Annual Update: Cybersecurity at Biola in 2022

October 5, 2022

In addition to National Apple Month, National Caramel Month, Bat Appreciation Month, Emotional Intelligence Awareness Month, and American Cheese Month, October is also National Cybersecurity Awareness Month (NCSAM).

Each year at this time, we like to provide updates on the state of cybersecurity at Biola. As the quantity and variety of cyber threats increase, so do mitigation efforts and compliance requirements. The InfoSec team works year-round to protect Biola’s people, resources, and reputation. Thanks to your consistent participation in protecting Biola’s data, we’ve had another cybersecure year!

Here are some updates.

Training and Awareness

Employee habits are the main line of defense against data breaches, which is why we take training and awareness seriously. Our main efforts in this area include:

• Mandatory annual cybersecurity training for all employees

• Simulated phishing attacks

• Articles posted on our InfoSec website

This year, 77% of employees completed their mandatory cybersecurity training (compared to 81% in 2021). We also sent a follow-up quiz this year. Let’s aim for 100% participation in 2023!

Our phish-prone percentage (how likely we are to fall for a phishing attack) is 8.7%, down from 12.3% in 2021 and 17.6% in 2020. We’re all getting better at recognizing phishing attacks. Nice work, team! Our goal is to beat the industry average of 4.3%. The InfoSec team will soon require additional phishing and social engineering training for employees who repeatedly fall for simulated phishing tests. Stay alert, and don’t click on email links unless you’re certain they’re safe. And always be incredibly cautious when anyone asks you to submit usernames and passwords.

Just last week, nearly 7,000 Biolans received a malicious phishing email asking them to submit their NetID and password, and no one fell for it. You did well!

Penetration Testing

Biola IT contracted with an outside agency to conduct an internal network penetration test. This test simulates the actions of a skilled attacker in order to find security gaps in our technology environment.

Our penetration tester spent ten days investigating our network and enterprise systems, and identified 5 critical and 23 high vulnerabilities in our environment, which granted access to highly sensitive data. Our teams in IT spent four months working together with departments to either remediate each of these vulnerabilities or decommission the vulnerable systems.

These vulnerabilities demonstrated the need to maintain up-to-date technology systems around campus.

Multifactor Authentication (MFA)

IT deployed the Microsoft Azure AD MFA solution in May 2022 and began transitioning enterprise systems to the new service. We will move Biola’s VPN service to this solution by the end of October of this year and will continue migrating all systems to Microsoft MFA over the next 9 months.

MFA was enabled for faculty, staff, student, and alumni Google accounts in May 2021. MFA was fully implemented on department Google accounts in September 2022.

Program Development

The InfoSec team spends a significant portion of our time developing the information security program at Biola. We are building Biola’s program in alignment with the Center for Internet Security’s (CIS) Critical Security Controls framework, which specifies the requirements for a adequately securing Biola against cyber threats. This is a multi-year endeavor that involves all IT teams.

We also published a data classification chart and a data handling guide so that employees have a standard to follow when assessing and handling university data.

Compliance

Regulatory compliance is a critical part of information security, both for our team and yours.

We continue to work with Legal Counsel, Purchasing, and other departments to stay compliant with cyber liability insurance requirements, the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, the Payment Card Industry Data Security Standard (PCI DSS), and other standards. Thank you to every Biola department that has helped us to satisfy industry requirements.

What’s My Part?

The most important overall action you can take is to stay alert. Attackers count on employees to fall for social engineering attacks.

The most important practical steps for you to take are to:

• Complete your mandatory annual cybersecurity training, which we assign in the spring. To maintain a secure environment, and to remain compliant with industry standards, our employees must be trained each year.

• Don’t make it easy for the attackers to access our data. This means that you should avoid clicking links in email messages, avoid downloading and opening attachments, don’t submit your username and password except through trusted sites, watch out for phone and text phishing attacks. If anything about an email message or phone call seems at all suspicious, treat it as if it’s an attempted attack.

• Create a culture of cybersecurity. Make sure the people on your team have good password habits, know how to store sensitive data, and are able to recognize imposter fraud. Always check our website for cybersecurity best practices, and reach out to us if you have any questions or concerns.

• Protect your data. Make sure you know the protection levels for the data you handle, and that you're properly storing, sharing, and protecting university data.

Thank you for your efforts to protect Biola’s data. We notice whenever you forward suspected phishing emails to phishing@biola.edu. We see each time someone clicks the Phish Alert Button in Gmail. We see all of you who took time to finish your cybersecurity training. We appreciate you and the way you protected Biola in 2022.