Compiled by Valerie Rhodes-Sorrelle, M.P.A, C.P.M., Grand Valley State University
Susan K. Korzinek, Grand Valley State University
Cyber security is a hot topic currently, but what does it really mean? How do we protect ourselves and our institutions?
In this article we will discuss these questions—and many more—by way of an interview with Susan Korzinek, Associate Vice President and Chief Information Officer at Grand Valley State University (GVSU).
Valerie: In your own words, define cyber security and tell us what it means.
Sue: Cyber security is the protection of a broad array of IT services, as well as how individuals access and interact with those services. It is both physical and electronic access to our data centers. It covers the protection of data that is stored on computers, mobile devices, USBs, and data servers. It covers the applications we use to access the data. Cyber security includes the authorization to these applications and data, as well as the education individuals need to protect that data.
Valerie: What are the top issues that affect the security of computers and computer-related equipment?
Sue: The top issues we face are: 1) protecting personal/confidential/proprietary information that is stored electronically, and 2) educating end-users on how to protect the data they access.
Valerie: How has cyber security changed your role and the role of your staff at GVSU and what is GVSU doing to protect the University?
Sue: With the increase in viruses, phishing, and malware, cyber security has taken over the day-to-day work tasks that we are dealing with, pushing normal projects to the bottom. The demands affect the IT organization in every role. Management has to deal with policies and enforcement. Network engineers have to install new hardware and software to assist in keeping out viruses, phishing, malware, and other threats. Programmers have to code differently than in the past in order to protect the data. Helpdesk staff have to clean machines more often.
GVSU has had to train existing employees to perform cyber-security tasks, in addition to taking on their normal day-to-day duties. We have hired temporary employees to assist in managing the infected computers and hacked accounts. We have added one dedicated employee just to do security work, and we have been funded to hire one more this upcoming year, along with another employee to help with the backlog of security projects that have accumulated. As an administrator, I am leading a team to adopt new policies around cyber security and to develop standards and procedures governing access or the performance of specific functions, so that we are protecting all data under our responsibility.
Valerie: How does GVSU communicate with and educate faculty, staff, and students on cyber security?
Sue: We send a monthly newsletter to all staff as well as require annual cyber-security training. There are a couple of smaller cyber-safety committees that I chair, and we discuss ways to educate our community. Through one of those committees, working with our Student Life Office, we developed some videos to educate our students. We send emails about current scams to employees and students, if we feel that they could be targeted. We also post information on our cyber-security website. We submit daily awareness tips to our public shared folders in Outlook to help individuals stay current with what is going on, providing educational information.
Valerie: What are your recommendations for protecting computers?
Sue: Keep a strong password and never give it out. Do not click on suspicious emails with links or attachments. If in question, attach the email and send to the IT Helpdesk for review. If you have a personal machine, make sure you have some type of virus and malware protection installed and keep it up to date. Many businesses will push out security updates for both company-owned and personal machines. Make sure you accept the Windows or Macintosh updates whenever they pop up for you to download; install them.
Valerie: What do you do if your computer is infected?
Sue: Turn off the machine immediately. If it is your work machine, contact your IT Helpdesk. They will instruct you what to do next. If it is your personal machine, turn it off and get assistance from a reputable source. On a clean machine, change your passwords as soon as you can.
Valerie: Is it important to turn off Bluetooth capabilities from devices when traveling? If so, why?
Sue: Yes. Bluetooth technology allows your device to connect to any open Wi-Fi. If your Bluetooth technology is always on, hackers can connect to your device and potentially infect or steal your credentials. If you must connect to a Bluetooth device, turn it on and connect only for the time period needed, then turn it off.
Valerie: How can you increase security when web browsing?
Sue: Never use a link or attachment to go to a site to enter credentials. Go directly to the trusted site, like your bank for instance, that would be secured with a certificate (https://) and log in normally. Make sure that any site that requires you to enter personal or payment information has a secure certificate. Hover over the link in an email and check for its validity; many times the link is not even closely associated with the intended organization (they are trying to direct you to a site where they can steal your credentials or infect your machine).
Valerie: How is GVSU fighting cybercrime, and how are cyber-security issues being handled?
Sue: As I mentioned previously, monthly newsletters, updates to the cyber-safety website, mandatory training modules for new staff, mandatory annual training for all staff, professional development for specific IT personnel, and monthly meetings of the various cyber-safety committees. We are requiring stronger passwords and implementing more tools that notify IT of suspicious behaviors.
IT has annual security audits to help identify areas needing improvement. We work with auditors to develop and recommend best practices for our business areas. If a cyber-security issue is identified, GVSU has a protocol in place to contact and manage it.
Valerie: What are some of the most valuable tips that you can share regarding email security, and what are your thoughts on email signatures?
Sue: Ensure that your email password is strong and never give it to anyone. If you read email on a mobile device, make sure the device requires a security PIN for entry, or requires you to log in each time to get your email. Do not read email on any public device or public Wi-Fi if it contains sensitive information. Do not click on links or attachments in emails if they look suspicious. When in doubt, take the time to verify with the sender that it is legitimate.
