Cybersecurity Practices: Post-Secondary Institutions

Sylvia Adam
Post-secondary institutions use cybersecurity to protect their computer systems from security incidents, which include phishing, vishing, smishing and email attachments. All these security incidents can be labeled as social engineering.

According to Oxford Languages, social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Lethbridge College has faced some forms of social engineering. Daryl Hergenhein, a security analyst at the college says a few weeks ago someone tried to get money from the college.

“I received an email, we have a button in our Outlook and when people push it, it automatically submits the email to the security team, which is me and another guy. We review those email letters and one that came in was someone asking for funds to be sent to them at a certain time during the day. They’re trying to get you caught up in the importance of urgency to try and manipulate you.”

Hergenhein says this happens all the time. He also adds that social engineering can happen in any form.

Lethbridge College deals with computer security incidents by following a simple formula. First, the college determines if the situation it’s dealing with is actually a security threat.

The second step is stop further activity if it’s an ongoing security issue, if it’s not, they go into “detective mode” and try to figure out why and how the incident happened and if it’s a known issue. New computer security incidents are usually mitigated, which means the impact of the threat is stopped.

To protect itself, the college’s computers have firewalls and anti-virus and anti-malware software.

In regard to social media, Hergenhein says people need to understand the kind of information they’re putting out there so they can protect themselves.

“I would suggest to anybody that has social media who is concerned about security or privacy, to look for those settings within whatever app they’re using.”

Hergenhein uses software to protect his devices from security threats. He also monitors his children’s internet activity to make sure they don’t install malicious software or visit questionable websites.

Mount Royal University (MRU) has two cybersecurity certificate programs within their continuing education unit. The first certificate program teaches students the fundamentals of cybersecurity and for those who choose to move onto the second certificate program, information to help them earn their Certified Information Systems Security Professional (CISSP) designation.

Some topics covered in the two programs are network fundamentals, security and compliance, mitigating risk and protecting ownership, cryptography, vendor procurement and detecting vulnerabilities.

Arlene Worsley, a graduate of the cybersecurity program at MRU explains how cybersecurity companies secure network designs.

“The most important step most organizations take when it comes to securing network designs is to understand, one, the industry they’re in, two, the type of business they operate in and three, what are the relevant compliance and regulations they have to abide by. Based on that, they develop a full strategy and road map to understand, OK, these are the regulations, these are the standards that apply to us and then we can build a secure environment based on that.”

According to Worsley, the health care industry would be an example. The health care industry is concerned about protecting personal health information, so they build their network environment to protect that information. They determine what works best for them based on their environment and what’s in compliance with personal health information.

Risk assessments are conducted regularly within companies so employees are aware of the potential risks applicable to their company. Based on the risk assessments, they’re able to remediate potential security threats.

Worsley says cryptography is the ability to disguise or hide a code and then to decode it. She explains how it crosses over into cybersecurity.

“Overtime it evolved into the computer environment. For example, transmission of data over email for example, you want that information to be encrypted. An encryption is where cryptography comes in and basically there’s a lot of different encryption types out there, but it’s disguising that data so adversaries cannot decode it. That is the best form of being able to protect the data from what we call in cybersecurity, the CIA triad, so that’s the confidentiality, integrity and availability triad for ensuring the protection of networks, assets, etc.”

Vendor procurement in cybersecurity is third party access, which comes with potential security threats. Companies use safeguarding when dealing with third parties, meaning they limit third party access to their information.

When third parties get access to a document, they may only be allowed to read the document, or write on it or view it.

According to Worsley, a rule of thumb in cybersecurity is to follow security frameworks.

“For example, there are companies that want to be ISO certified when it comes to security. So, the first thing they want to do is assess the maturity of their security hygiene. So how are they doing compared to the industry? That’s based on a scale of one to five from NIST Cybersecurity Maturity Assessment Framework.”

Worsley says most companies receive a score of two to 2.5 on the NIST scale when they first start. Over time they try to improve their score by following key measures on the CSF Framework.

To learn more about how to protect yourself and others from security threats, see: https://www.canada.ca/en/services/defence/cybersecurity.html