The State of Cybersecurity at Biola in 2021
September 30, 2021
October is National Cybersecurity Awareness Month, so stay tuned this month as the information security team reviews fundamental cybersecurity principles. If you’re a new employee at Biola, this will be a great way to get caught up, and if you’ve been around for a few years, it will be a helpful refresher!
Article at a Glance
- The Information Security team is now exclusively focused on cybersecurity at Biola University.
- Third-party vendors are a major risk for data breaches, but the Biola Information Security and Legal teams are working together to protect university data.
- All Faculty, Staff, Student and Alumnus Google accounts are now protected with 2-Step Verification! Departmental accounts will begin using 2-Step Verification in October of 2021.
- Simulated phishing tests demonstrate that Biola employees are improving at recognizing phishing messages.
Information Security Team
Biola's Information Security team oversees the Information Security Program, serving as Biola's first point of contact for information security incidents, providing training and development opportunities, and overseeing the annual assessment and review of regulatory requirements.
Since 2018, our InfoSec team has consisted of three staff members with multiple roles in IT. This year, in light of increasing cyber threats, our team is now exclusively focused on cybersecurity.
- Steve Earle serves as the Chief Information Officer, oversees the Information Technology Department and, in conjunction with the IT Leadership team, establishes the direction, goals, and objectives of the Information Security Program.
- Anthony Valentino is the Director of Information Security; he oversees the Information Security team and manages the program.
- David Walton and Timothy Pinkham serve as Information Security Analysts, carrying out the goals and objectives of the Information Security Program.
This has been a big year for Information Security. Beyond the everyday work of creating awareness, responding to security incidents, and training employees, this year our team focused on three areas:
- Protecting Biola software and services.
- Google accounts are secured with 2-Step Verification.
- Employees are recognizing simulated phishing messages.
What We've Done
Contract Review: Protecting Software and Services
These days, very little work happens at Biola that doesn’t depend on technology or interact with university data in some way. Whether it’s a faculty member using qualitative research software, baseball players using iPads to record and analyze their pitches, or HR tracking workers’ compensation claims for OSHA reporting, data is everywhere and needs protection.
If a software company storing Biola data suffers a data breach, Biola could be held responsible, and our people, resources, and reputation would be at risk.
This is why the Information Security team reviews all the contracts for software the university uses. The last thing we want is for our business data—or your personal information—to be compromised because of a vendor’s poor security practices.
For the past 18 months, the Information Security team has worked closely with Biola Legal and Purchasing departments to review all technology purchases that interact with Biola data. We negotiate with vendors to ensure that their security practices meet our standards, and that all pertinent contracts include terms that protect Biola.
Since October 2020, the Information Security team has reviewed nearly 100 technology purchases and renewals to ensure that Biola data is protected.
This year, Information Technology rolled out Google 2-Step Verification to protect Google accounts.
2-Step Verification (2SV) is a form of multifactor authentication, and adds an extra layer of security on top of your passphrase. 2SV makes it very difficult for an attacker to gain access to your Google account, even if they know your password.
First, we enabled 2-Step for faculty and staff, since employee accounts are more likely to store sensitive information in their email or Google Drive. By March 2021, all faculty and staff Google accounts were using 2-Step Verification.
Second, we focused on students and alumni. Student accounts may carry FERPA-protected data (and many student workers also have business data). Additionally, 2SV ensures that our students’ privacy is protected from unauthorized access. As of September 2021, all student and alumni accounts are protected with 2-Step Verification.
Next, we’ll be focusing on shared departmental accounts. Be on the lookout for more communication about 2-Step for shared accounts in the coming weeks!
Phishing attacks have increased over 220% during the pandemic, so learning to recognize suspicious emails is more important than ever.
Simulated phishing is graded based on the percentage of users who fall for a simulated phishing attack. Based on our scores over the last three years, Biola employees are getting better at recognizing phishing messages, but there is still room for improvement.
As a reminder, if you think an email could be simulated phishing, don’t click any links in the message!
If you are signed in to a Chrome web browser with your Biola email account, you can click the Phish Alert Button to report suspicious emails.
There are many new opportunities for Information Security at Biola! Here’s a sneak peek at what we’re working on for the next year:
- Run penetration tests on Biola’s network and computing environment, to identify current vulnerabilities.
- Implement a multifactor authentication solution for login.biola.edu and critical business applications (e.g. Banner).
- Improve our incident response procedures, and develop emergency tabletop exercises for data breaches, ransomware, or other attacks.
For Cybersecurity Awareness Month, we’ll send out additional updates here and on My Biola. Look for our article each week in the Campus-wide News email!