As for email signatures, make sure the signature is not your actual signature in digital format. Many times, names and titles are on websites that hackers use for phishing expeditions. It is best to give as little information as possible, while still providing the level of service needed by your customers.
Valerie: Sue, we are almost at the end of our interview and I would like to talk a little about hoaxes, hackers, usernames, and passwords. How does the type of username and/or password affect the security of a computer?
Sue: Your account credentials should always be kept private. This includes your username where possible. There are accounts in which the username is easily guessed or is part of an automated system that creates them. So, keeping them private may not be an option or easy to do. However, the password is the key. Passwords should never be shared and they should be complex in such a way that they cannot be easily guessed, and they should not contain any personal information that may be generally known. Passwords should not reflect your favorite colors, animals, teams, or anything else that other people may know about you or be able to figure out from social media or other sources. Passwords should be different for each account. A strong password is one that is made up of a passphrase or a combination of words that makes no sense, pulling from a combination of upper case, lower case, numbers, and special characters. Alternatively, a password manager is an excellent tool that creates the complex password for you; you will, however, need at least one strong password to access the manager.
Valerie: What should you do to reduce the chances of your password being compromised?
Sue: Again, never share your passwords with others. Never write down passwords. Create a strong password for each account and check it against a password checker. GVSU has a password checker at https://www.gvsu.edu/cybersafety/password-security-2.htm. Initiate the screensaver when you leave your computer unattended. Be cautious when clicking on links or attachments in emails and never key in your account credentials from one of those links. Do not log in to any personal information or work accounts from a public computer or on an open Wi-Fi network.
Valerie: How do you identify hoax virus warnings?
Sue: Typically these are found when browsing the Internet or possibly from an email. Never click on the links or make the phone call to “improve” your browser speed or “fix” your computer. Immediately close all applications, shut down and come back up in Safe Mode, if possible. Run the anti-virus and anti-malware applications that are on your computer. If it is a work computer, contact your IT Helpdesk and ask them to run a scan or to walk you through what you should do next. If you continue to see hoax warnings or if your browser start pages direct you to other websites, seek professional assistance to inspect your computer, as it will probably need to be re-imaged or restored to the way it was prior to the virus/malware. If the hoax appears on a mobile device, you might consider doing a factory reset.
Valerie: What are some of the results from hoax virus warnings and malicious spam?
Sue: Hoax virus warnings can create browsers opening to locations that you did not select, typically asking you to click on the site to resolve your computer problem, or they can trigger pop-ups every few seconds or every time you try to go to another site. Malicious spam can wreak havoc on your email, as it could start sending email to your contacts and potentially cause others to click on the links, which, in turn, propagates the problem and may result in additional credentials being hacked.
Valerie: How do you recover from a hacked device?
Sue: If your device has been hacked, the first thing to do is to quit using it. The more you use it and access accounts, the more information you potentially could be giving to hackers. If it is a work computer, contact your IT office immediately. If it is your personal machine, get help from a reputable source. As soon as possible, change your account passwords on a machine that has not been compromised. Contact any banks or personal accounts you feel have been hacked to have them change accounts and add extra security if it is available, such as two-factor authentication. Contact the credit bureaus with a fraud alert to monitor your accounts. A good source to review—and to prepare yourself in case of identity theft—is USA.gov.
Valerie: We are at the end of our interview. Any final thoughts and/or advice on cyber security that we have not covered?
Sue: Cyber security is everyone’s responsibility. IT cannot protect us from ourselves. We need to take cyber-safety education seriously. Slow down and think before you click. Ask questions, make an extra phone call before giving away data that might be asked of you. If it takes a little longer to get something done, it will be worth the effort—if it saves you from being a victim or contributing to the scam.
Valerie Rhodes-Sorrelle, M.P.A, C.P.M., 2013-2014 NAEP President, is Senior Strategic Sourcing Specialist at Grand Valley State University, Allendale, Michigan, where she has worked for more than 27 years in the Procurement Services Department. Valerie was awarded NAEP’s Bert C. Ahrens Achievement Award 2015-2016. She is a corporate member of the Michigan Minority Supplier Development Council and member of the Positive Black Women organization, where she served as Treasurer for 10 years. She has served on the Women of Achievement & Courage Committee for the Michigan Women’s Foundation for over a decade. She has a B.S. degree from Ferris State University and a Master of Public Administration from Grand Valley State University. Ms. Rhodes-Sorrelle writes for NAEP’s Journal of Educational Procurement and serves on the Association’s Editorial Board. Email: firstname.lastname@example.org.
Susan K. Korzinek, Associate Vice President and CIO at Grand Valley State University, worked for Universal Forest Products as a Systems Analyst before coming to GVSU in 1993. Her Grand Valley career has included positions in Administrative Computing and Academic Computing and as Director of Information Technology. She graduated from GVSU in 1983 with a B.A. in Computing Information Systems. Email: Korzines@gvsu.edu.