October Security Awareness | IT in AV
In 2004 the Federal Government declared October National Cyber Security Awareness Month. When it comes to cyber security many think it is about a strong password and setting up a firewall but there much more to it. This month’s article I will take a look at why security is important and the impact we can see.
Cost (The Impact)
If we take a look at most cyber security that hit the news they center around ransomware. The latest was the hack on MGM Casino. These attacks encrypt all the data they can and then hold that data for ransom. To recover this data you will need to pay the hackers to get the decryption key. Many businesses look at this ‘cost’ and then they determine if they will pay it or try to recover without paying it. This does not take in account the hidden cost when this happens. Yes a business may pay $30K to get the key but the lost business during this time keeps adding up. Every second that business can not access data the cost goes up. Many businesses have cybersecurity insurance. Insurance is, like any type of insurance, to help pay for costs when something happens. The problem with cybersecurity insurance is many of them do not cover the full cost that a business lost.
How does this collate to higher education? Simple, even though higher education focuses on education it is still a business. Joe Way has an article on this site about the business of AV that I highly recommend. Let's take 1 student in account and let's say that each semester their cost is $4,000 and they take a full class load of 4 classes. That means the student is paying $1,000 for each of their classes and they expect to be educated in return. This means in a 16 week semester that student is paying $250 a week or $50 a day to be educated. Now let's say the school is a victim of ransomware and the hackers are requesting $30,000 for the key. Now from the time the school finds out their data is encrypted and them paying for the key can take days. Let's say this process takes 10 days, even though we know things move slowly in higher education, which means the student is losing out on $500 worth of education they paid for. Now if we scale that for a school enrollment, say 25,000 students, that means the school is on the hook for $12,500,000 in education services they should be providing to their students. So the $30,000 hack, even if paid for, really cost the school $12,530,000 and that does not take into account any fines they might need to pay or impact to other aspects of business for the school. Also then there is the risk of losing students, new or current, because now the school is viewed as someone who can’t protect their students' data.
What To Do (Important)
What can we do to help protect our schools? If you noticed I said ‘help protect’ and didn’t say ‘prevent’; as the saying goes ‘It's not if you will be hacked, but when you will be hacked’. There are steps we can take to help protect our schools and I will list just a couple.
- Make sure you take your school’s cyber security training seriously. Don’t push it to the side thinking it's not important or that it won’t happen to you. Also if your school does not do cyber security training, then you need to bring this idea to your leadership.
- As cyber security training covers but I will mention it here as well. Make sure you don’t click on unknown links, open unknown attachments, or scan unknown QR codes. If you are unsure of something then talk to the person who sent it (if you know them) or talk to your security team.
- Make sure you change equipment default passwords. We can thank California for the fact that many equipment now requires a password change once you first log into them. Also do not share this password with anyone who should not have access to it. Also, just like our own personal account, change passwords often; yes Joe I had to say it. What I like to do is change AV equipment password yearly. This is because usually we have student workers who left and new student workers who joined the team.
- Set security settings on your equipment. If you are unsure how or what then work with your security team. This could mean changing default ports, private vlan, and even using zero trust.
This article only scratched the surface of cyber security. The best security, for our equipment and schools, is us. We need to make sure we know what is happening out there and are following proper security practices. We should not only be mindful of cyber security during the month of October but we should always be mindful of security. We wouldn’t leave the front door of our house wide open so let's not leave our AV equipment open to the world.