As faculty and staff adjust to the new normal of teaching and working remotely, the Office of Information and Technology (OIT) has been hard at work to ensure cyber security remains a priority as users shift off-campus.
Many of the threats to Boise State’s networks and information remain the same as when users are on campus, but others are unique to remote working.
“Certainly, social engineering threats such as phishing and social media campaigns are present onsite or offsite,” said Doug Ooley, OIT’s executive director and chief information security officer. “But when someone is on campus, they can utilize the tools and security controls that keep Boise State’s networks and devices secured, upgraded, patched and protected. That protection does not extend to personal devices and home networks.”
Ooley and the OIT team have provided technical tools and guidance for all employees to mitigate the risks associated with having nearly all of the university’s workforce offsite.
Virtual Private Network
Boise State requires faculty and staff (including student employees) to use the university’s managed virtual private network (VPN) service to access Boise State resources to secure communications and data.
“A VPN is the de-facto industry standard tool for securing remote working sessions,” Ooley said.
A VPN provides an encrypted, secure “tunnel” between the user’s device and university networks. This tunnel effectively protects both the user and Boise State from malicious interception of sensitive communications and data.
When employees do not use the supplied VPN, the result can be significant financial, legal or compliance impacts on the university. These could include the loss of privacy and anonymity of communications, regulatory compliance violations, or the breach or loss of sensitive university data. The reporting of such infractions can damage the university’s reputation and may inflict financial losses that can exceed millions of dollars in regulatory fines, data breach reporting and remediations.
The requirement that employees utilize the provided VPN to access university resources remotely also applies to mobile devices. Information on how to download and set up the Cisco AnyConnect VPN app can be found on the OIT website.
While the VPN requirements only apply to university employees working offsite, OIT does recommend that students utilize a reliable, reputable VPN service when connecting to courses and doing class work remotely.
Personal devices and home WiFi networks
Many employees will use personal devices on home networks for Boise State tasks. Personal devices may lack the basic security tools built into university-managed devices and networks such as strong antivirus software, firewalls and automated patching tools. This increases the risk of a device being compromised and personal and work-related information being stolen. Additionally, the use of personal devices may lead to the inadvertent storage of Boise State data on personal devices, the loss of which could have legal and compliance-related implications for the university and the user.
Employees at home may also be using unsecured networks or public WiFi networks, which are targets for malicious parties to spy on internet traffic and collect confidential information. OIT has created instructions for securing your wireless home network.
Scams targeting remote workers
OIT has seen a marked increase in malicious social media campaigns specifically targeting remote workers since work-from-home directives were implemented as a response to the COVID-19 pandemic. Ooley suggests users remain vigilant and follow some basic security guidelines.
“Always think before you click and when in doubt, throw it out,” he said. “You should use Boise State owned and managed devices if at all possible, keep your device’s operating system, software and antivirus up-to-date, and avoid sharing devices used by other family members.”
New tools, new threats
The proliferation of new remote working tools such as Zoom has presented challenges for OIT.
“There are always risks associated with adopting new software,” Ooley said. “Increased usage of a tool like Zoom provides bad actors a vehicle to focus malicious activity. The recent uptick in ‘Zoombombing’ is a perfect example.”
Despite the risks of new technology, Ooley and his team have continued to follow procedures established before the widespread call to work remotely was implemented, and little has changed regarding how they evaluate new software.
“An effective security program has to balance the demand for innovation, functionality and efficiencies in support of our business and the risks we inherit with doing so,” he said. “Boise State already has an efficient and effective process in place, so beyond expediting approvals, the underlying model to assess and accept risk has not changed.”
A human’s role in a digital world
While the technical tools do most of the virtual heavy-lifting, the end user bears much of the responsibility for remaining cyber secure. From not updating software to clicking on phishing links or simply losing devices, human error can leave even the most secure system susceptible.
“Ultimately, cybersecurity is a shared responsibility,” Ooley said. “We strive to provide the most cyber secure infrastructure and device management security as possible but the user has an equally important role in keeping Boise State and themselves safe. It comes down to the human factor no matter the device; people can make unintentional mistakes. Keep your devices patched, use the VPN, always be vigilant and follow cybersecurity best practices to minimize risks.”