing sensitive data, and you will not be able to override it.

Vendor Cybersecurity Assessments

Completing a Higher Education Community Vendor Assessment Toolkit (HECVAT) assessment is now required for all new vendors that have a software component, and is recommended for vendors that only provide services but have access to SPU data. This includes cloud or SaaS vendors as well as hardware and equipment vendors whose products include a software component (for example, a new HVAC system that can be managed remotely from a computer). This change has been noted in the Enterprise Software Acquisition policy and is required by the Gramm-Leach-Bliley Act and by NIST 800-171.

Protecting Student Privacy

Everyone values privacy and is frustrated when companies are careless with the sensitive information they're entrusted with. As a member of the Seattle Pacific University community, you share in the responsibility to protect our students by complying with data security regulations and University policies. The Regulated Data Chart provides a simple overview of which locations have the security and contractual protections to store certain types of sensitive Regulated Data. You can also learn more about the campus Data Policy, Data Laws and Regulations, and Handling Confidential Data responsibly.

Using a Personal Computer for Work

Personal computers and departmentally purchased (unmanaged) computers do not have the same security and regulatory compliance protections as SPU-managed computers purchased and managed by CIS. Personal devices or cloud resources (like Google Docs) used for work purposes are subject to eDiscovery and can be confiscated or seized if they are suspected to contain information related to a lawsuit against the institution. Protect yourself, your property, and the University by following the Use of Personal / Un-Managed Devices for Work policy.

Use OneDrive for Cloud File Storage

Storage platforms like Dropbox and Google Drive are not compliant for sensitive or regulated University data, such as information protected by FERPA. OneDrive for Business, along with Microsoft Teams and SharePoint, are the contractually protected platforms approved for storing sensitive documents in the cloud.