Main content

Cyber Security Upgrades

Security

Cyber Security Upgrades at Purchase College


We all receive phishing messages trying to trick us into logging into fake websites to steal our credentials. When they succeed, they steal the contents of our mailboxes and then use our accounts to phish others, including everyone in our contact lists.

Our email accounts are where our online banking and shopping accounts are homed - and our email account can be used to reset those passwords and gain access to those accounts.

The bad actors are getting better at what they do. These campaigns are increasingly conducted by foreign state or military operators. This real and present danger cannot be understated. Phishing accounted for over 93% of the breaches that occurred last year. People are always the weakest link, and social engineering is the easiest way to penetrate any organization.
Phishing risks exposure of critical and sensitive information, and our ability to communicate with the world.

Please remember: No college officer or official will ever ask you to conduct fund transfers, buy them gift cards, or send sensitive information via email. If you get any request like that – or anything unusual at all – call the requester on the phone and verify before acting or responding.


What are we doing about this problem?


Campus Technology Services (CTS) has many security measures in place already, and we engage in projects to ensure the continuous improvement of the College’s information security posture.


What’s that lil’ blue doggie on my desktop?


Last spring the College acquired a Data Loss Prevention tool named Spirion to scan for the presence of personal, private or sensitive information (PPSI). This tool scans email, PCs, Servers, and databases. Tested on our own staff first, this tool proved very effective in identifying sensitive information in our possession that the owner may not be aware of. Over the last few months CTS has conducted scans upon request for a variety of offices and individuals to help them identify and manage their important and sensitive information.
We have now deployed the Spirion client to a variety of administrative offices across campus, and you may notice the cute little blue hound-dog icon on your desktop. In deploying the Spirion client we are moving to a more proactive approach. Spirion looks for SSNs and credit card numbers – and you may get a pop-up warning if you try to type an SSN into an email message. It will allow you to acknowledge and continue in its current “monitoring mode.”

Spirion does not remove or modify your data in any way, nor does it automatically notify anyone. it allows you to identify sensitive data, and it allows you to classify sensitive data. Spirion can be used to report on the location of sensitive data so that you can better control it or remove it as you deem necessary. Per the college’s long-standing Privacy Policy, Spirion reports only to you, or to a Supervisor when and if there is appropriate written executive authorization for a specific incident.


New York State SHIELD law

As is increasingly clear to all of us, “Surveillance Capitalism” is out of control. Since 2008 and the dawn of the smartphone, citizens worldwide have willingly given up their privacy to technology giants in return for a few shiny baubles (apps on our smartphones) offering mostly inconsequential conveniences or manipulated news feeds.The European Union attempted to claw back some basic privacy rights for EU citizens in 2017 with the General Data Protection Regulation (GDPR). California and New York have now passed similar laws. Last July, The New York state passed the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act – which takes effect on March 21st 2020.


This new law significantly broadens our Breach Reporting requirements. If you get phished – and you give away your Account and Password – that must now be reported as a breach, whether anyone accesses your account or not. That happened to 213 individuals at Purchase College within the last year – most of them faculty and staff. After March, every phished account must be reported to the State as a breach – whether there is any sensitive information in the account or not.

If you have not already taken the online Security Awareness training - do so now.  Awareness training is one of the best ways to understand why you need to be careful where you click. Err on the side of caution and call someone when they send you anything unusual. Look at the actual email address of the sender - does it pass the sniff test? Do not buy those gift cards for your supervisor, and if they ask you if you are available during working hours, then it’s probably not really coming from them.

Security Awareness Training

New York State and SUNY mandate that all employees must participate in Security Awareness training. Last September Purchase College launched a new training environment that everyone agrees is “much better” than the previous training.This training consisted of about 45 minutes of interactive video, and more faculty and staff completed the training than ever before.(If you have not already completed the training, please visit the training dashboard to begin.)  In February we will launch a Spring Training campaign – look for an announcement shortly.

Treat your mailbox like the one outside your front door – yes, important stuff gets dropped off there, but you take it inside the house for safekeeping. Don’t leave important or sensitive documents in your mailbox.