Stay Informed

Zoom Privacy and Security Guidelines

What is Zoom Bombing?

Zoom bombing refers to the unwanted, disruptive intrusion of one or more participants into a video conference call. In a typical Zoom bombing incident, a teleconferencing session is hijacked by participants engaging in behaviours that are lewd, obscene, racist, homophobic, offensive in nature or otherwise inappropriate, typically resulting in the shutdown of the session. This may include, but is not limited to, disrespectful gestures or body language, insults, display or sharing of offensive audio or visual material, and inappropriate communication via chat, including sharing of malicious links or files.

Your Zoom meetings may be wide open to Zoom bombing if you don’t know how to set the host controls properly.

Review the following documents to learn how to stop bad actors and respect the privacy of meeting participants to keep your video calls on track.

Privacy and Security Guidelines for Staff

This document outlines the security and privacy safeguards that Algonquin College staff must implement when using Zoom for meetings with other colleagues or third party participants (e.g. vendors). Faculty should use the Zoom Security and Privacy Guidelines for Faculty when conducting online classes with learners.

ZOOM Security and Privacy Guidelines for Staff

Privacy and Security Guidelines for Faculty

This document outlines the security and privacy safeguards that Faculty must implement when using Zoom for conducting online classes with learners.

ZOOM Security and Privacy Guidelines for Faculty

Privacy and Security Guidelines for Employees using Zoom for Hosting Events Open to the Public

This document outlines the security and privacy safeguards that Algonquin College faculty and staff must implement to prevent and respond to Zoom bombing when using Zoom-meeting for conducting events open to the public.

Events open to the public involving a large audience are the preferred target of Zoom bombers. Where feasible and appropriate, these events should be conducted in a webinar format. If you plan to hold these events in a meeting format, follow this guide.

ZOOM Security and Privacy Guidelines for Events Open to the Public

Cloud Storage Security


Cloud storage is a cost-efficient method of storing data on remote servers that can be easily accessed on the Internet from anywhere. Information is not stored locally, so hardware losses or failures do not result in information loss. Cloud storage is growing rapidly and being implemented in personal and corporate environments, providing many benefits in both areas. However, such rapid growth and usage can lead to complications in privacy and security.

At Algonquin College, employees are granted access to public, internal, and sensitive information. Employees may work from an office, from home, or from other locations, using different computers from time to time. Cloud storage is thereby becoming an excellent business solution to meet employee’s changing needs.

However, if an employee is unfamiliar with the storage solutions offered by the College, they may feel inclined to use personal cloud storage accounts, such as Dropbox, Box, or Google Drive. When employees use a non-approved cloud storage solution such as these, the College loses central, administrator access to that corporate information. As well, the College loses control over the security policies that dictate the protection of that information. For example, employees will use their own passwords with Dropbox that may not meet the College’s IT05 security policy for password complexity or periodic replacement, and in the process lower the level of security afforded the information. The use of these non-approved cloud storage solutions also needlessly creates additional costs.

Please make sure you are using ITS approved cloud storage, OneDrive. Many businesses including Algonquin College use Microsoft OneDrive for Business, which is an approved, centrally paid for, and cloud storage solution.

You can find information regarding storing sensitive information at https://www.algonquincollege.com/infosec/faculty-staff/policies-and-practices/directives/

This page includes a list of policies that contain detailed information about the legislation and policies that apply to the protection and safe storage of sensitive information within internal databases.

Please familiarize yourself with it. Help Algonquin College better secure its corporate information.

Information Security is everybody’s business.

Data Security


The first step to protecting sensitive information from unauthorized access is data security. Data security refers to privacy precautions that are applied to prevent unwanted access to secure and sensitive information. By following these simple steps to stay secure, you can make a big impact on privacy and information security, both at home and at Algonquin College.

Keep it Limited – Keep the amount of personal information online to a minimum: the more sensitive information you make public, the less secure you are. For example, do not share your social insurance number or your banking information.

Use Strong Passwords – Make sure you are not using the same password for every account. Use at least 8 characters consisting of capitals, lowercase letters, numbers and symbols. Use a password manager such as LastPass.

Keep Software up to Date – Make sure to install the latest software on all computers and mobile devices. Having outdated software increases your chances of losing your sensitive information to a cyber attack.

Encrypt it – If you have access to sensitive information, make sure it is encrypted; this will increase security when transferring files through email, USB, etc.

Do not share – Do not share your passwords with anyone and only grant access to sensitive information if necessary.

Install antivirus protection – Antivirus and anti-malware software are essential for online security; they help keep viruses off your devices, keeping your data secure. Use anti-malware software such as Malwarebytes.

Backup regularly – Creating regular backups to an external hard drive or in the cloud is an easy way to ensure that your data is stored safely.

Following the above tips will help ensure your personal and sensitive data will stay secure, and please remember…

Information Security is everybody’s business

Laptop Protection


Did you know that every 53 seconds a laptop is stolen? The theft initially occurs to steal the hardware, but now it is very common for the data found in the laptops to be uploaded and sold online.

We’ve witnessed an increase in missing or stolen laptops, tablets, mobile phones, and portable media drives – both on and off campus.

Thieves know that people will forget to protect their valuable assets for a fleeting moment, leaving them clearly unprotected and visible in cars, on counters and in carts.

It only takes 5 seconds for a thief to steal your laptop!

Please be careful and protect these assets and the valuable information stored within. As an employee or student, you have a responsibility to follow College security-related policies, including IT01 and IT05. See the various security tip sheets on how you can protect assets here: https://www.algonquincollege.com/infosec/faculty-staff/resources/tip-sheets

Use a strong password/pin, use encryption, and don’t store sensitive information that you don’t have to. Above all, use common sense.

The Darker Side of Social Media

There is no argument that social media has helped individuals, businesses, and causes attain exponential heights in publicity and profits in record times. Through micro-storytelling, social media has helped bring people together from all different backgrounds and origins and built many valuable friendships and relationships because of a common ground in interest or belief. But there is also no argument that social media has brought some people and businesses to depths they could never have anticipated. Businesses aren’t spending enough time researching the security implications of social media and subsequently training their staff on how to prevent compromises. This article takes you through a couple of things you should know, particularly how social media has tricked you into thinking that a little sharing is harmless.

‘Twenty Things You Don’t Know About Me’

Many users have received private messages from their Facebook friends who have just created this list, titled ‘Twenty Things You Don’t Know About Me’. Users are invited to read it, create one for themselves, and notify others – similar to a chain letter. The list consisted of some seemingly inconsequential questions like:

What was my most embarrassing moment? Have I ever played hooky? What was the name of my first elementary school? What was my favorite pet’s name?

The first two are instances we can all relate to when we need to express a little humility, but the last two seem a tad familiar, don’t they? Perhaps you may have used these questions when you were setting up your security verification for online banking? By providing these kinds of details, although you appear to just be sharing them with friends, you may actually be providing an easy channel for identity theft. If you feel you must partake in situations like this, first, stop and think about how/if you’ve answered these types of questions in an online space before (i.e. online banking) and second, refrain from using a similar answer.

Sharing Your Photos and Videos

Photos and videos can give away a lot of information about your identity. If you are posting an image of someone else, be aware of how you may be compromising their privacy. Never post a video or photo of anyone without getting their consent first.

Photos and videos can also reveal a lot of information unintentionally. Many cameras will embed hidden data (metadata tags), that reveal the date, time and location of the photo, camera type, etc. Photo and video sharing sites may publish this information when you upload content to their sites.

Revealing Your Location

Most social networking sites will display your location if that data is available. This function is generally provided when you use a GPS-enabled phone to interact with a social network, but don’t assume that it’s not possible if you aren’t connecting from a mobile. The network your computer is connected to may also provide location data. The way to be safest about it is to double-check your settings.

Be particularly mindful of location settings on photo and video sharing sites. Hackers and cyber criminals can use your photos, location, and contact information to break into your home. For instance, if you just posted a photo of yourself at a location other than your home, and you have other photos posted of the great new devices or equipment you just bought yourself, this could be incentive enough for cyber criminals to take things a step further. Don’t reveal too much about your whereabouts, belongings, or your identity.

Data Privacy Day and Month

“Data Privacy Day” – held 28 January every year – is a fast growing, international event that aims to help educate people in understanding their privacy rights, help protect their personal privacy and identity, as well as control their digital footprints. It marks the beginning of “Data Privacy Month” (February) during which privacy-related events are held all over the world. This event began in North America in 2008 as an extension of the Data Protection Day celebration in Europe.

Data Privacy Day is held every Jan. 28 right across the world, to bring awareness about the importance of protecting personal information, sometimes called personally identifiable information (PII). By learning and practicing some simple tips on how to do so, it helps build our culture of respecting privacy, safeguarding information and enabling digital trust.

Tips

  • Personal Data of learners and employees is entrusted to us. Respect it. Protect it. – Do not collect more personal data than needed. Take every opportunity to de-personalize or “de-identify” data sets whenever you can. When sending sensitive information, make sure that you use correct email addresses. Securely dispose of sensitive information when it is no longer required. Turn in broken or no longer needed hard drives to the ITS Cyber Security Unit for secure destruction.
  • Use Strong Passwords – Make sure you are not using the same password for every account. Use at least 8 characters consisting of capitals, lowercase letters, numbers and symbols. Use a password manager such as LastPass.
  • Keep Software up to Date – Make sure to install the latest software on all computers and mobile devices.
  • At Home Protection – Follow the same guidelines when at home, where personal information can easily be compromised as well. Refrain from sharing personal information online or with others and keep sensitive College information out of reach of others.
  • Immediately Report Security Incidents and Data Breaches – Report to the Cyber Security Unit at infosec@algonquincollege.com

Resources

Risks of File Sharing
Protect Yourself
How to Encrypt an Excel File
How to Encrypt a Word Document
Learn More

Information Security is everybody’s business.

E-mail Phishing Attacks

The College continues to experience the impact of users clicking on phishing e-mails. Within ten minutes of clicking on the links in the emails, malware is loaded onto your computer, followed by your computer “calling out” to hacktivists and criminal organizations. Then, your computer will be remotely controlled to start sending out thousands of spam messages to others all over the world – using your College email address. As you can imagine, not all recipients are going to be particularly happy about receiving the spam, and some will even send back emails to that effect. Imagine the damage to our wonderful name and brand that this can cause. It often takes many hours for ITS to clean up your e-mail account before you can have it back working as normal.

What is Phishing?
Phishing is the act of a cyber-criminal using false pretenses to acquire usernames and passwords, credit card information, sensitive personal information and electronic money by masquerading as a trustworthy entity in an electronic communication such as email or texting. Phishing communications often contain links to rogue websites that are infected with malicious software, which is then downloaded to your computer to conduct further cyber-attacks on College networks. The impacts of phishing can be very significant and include account and data theft, data ransomware, identity theft, loss of money, and system compromise, among others.

What Do They Look Like?
If you receive an unexpected or unusual email, carefully examine it before clicking on an embedded link or downloading an attachment.

Spelling Mistakes and Poor Grammar
Phishes often contain obvious spelling mistakes, poor grammar and incorrect email addresses. For example, instead of @algonquincollege.com, you may see something like @a1gonqu!ncollage.com.
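As an added example (not part of the College's guidance), the sender-domain check above can be automated for a mail-filter or awareness tool: the function below folds common substitute characters (1 for l, ! for i, 0 for o, and so on) back to the letters they imitate and then measures how close the result is to a trusted domain, so the page's spoofed @a1gonqu!ncollage.com is flagged while a real subdomain is not. The homoglyph table, the trusted list and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// homoglyphs maps characters commonly substituted in lookalike domains to
// the letter they imitate. Constructed table for illustration; not exhaustive.
var homoglyphs = map[rune]rune{
	'1': 'l', '!': 'i', '|': 'l', '0': 'o', '3': 'e', '5': 's', '$': 's', '@': 'a',
}

// fold lower-cases a domain and replaces known look-alike characters.
func fold(domain string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(domain) {
		if rep, ok := homoglyphs[r]; ok {
			r = rep
		}
		b.WriteRune(r)
	}
	return b.String()
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein returns the edit distance between two strings, rune by rune.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// SenderDomain returns the lower-cased domain part of an address, or "" if none.
func SenderDomain(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(strings.TrimSpace(addr[at+1:]))
}

// ClassifySender labels a sender against a list of trusted (lower-case) domains:
//   "trusted"   - exactly a trusted domain or a subdomain of one;
//   "lookalike" - resembles a trusted domain after homoglyph folding, i.e. within
//                 two edits of it, or with the trusted name embedded in a longer name;
//   "unknown"   - anything else (not necessarily malicious, just not ours).
func ClassifySender(addr string, trusted []string) string {
	d := SenderDomain(addr)
	if d == "" {
		return "unknown"
	}
	for _, t := range trusted {
		if d == t || strings.HasSuffix(d, "."+t) {
			return "trusted"
		}
	}
	fd := fold(d)
	for _, t := range trusted {
		if fd == t || levenshtein(fd, t) <= 2 || strings.Contains(fd, t) {
			return "lookalike"
		}
	}
	return "unknown"
}

func main() {
	trusted := []string{"algonquincollege.com"}
	// Constructed sample senders, including the spoofed domain from the page.
	for _, s := range []string{
		"it.helpdesk@algonquincollege.com",
		"security@a1gonqu!ncollage.com",
		"no-reply@algonquincollege.com.account-verify.example",
		"friend@example.org",
	} {
		fmt.Printf("%-55s %s\n", s, ClassifySender(s, trusted))
	}
}
```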

A Sense of Urgency or Importance
In most cases, phishing attempts have a sense of urgency or heightened importance. An example could be “Your credit card has been compromised, provide us with your personal information as soon as possible to resolve the issue!” or “Your email account is about to expire – click here to request additional quota”.

Links and Attachments – Caution
Phishing emails often contain an attachment and/or link. If you were not expecting to receive an email with an attachment, do not open it. If there is a link within the email, hover over it (without clicking on it) and you will be able to determine the true URL.

Think Before You Click!

Ransomware!

Ransomware is a type of malware that prevents access to a system or its data using encryption. Once the data is encrypted, ransomware proceeds to demand a ransom in exchange for a decryption key that will provide access to the data. The desired ransom payment is usually demanded in bitcoin, which is an electronic currency that is virtually untraceable.

Businesses, such as banks, colleges, universities, and hospitals, are prime targets for this type of malware. These organizations contain sensitive data and are often willing to pay the ransom under the impulse to restore operations as quickly as possible. The act of paying the desired ransom is not recommended, because it could motivate criminals to continue this type of attack, as well as mark your organization as a target for future attacks, among many other issues.

Criminals may not be around to provide the decryption key, or may demand a higher ransom in exchange for not leaking the data acquired. Ransomware creation and distribution is now offered as a criminal service, which means that even criminals with little knowledge of the malware can purchase it at a low cost and obtain a high reward.

The absolute best defense to protect against ransomware is regularly updated and tested backups.

Ransomware is commonly accomplished initially through email phishing, which aims to compromise a system or sensitive data by disguising malicious software as trustworthy sources. Awareness of the risks of phishing should be provided to all members of an organization, whereby members are taught the difference between safe and malicious links and files.

In summary, ransomware is currently one of the most dangerous risks in cyber security and is constantly becoming more sophisticated and easily accessible in cybercrime. Please make sure to raise awareness about ransomware and take the steps necessary to protect yourself and Algonquin College from it.

E-signatures Overview: What You Need to Know!


With today’s technology, an electronic signature (e-signature) can be as simple as a typed name or a digital image of a handwritten signature. Unmistakably uncomplicated on the user’s side, and with the benefit of security, an e-signature can have the same legal validity and enforceability as a traditional pen signature.

The terms “electronic signature” and “digital signature” are often confused and used interchangeably. However, the distinction is important when it comes to the integrity and security of documentation. An electronic signature is a simple way to indicate consent on a digital document, whereas a digital signature is the technology that secures the electronic signature.

Out with the old, in with the new…with good reason!

An electronic signature delivers the level of trust and security that a customer wants and needs. Some are hesitant to adopt e-signature technology because they are comfortable with paper signature, but e-signature has more security benefits than a traditional pen on paper signature! An e-signature carries layers of information about who signed what, when, where, and how, through an audit trail. This protects the integrity of your signatures, whereas paper signatures are vulnerable to forgery. After all, it’s possible to reproduce a traditional pen on paper signature as well as to alter paper documents after they have been signed.

Levels of security for a variety of users

Digital signature security ensures that the signer is who they claim to be through authentication, which is any process through which you prove and verify information. In e-signature processes, there are multiple levels of ID validation to choose from, therefore different levels of security. The minimum level is to use a valid email address. Want even more security? Further validation can include SMS, adding 3rd party customized advanced methods, or by using the ultimate solution – Public Key Infrastructure (PKI) private key generation as provided by an add-on Entrust software as a service (SaaS). Industry regulations for security in e-signature include ESIGN, UETA, PIPEDA, ECA, and the EU Digital Signature Directive.

What about even stronger protection?

Digital signature refers to the use of a key pair: a public and a private key. Public Key Infrastructure will ensure that your privacy needs are met and that a signing party cannot deny that they signed. The public key, as the name implies, is shared publicly among the parties that come into contact with the document. The private key is not shared. A signed document is encrypted with both keys, which prevents tampering or other modifications. The only communication of keys between the client and the server is the signed certificates that contain the client public key. E-signature ensures integrity due to the PKI workflow. It makes sure that the content of the document has not been changed or altered in any way since it was digitally signed. Each document is ensured to be intact and tamper-evident through the cloud-based PKI Digital Signature Scheme, which assures the integrity of the document and signatures every step of the way.

Can a signer deny that they signed a document? The risk of a signer denying that they signed a document is minimized in the case of PKI based e-signature because a customer’s signature is permanently bound to the exact contents of the document at the time of signing. Since the private key is personal and secret, the signers of a document cannot make claims that they did not sign the document. Process evidence and platform monitoring protects the security of customer data. An audit trail tracks the steps in the signature process in order to verify the signer and document authenticity. This involves application and system logging that provides a digital record of the users accessing the document.
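The two properties described above, integrity (the signature is bound to the exact document contents) and non-repudiation (only the holder of the private key could have produced it), can be shown in a few lines. The following is an added illustration, not code from Signority, Entrust or the College: it uses Go's standard-library Ed25519 in place of a certificate-backed PKI, and the SignedRecord audit-trail structure, signer names and sample contract text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// SignedRecord is one audit-trail entry: who signed, what (as a SHA-256
// digest of the document), when, and the signature plus the key to check it.
// Constructed for this example; the page does not describe Signority's format.
type SignedRecord struct {
	Signer    string
	SignedAt  time.Time
	DocSHA256 string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// digest returns the SHA-256 digest of the document bytes.
func digest(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return h[:]
}

// SignDocument binds the signer's private key to the exact document contents.
// Only the holder of priv can produce a signature that its public key accepts,
// which is what lets the record stand against a later "I never signed that".
func SignDocument(signer string, priv ed25519.PrivateKey, doc []byte) SignedRecord {
	d := digest(doc)
	return SignedRecord{
		Signer:    signer,
		SignedAt:  time.Now().UTC(),
		DocSHA256: hex.EncodeToString(d),
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, d),
	}
}

// VerifyDocument re-hashes the document presented now and checks the signature
// with the public key in the record. Any change to the document since signing,
// or a signature made with some other private key, makes this return false.
func VerifyDocument(rec SignedRecord, doc []byte) bool {
	d := digest(doc)
	if hex.EncodeToString(d) != rec.DocSHA256 {
		return false // the document is not the one that was signed
	}
	return ed25519.Verify(rec.PublicKey, d, rec.Signature)
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample contract text.
	contract := []byte("CCOL teaching contract, Winter term: 3 sections, rate as agreed.")
	rec := SignDocument("instructor@example.invalid", priv, contract)
	fmt.Printf("signed by %s at %s, digest %s\n", rec.Signer, rec.SignedAt.Format(time.RFC3339), rec.DocSHA256[:16])
	fmt.Println("original verifies:", VerifyDocument(rec, contract))

	// Altering a single byte after signing is detected.
	tampered := append([]byte{}, contract...)
	tampered[len(tampered)-1] = '!'
	fmt.Println("tampered verifies:", VerifyDocument(rec, tampered))
}
```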

Legality in Canada

Various governments across the world recognize e-signatures. They aim to build confidence in electronic commerce and the technology underlying it. So, what is the law concerning e-signature in Canada? The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), describes the use of secure “electronic signatures” in Canada:

  • the electronic signature must be unique to the person using it;
  • the person whose electronic signature is on the document must have control of the use of the technology to attach the signature;
  • the technology must be used to identify the person using the electronic signature;
  • the electronic signature must be linked to an electronic document to determine if the document has been changed after the electronic signature was attached to it.

Algonquin – Increasing E-Signature Use!

Use of Signority (www.signority.com) – a SaaS electronic signature service – at Algonquin is growing. As just one use-case example, before e-signature was implemented within the Centre for Continuing and Online Learning (CCOL), academic staff would receive a contract attached to an email, and then print, sign, scan, and attach it to another email to send it back, or fax it back or mail it back to the College. This entire process meant that it would take weeks for the College to receive all its contracts. Since implementing e-signature using Signority, it now only takes several days to send and receive most contracts each school term, and many staff have positively commented on how much they prefer the new electronic process.

Most departments have a need for routing and signing agreements of one form or another, either internally or externally. It is highly recommended to staff that they try an e-signature pilot to see how it might aid their business area. Licenses are provided by ITS thus there is no software cost to the end department. Check out Signority for yourself and see how easy it is to use!


Craig Delmage, CISSP

Senior Manager, Information Security and Data Privacy

Mobile Security and Privacy


Mobile phones are increasingly being used for all kinds of fun and productivity, and this includes using them for all kinds of reasons in support of education. Many Algonquin College students are using the Brightspace, Adobe Creative Cloud, and Algonquin College mobile applications, among many others. However, despite this increased utility, it is important to note that the potential threats out in cyberspace have greatly increased, requiring all users to take extra precaution. In 2017, Google took down over 700,000 bad Android apps; 99 percent of apps with abusive content were identified and rejected before anyone installed them.

Here are some tips to reduce smartphone security risks and potential loss of your personal and valuable information:

  1. Label your device with your name and telephone number, and record your device’s unique manufacturer’s serial number, Wi-Fi and Bluetooth addresses, as well as your International Mobile Station Equipment Identity (IMEI) number in case you lose your device. Canadian cellular service providers maintain a national lost and stolen IMEI blacklist. You can check an IMEI at https://www.devicecheck.ca/check-status-device-canada/
  2. Use a strong password or PIN (preferably 6 numbers) to access and lock the device. Don’t have a password on your device? Create one today. If your phone has the fingerprint ID feature enable this as well.
  3. Keep the mobile device software up to date. Only 19% of Android users are using the most updated OS version, and only 50% of Apple users have the most up to date iOS version. Keep your phone updated; this prevents criminals and hacktivists from exploiting software vulnerabilities.
  4. Carefully check the URL to which you are connecting. Incorrect URLs can lead to a malicious website that may compromise your device; make sure the web address begins with HTTPS, and not HTTP.
  5. Avoid using the web browser “Save Password” feature. Some rogue websites can steal your stored passwords using common web browser vulnerabilities; if you need to store your passwords, use a password manager such as LastPass.
  6. Connect to secure Wi-Fi networks only. Open, unsecured networks may seem like a great way to connect to the internet; however, they often come at a cost. Open networks don’t encrypt your information, so anybody with often simple tools can view your data as it is transferred from your device to the wireless access point. You should never conduct internet banking on unencrypted networks. Strongly consider using virtual private network (VPN) software on your mobile to keep your communications private.
  7. Do not “jailbreak” or “root” a device. Jailbreaking may bring you some benefit, such as allowing you to “sideload” additional apps from non-Apple Store or Android Store services, but doing so allows hackers to circumvent security controls and use the device without your knowledge.
  8. Consider installing antivirus and antimalware software. Particularly with Android devices, it is important to install extra protection. There are numerous free products available such as Avast! Free Mobile Security and Avira Free Mobile Security that provide basic protection.
  9. Research the app that you wish to download. Over 40% of apps do something malicious, such as steal your personal data, and it was found that the Google Play Store apps that have malware were downloaded 500,000 times. Check the privacy statement carefully before installing.