Information Security and Privacy is everyone’s business

Posted on Tuesday, January 11th, 2022

Protecting the privacy and security of employee and learner information at Algonquin College is everyone’s job. Data Privacy Month in January exists to ensure every member of the College community has the knowledge and tools to do the job well.

The College employs its Cyber Security Unit (CSU) to protect learner and employee privacy. Senior Privacy Specialist Stefano Bianco says the team is engaged full-time in deploying state-of-the-art safeguards and technology that scans the College computer network for attacks in real time.

“There are thousands of attacks that our safeguards detect and intercept every day,” Bianco says, “but we still need the College community to be aware and alert and do its part to keep our systems secure.”

When people let down their guard, systems can be compromised. In the last phishing incident, the attackers used compromised accounts to send emails asking people to input their College credentials in a Google form.

“You will never receive an email from the College asking you to do this,” Bianco says. “No College employee will ask you for your College credentials and say they need them to fix something.”

The CSU, a division of ITS, was rapidly alerted to the intrusion and went to work to block the compromised accounts and remove the offending emails. But to be optimally protected, the College also needs employees to play a role. To increase awareness of cyber attackers and their methods, the College has a mandatory online Information Security Awareness and Training program (which is available on the Employee Learning Platform) to prepare employees with the knowledge to act in the face of these ongoing threats.

This knowledge includes alertness to the kinds of phishing emails that caused the intrusion, which usually follow a certain pattern

  • The sender requests sensitive information such as SIN, Algonquin credentials, etc.
  • The message creates a sense of urgency for you to perform a specific action.
  • The sender directs the recipient to click on a link (which may download malicious software on your device).
  • The message creates a feeling of fear if you do not perform a specific action.
  • The email contains an offer that appears too good to be true.

How do you protect yourself from phishing emails?

  • Be wary of any messages with the ‘AC ITS Caution” banner – the warning banner is applied to any incoming mail originated from an external sender. It is intended as a first line of visual defence for all Algonquin College employees: if you receive an email with this banner, even though it appears to be sent by a colleague, it is most likely phishing.
  • Do not click on any links or attachments unless you are certain the email is from a trusted individual or entity.
  • Forward or report a suspected phishing email using the “Report Phishing” Icon located on your Microsoft Outlook email Quick access toolbar. If you do not have this icon (which looks like a fish), please contact the ITS Service Desk for assistance to install it.
  • If you respond to a phishing email with your password, change it immediately, notify the Cyber Security Unit via this link, and report the email using the “Report Phishing” Icon. The Cyber Security Unit will work with you to protect your account.

While Information Security plays an important role in protecting sensitive information, it is not enough alone to ensure that we respect the privacy of College community members. Data Privacy Month provides a high-profile platform to disseminate privacy best practices, so employees know how to protect College information and share it with colleagues and learners in the safest possible manner.

Almost every employee at the College deals with sensitive data, including learner, alumni, employee and donor data. They collect or access this sensitive information in order to do their jobs. Some of the best practices in doing so with maximum safety and security are as follows:

  • Employees should only have access to the information they need to do their jobs. Someone in the Registrar’s Office needs different data, for instance, than someone in Finance. This avoids potential abuse of data, and limits access by malefactors in the event one or more of the College’s accounts is compromised.
  • In every instance, employees should collect the minimum amount of information required to achieve their goal. For example, when creating a web form for people to register for a webinar, they should not be asking or an employee or student number.
  • When asking for data, employees should explain why this information is being collected. This gives the other employee or learner a degree of control and lets them decide whether or not to provide it.
  • When sharing sensitive personal information with learners or colleagues by email, employees should pay particular attention. Sending sensitive personal information to the wrong individual could result in liability for the College. When a breach takes place, report it immediately. The Cyber Security Unit will assist in remediating the situation. During Data Privacy Month, the College will highlight email best practices to avoid privacy breach situations.
  • If, after data is collected for a specific purpose, there is a proposal to use it for other reasons, these should be examined in detail. For instance, the College collects student pictures in order to issue student cards for identification purposes so they can access services. If a plan arises to use them elsewhere, say in the Learning Management System, an assessment needs to be carried out to ensure that the purpose matches what the students were originally told.
  • Whenever the College decides to change existing programs in ways that might affect the privacy of learners or employees, a privacy assessment should identify possible risks to individuals and provide recommendations to eliminate or reduce those risks to an acceptable level.

“Hackers have so many ways to take advantage of the good nature of people,” Bianco says. “So we need to be alert to anything that seems suspicious. At the same time, Information Security alone is not enough to ensure that the College respects the privacy of learners. We need people to take the Information Security Awareness and Training program to heighten awareness and to share privacy best practices. Every bit of knowledge employees can gather on this subject is good for them and good for the College.”


Comments

Comments are closed.