It's easy to take for granted our access to and stewardship of precious, confidential information,
whether our own or Syracuse University's. We find it easy and convenient to transport and share our
information over insecure non-SU networks and devices and often fail to safeguard our sensitive data.
We are on a connected campus in a connected world, but we can be undisciplined when it comes to data security.
Recently, Cisco, a world-leading networking firm, commissioned a third-party study of employees' and IT
professionals' attitudes and behaviors related to protecting sensitive information. The research discovered
that despite the security policies, procedures, and tools currently in place, employees around the world are
engaging in risky behaviors that put institutional and personal data at risk. Employee behaviors included:
- Unauthorized application use: 70 percent of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies' data loss incidents. Personal email is the most commonly used unauthorized application, followed by online banking, online bill paying, online shopping, and instant messaging.
- Misuse of corporate computers: 44 percent of employees share work devices with others without supervision.
- Unauthorized physical and network access: 39 percent of IT professionals said they have dealt with an employee accessing unauthorized parts of a company's network or facility.
- Remote worker security: 46 percent of employees admitted to transferring files between work and personal computers when working from home.
- Misuse of passwords: 18 percent of employees share passwords with co-workers. That rate jumps to 25 percent in certain cultures.
Similar behaviors happen here at SU. Of greatest concern is how often we transfer files from a work device to a home computer that is not protected or maintained to ITS standards. This happens whenever faculty or staff use unauthorized or insecure methods to transport data.
By far the most common offense is employees using personal, non-SU e-mail accounts such as HotMail, GMail, and Yahoo Mail (or any other provider) to send data to themselves so they can work with it off campus. This is a poor practice: personal e-mail accounts may be compromised, and home computers may be infected with malicious software. In the Information Security realm, the simple act of e-mailing data to personal accounts is considered a serious offense.
Another common method of data leakage is placing data on a USB flash drive, portable hard disk, CD, or other portable or removable storage media. These media, while convenient, are easily lost or stolen, and unless the data on them was encrypted, it is considered leaked, lost and compromised the moment the media goes missing.
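Because self-forwarding to personal webmail is singled out above as the most common offense, a mail administrator will want a way to spot it in gateway logs rather than rely on policy alone. The following is an added example and not Syracuse University's tooling; it assumes a simplified, constructed mail-gateway log format (one message per line with sender, recipient and attachment count), assumes `syr.edu` as the institutional domain, and uses a short list of personal webmail domains that is also an assumption. It flags outbound messages to those domains only when they carry an attachment or when the same local part appears on both sides (for example `jsmith@syr.edu` to `jsmith@gmail.com`), so that ordinary correspondence with an outside Gmail user is not reported.

```python
"""Flag campus mail sent to personal webmail accounts, from gateway log lines.

Added illustration, not Syracuse University's own code. The log format below is
a constructed, simplified record (an assumption), one message per line:
  <timestamp> from=<addr> to=<addr> attachments=<n> size=<bytes>
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the institutional mail domain; adjust for your environment.
CAMPUS_DOMAIN = "syr.edu"

# Assumption: consumer webmail providers named on the page plus a few common ones.
PERSONAL_WEBMAIL = {
    "gmail.com", "googlemail.com", "hotmail.com", "outlook.com",
    "live.com", "yahoo.com", "aol.com",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+from=<(?P<sender>[^>]+)>\s+to=<(?P<recipient>[^>]+)>"
    r"\s+attachments=(?P<att>\d+)\s+size=(?P<size>\d+)$"
)

# Constructed sample log; these addresses and messages are invented for the example.
SAMPLE_LOG = """\
2024-03-04T09:12:01 from=<jsmith@syr.edu> to=<jsmith@gmail.com> attachments=2 size=1048576
2024-03-04T09:13:44 from=<jsmith@syr.edu> to=<colleague@syr.edu> attachments=1 size=20480
2024-03-04T09:15:10 from=<adoe@syr.edu> to=<friend@yahoo.com> attachments=0 size=2048
2024-03-04T09:16:30 from=<adoe@syr.edu> to=<a.doe@hotmail.com> attachments=1 size=524288
2024-03-04T09:17:02 from=<vendor@example.com> to=<jsmith@gmail.com> attachments=3 size=70000
this line is malformed and must be skipped, not crash the scan
"""


@dataclass
class Finding:
    timestamp: str
    sender: str
    recipient: str
    attachments: int
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _local_part(addr: str) -> str:
    return addr.rsplit("@", 1)[0].lower()


def evaluate(rec: dict) -> Optional[Finding]:
    """Decide whether one parsed message is a personal-webmail exfiltration indicator."""
    if _domain(rec["sender"]) != CAMPUS_DOMAIN:
        return None  # only outbound mail from campus accounts is in scope
    if _domain(rec["recipient"]) not in PERSONAL_WEBMAIL:
        return None
    attachments = int(rec["att"])
    # Self-forwarding: identical local part on both sides (jsmith@syr.edu -> jsmith@gmail.com).
    # An exact match is deliberately strict; a.doe@hotmail.com is not matched to adoe@syr.edu.
    self_forward = _local_part(rec["sender"]) == _local_part(rec["recipient"])
    if self_forward and attachments > 0:
        severity, reason = "high", "self-forward to personal webmail with attachment"
    elif attachments > 0:
        severity, reason = "medium", "attachment sent to personal webmail"
    elif self_forward:
        severity, reason = "low", "self-forward to personal webmail, no attachment"
    else:
        return None  # plain correspondence with an outside webmail user is not reported
    return Finding(rec["ts"], rec["sender"], rec["recipient"], attachments, severity, reason)


def scan(log_text: str) -> List[Finding]:
    """Run the detector over every line, silently skipping lines that do not parse."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = evaluate(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} [{f.severity}] {f.sender} -> {f.recipient} "
              f"({f.attachments} attachment(s)): {f.reason}")
```

On the sample log this reports two findings: the self-forward with attachments as high severity and the attachment to a Hotmail address as medium, while the internal message, the attachment-free note to a Yahoo user, the message from a non-campus sender and the malformed line are all passed over. The thresholds are a starting point; a real deployment would feed these findings to the mail team rather than block on them, since there are legitimate reasons for some of this traffic.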
Why is this so important?
Nearly all data used in the teaching, learning and administrative functions of the University could be damaging to the University if it fell into the wrong hands. Many forms of data at SU are governed by state and federal laws. Medical information is regulated by the Health Insurance Portability and Accountability Act (HIPAA), student information is regulated by the Family Educational Rights and Privacy Act (FERPA), and many types of Personally Identifiable Information (PII) are regulated by New York State law. Other forms of data, while not regulated by law, are considered sensitive by Syracuse University and must be protected. This includes confidential and enterprise data such as the following:
- Medical Records
- Student Records
- Personnel Records
- Donor/prospect information
- Physical plant details
- Personally Identifiable Information (see below)
- Security audits
- Directory information for students who have opted out of inclusion in any public directory
- Private e-mail, unless both (or all) parties agree to its release
- Private transactions
- Research data
- General financial information
- Internal systems information
For more details, consult the Syracuse University Information Security Standard.
How can I help protect the data?
Follow these simple DO's and DON'Ts to safely share information:
- DO treat all data as precious and something to be protected.
- DO use SU's Secure Remote Access system if you need to work from home or from a remote system. Find out more at http://its.syr.edu/security/remoteaccess/index.cfm.
- DON'T e-mail data to any non-SU email account, including your personal e-mail account.
- DON'T store sensitive or enterprise data on unencrypted removable media such as thumb drives, USB sticks, portable hard disks or CD/DVDs.
- DON'T use services such as GoogleDocs, Amazon S3, DropBox, or other popular internet-based services (also known as "cloud services") to work on, store or transport SU data.
- DO read the "Syracuse University Information Security Standard" to become familiar with the types of data classifications and proper handling of SU data. Visit http://its.syr.edu/security/standards/ITSecurity-standard.pdf.
- DO report immediately any suspected loss or theft of computers, storage media or data to SU's Department of Public Safety (DPS) and to Information Technology and Services (ITS).
- DO protect your devices from theft, and yourself from resulting data loss and identity theft, by following this advice.