The year 2020 broke all the records when it came to cybersecurity incidents. Driven by the pandemic and the shift to remote work, there were over 1.4M reports of identity theft in the US, more than double the reported count in 2019. Malware increased by more than 350% and several colleges and universities have been significantly impacted by ransomware. The higher education industry is particularly vulnerable as it holds tremendous amounts of data about its constituents and is generally considered a "soft target" (easy to attack). SPU is not immune to these incidents as the University continues to block millions of attacks per day and combat fraudsters impersonating SPU deans and administrators. The University strives to be diligent about security to protect the SPU community and we need your help!
Change on the Horizon
The rise of incidents has prompted a reciprocal increase in SPU's cybersecurity insurance. The Department of Education has also taken notice and is contemplating a shift from merely recommending NIST 800-171 cybersecurity standards to requiring institutions to meet them. There are also new requirements for institutions accepting federal financial aid under CUI and GLBA. The Office of Computer and Information Systems, in partnership with the Office of Risk Management, is working to adapt SPU policies, training programs, and systems to reduce risk and protect the SPU community and our students. While some changes are necessary, SPU will endeavor to keep them from impacting your important work. The following are some of the changes approved by the Senior Leadership Council that are coming in the near term.
There is a new Cybersecurity and Online Habits training available for you to take as part of the Human Resources compliance training program. Both the Gramm-Leach-Bliley Act and NIST 800-171 require SPU to have mandatory cybersecurity training that is used in employee onboarding and repeated annually. Training is also strongly recommended by SPU's cybersecurity insurance provider. This applies to all faculty, staff, and student employees. Please complete this training by January 1, 2022.
Email is not a secure medium and is not safe for transmitting sensitive information. SPU will begin rolling out a new feature called Email Data Loss Prevention (DLP) that will identify sensitive data that should not be sent via email. During the rollout period, you will see a security warning before you send a message containing sensitive information, and you will be allowed to override the DLP system. If you get this warning during a normal business process, please request a Business Process Consultation to help you transition to a more secure way of sending or receiving sensitive information. After the rollout period, the Email DLP system will block any emails containing sensitive data and you will not be able to override it.
Everyone values privacy and is frustrated when companies are careless with the sensitive information they're entrusted with. As a member of the Seattle Pacific University community, you share in the responsibility to protect our students by complying with data security regulations and University policies. The Regulated Data Chart provides a simple overview of which places have the security and contractual protections to store certain types of sensitive Regulated Data. You can also learn more about campus Data Policy, Data Laws and Regulations, and Handling Confidential Data responsibly.
Using a Personal Computer for Work
Personal computers and departmentally-purchased computers (unmanaged) do not have the same security and regulatory compliance protections as SPU-managed computers purchased and managed by CIS. Personal devices or cloud resources (like Google Docs) used for work purposes are subject to eDiscovery and can be confiscated or seized if they are suspected to contain information related to a lawsuit against the institution. Protect yourself, your property, and the University by following the Use of Personal / Un-Managed Devices for Work policy.