Information Technology News

Latest Posts

Security Awareness: Bon Voyage! IT Tips for Travel

By mark hine on May 22, 2015
  • Ensure that all of your devices have a passcode or password.
  • Don’t take sensitive data with you if you do not need it.
  • Enable location services and encryption on your device.
  • Keep your device with you.
  • Investigate and understand data rules outside the U.S.
  • Plan ahead on how you will connect to the Internet.

Prior to traveling domestically or abroad take a few minutes to review your security practices. A lost, stolen or compromised device not only disrupts your travels, but can quickly lead to a very challenging situation. Use the checklist below to protect yourself and your device:

Do all of the devices you are taking with you have a password or passcode on them? Do all of your devices have a timeout feature to auto lock?

  • Having passwords on your devices (laptops and smartphones) is a great way to start protecting yourself and Colgate’s data. This stops the initial attempt to pick up a device and start looking at your emails or any other data.

Can you access your data remotely?

  • Consider leaving behind unnecessary storage devices (e.g. thumb drives) and not storing data on your desktop.
  • Colgate offers centralized data storage that is backed up and can still be accessed on the road.
  • Google Drive has unlimited storage and is available everywhere.

Do you have a safe way to connect to the Internet when you travel?

  • Be careful of what you do on free public connections.
  • Use Colgate’s VPN connection.
  • Check out a portable hotspot device from the library.

Is your data backed up?

  • Use Colgate’s enterprise backup solution – CrashPlan. Should anything happen to your computer, your data can be restored to a loaner computer so that you can continue to work.

Is your device set up to encrypt your data?

  • With your data backed up, we can encrypt your devices. Should your devices be lost or stolen, we can be sure that your data is protected and unusable.

Are location services turned on?

  • Depending on your device, there are ways to help locate it and also remotely wipe it if it is lost or stolen.

Is your device small enough and light enough that you’re willing to keep it with you?

  • Unattended devices are at risk of being stolen.
  • Consider your choice of device bags to maximize keeping devices with you.
  • ITS has devices that can be borrowed that may suit your travel needs.

If you’re traveling abroad, do you understand the digital rules at your destination?

  • Prior to travel, quickly research what issues or laws may apply to your devices, including access to non-secure Wi-Fi, encryption rules, and requests from police to unlock a device.

Please check with your support team on which solutions are best suited for your needs.

For more information, contact the ITS Help Desk at extension 7111 or email ITSHelp@colgate.edu.
Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch and Mark Hine.


Security Awareness: If something doesn’t look right, it probably isn’t

By mark hine on May 22, 2015
  • Question changes in your browser or desktop that you did not initiate.
  • Look carefully before responding to unsolicited emails or links.
  • Files or emails that are accidentally shared or sent in error should be reported to ITS.
  • Report lost or stolen devices to Campus Safety right away.
  • Big changes are announced; take note of things that are not announced.
  • ITS can help you determine if a change is legitimate – call us at x7111

A simple, but important, step you can take to protect your digital life and Colgate’s information is to maintain awareness. Observe your computing environment and note when things are out of place, unexpected, or new without cause.

Genuine emails and websites from reputable companies seldom have poor grammar or spelling. Be wary of unsolicited contact by email or phone, especially when it requests confidential or sensitive information or uses an unfamiliar process. These are signs of potential intrusion attempts.

Changes to device backgrounds, new icons that suddenly appear on your desktop, especially after installing “freeware” or other downloaded apps, and other changes to your computing environment may signal that someone, other than you, has access to your device. Free software and apps are more likely to contain malicious code and should be avoided.

Be vigilant when using devices and the network. Report odd or suspicious changes on your computer to ITS. We can help you determine whether your system has been compromised and offer help mitigating issues that are detected.

Report suspected unauthorized access to data, mass email mishaps and any unintended changes to data or systems to ITS. Additionally, please contact ITS if you see confidential or sensitive data in an open environment.

Report lost devices to Campus Safety by calling extension 7333 as soon as possible. Report other suspicious activity in your digital world to ITS by calling extension 7111.

For more information, contact the ITS Help Desk at extension 7111 or email ITSHelp@colgate.edu.
Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch and Mark Hine.


Security Awareness: Think Carefully before Sharing – Only Share what’s Needed

By mark hine on May 22, 2015

Before sharing a file with confidential or sensitive data ask:

  • Does the person or people receiving this information need all of the information I’m sharing, or could I trim the volume of confidential data?
  • Do all the people I am sharing this with need the information?
  • Is there a more secure way to share the information?

Colgate generates and uses, through the course of business, a considerable volume of data that should be carefully guarded against loss and unauthorized access, including social security numbers, driver’s license numbers, bank accounts, and grades. In a University environment, collaboration is a natural and necessary behavior. Sharing files is one way we move data from those who have it to those who need it. Below are some practical strategies for reducing the likelihood of data loss:

Limit Data Shared
Providing extracts or portions of data that include only necessary information is strongly recommended. An example is a report that has student IDs redacted or social security numbers removed. If the information does not have a business purpose it should be removed prior to sharing. More importantly, for confidential and sensitive data, ask: should this individual have access to this information? Is it part of their job responsibilities? If they do not need it they shouldn’t see it. This protects the community and the individual.

Avoid Email as a Conduit
For most people, emailing attachments is a quick, easy and practical way to share information. Emailing confidential or sensitive attachments, however, is risky since the email can be accidentally forwarded or shared with the wrong person or people. To share this type of information, use password-protected attachments, shared Google documents, or links to a database. Social Security numbers, credit card numbers, driver’s license numbers and passwords should never be included in an email.

Google Drive
Instead of storing documents on your desktop (another vulnerability), ITS recommends using University-supported storage options like Google Drive. Google Drive offers a second layer of security (you have to log in to it) and the ability to assign variable permissions (view only, comment and view, edit) to specific documents. Sharing features are built in. If you would like more training on Google Drive, ITS can provide additional training to you or your department.

Use the Colgate VPN when off campus
Using Colgate’s virtual private network (VPN) is a secure way to access Colgate data and applications. This connection is encrypted and password protected. A VPN connection is a good way to view records and confidential data securely.

For more information, please visit:
http://www.colgate.edu/offices-and-services/information-technology/network-services/accounts

For more information, contact the ITS Help Desk at extension 7111 or email ITSHelp@colgate.edu.
Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch and Mark Hine.


Security Awareness: Know the Rules of the Road

By mark hine on May 22, 2015

 

It is important to review applicable information for your role at Colgate. Please review Colgate-wide and departmental policies regularly.

Policies are in place to protect Colgate community members and the University. These internal rules are often guided by state, federal and industry-specific requirements that define acceptable use, conduct and data safeguards to meet our obligation to protect student and financial information.

Acceptable use
http://www.colgate.edu/offices-and-services/information-technology/privacy-and-security/acceptable-use-policy

Email stewardship
http://www.colgate.edu/offices-and-services/information-technology/privacy-and-security/stewardship-and-custodianship-of-email

Staff handbook
http://www.colgate.edu/docs/default-source/d_working-at-colgate_resources_staff-handbook/staff-handbook.pdf?sfvrsn=12

Faculty handbook
http://www.colgate.edu/offices-and-services/deanoffacultyoffice/currentfaculty/faculty-handbook

State and federal laws also specify how certain types of information are handled. While we cannot detail all of the potential legislation here, a few important acts are listed below.

FERPA
The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive federal funding, including financial aid. Learn more by visiting http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

DMCA
The DMCA criminalizes production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works. It also criminalizes the act of circumventing an access control, whether or not there is actual infringement of copyright itself. Learn more by visiting http://www.copyright.gov/legislation/dmca.pdf

TEACH Act
The TEACH Act more closely aligns copyright laws regarding distance learning with laws pertaining to face-to-face classroom interactions. There are important differences, however, regarding full-length audiovisual works, such as movies and documentaries. Learn more by visiting http://www.copyright.com/media/pdfs/CR-Teach-Act.pdf

Depending on your role at Colgate, other compliance and notification rules may apply to your work, including the following:

  • NYS Law 4254–A: Information Security Breach and Notification Act
  • Higher Education Opportunity Act: Copyright Infringement
  • Executive Order 13224: Blocking Property and Prohibiting Transactions with Persons Who Commit, Threaten to Commit, or Support Terrorism
  • TEACH Act: Technology Education and Copyright Harmonization
  • USA PATRIOT ACT
  • ECPA: Electronic Communications Privacy Act
  • Family Educational Rights and Privacy Act of 1974 (FERPA)
  • Digital Millennium Copyright Act – Amendment to Section 512 Copyright Act of 1976
  • Gramm-Leach-Bliley Act
  • Payment Card Industry Data Security Standard (PCI DSS)

For more information, contact the ITS Help Desk at extension 7111 or email ITSHelp@colgate.edu.

Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch and Mark Hine.

 


Security Awareness: Don’t Take the Bait

By mark hine on May 22, 2015
  • Phishing is an illicit attempt to gain personal information which poses as a legitimate request.
  • Emails and websites can be made to appear legitimate but often contain clues to their true origin.
  • Never send confidential information (passwords, credit card info, social security numbers, etc.) via email.
  • Assess the reasoning for the information request. Consider a phone call to verify authenticity.
  • If you do accidentally respond to a phishing scam, contact ITS right away.

Phishing is a type of social engineering that lures individuals by making what appear to be legitimate requests for personal data. Most often arriving as an email, it relies on criminals posing as trusted sources (like your employer) to trick you into providing a password or account number, which they then use to cause harm. A second form of phishing uses embedded links in an email that take you to websites that install malicious code, such as malware, on your device.

According to experts, 156 million phishing emails are sent globally every day and 10% of those make it through filters. Shockingly, eight million messages are opened and 800,000 fraudulent links are clicked. Often, the emails are convincing. Other times, emails contain misspellings, poor grammar and odd formatting – clues that the request is not on the level.

Consider the information being asked and the source of the email. Links can be spoofed (made to appear like they come from a legitimate source). Logos and familiar icons can make an email or website appear to be genuine. Usually, subtle differences are visible that indicate this type of deception. It pays to be diligent and verify the authenticity of any request with a phone call.

Colgate University, and any legitimate commercial enterprise, will NEVER ask you for your password. Hover over links and check their true destination in the status bar (bottom of your web browser). Verify links on a web page in the same manner. Check the web address in the address bar. Pay close attention to the domain suffix (.com, .org, etc.). Does it originate unexpectedly from a foreign country (.ru, .cn, .tw)? Many phishing scams originate abroad.
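The hover check described above can also be automated for messages that are reported to a help desk. The Python sketch below is an added example, not part of the original post: it compares the domain shown in a link's visible text with the host the link really points to, and flags the suffixes the post names. The expected-domain list, the finding labels and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

WATCH_SUFFIXES = (".ru", ".cn", ".tw")   # suffixes named in the post
EXPECTED_DOMAINS = ("colgate.edu",)      # assumption: domains your users expect to see

# Finds something that looks like a host name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def check_link(text, href):
    """Return a list of finding labels for one link (empty list = nothing odd)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() not in ("http", "https") or not host:
        return []  # mailto:, anchors and relative links are out of scope here
    findings = []
    shown = DOMAIN_IN_TEXT.search(text)
    if shown:
        shown_host = shown.group(1).lower()
        # The text names one site while the link goes to an unrelated one.
        if not (belongs_to(host, shown_host) or belongs_to(shown_host, host)):
            findings.append("text-destination-mismatch")
    if host.endswith(WATCH_SUFFIXES):
        findings.append("watched-suffix")
    # A familiar name used as a prefix of someone else's domain.
    if any(d in host and not belongs_to(host, d) for d in EXPECTED_DOMAINS):
        findings.append("lookalike-host")
    return findings


def scan_email(html):
    """Return (text, href, findings) for every link that raised a finding."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    checked = ((t, h, check_link(t, h)) for t, h in collector.links)
    return [item for item in checked if item[2]]


# Constructed sample message body; none of these links come from a real email.
SAMPLE = """
<p>Your mailbox is full. Verify your account at
<a href="http://colgate.edu.account-verify.test/login">https://www.colgate.edu/its</a></p>
<p><a href="https://www.colgate.edu/offices-and-services/information-technology">ITS home</a></p>
<p><a href="https://portal.colgate.edu/help">portal.colgate.edu</a></p>
<p><a href="http://prize-claim.example.ru/win">Claim your prize</a></p>
<p><a href="mailto:ITSHelp@colgate.edu">ITSHelp@colgate.edu</a></p>
"""

if __name__ == "__main__":
    for text, href, findings in scan_email(SAMPLE):
        print(f"{', '.join(findings)}: '{text}' -> {href}")
```

A flagged link is a prompt for a closer look rather than a verdict: link text that merely resembles a host name can trigger the mismatch check, and a clean result does not make a message safe.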

Consider what is being asked of you. Is it reasonable or something you requested? Be wary of offers that seem too good to be true – they usually are. Immediately delete suspect emails.

Report all phishing emails to ITS and let ITS know if you clicked on the link.
For more information, visit: https://www.fdic.gov/consumers/consumer/alerts/phishing.html

For more information, contact the ITS Help Desk at extension 7111 or email ITSHelp@colgate.edu.

Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch and Mark Hine.


Security Awareness: Backup Strategy

By mark hine on May 22, 2015
  • Data loss is widespread, but preventable.
  • Software is available to automatically back up your important data.
  • Physical media is not a reliable means to back up data.
  • Be prepared to wipe your device. Data should never reside only on a single piece of equipment.
  • Storing your data on Google Drive can mitigate data loss, should your computer become compromised.

Hardware fails. Devices are lost or misplaced. Viruses and other threats corrupt systems. These events can all lead to lost information – sometimes irreplaceably.  More than $1.7 trillion is lost annually due to data loss and downtime, according to a study by EMC, a disaster recovery firm. Moreover, EMC reports that the incidence of data loss has increased 400% since 2012.

Enterprise level backup systems are currently the most robust option. Storing data in Google Drive and engaging with products like CrashPlan, a file backup service supported by Colgate, provide layers of redundancy to protect your data. These options store data in centers with reliable backup strategies and physical security.

A backup strategy can prevent the heartache of lost data and expedite recovery. Before diving in, it is important to ensure that where you back up is a safe and secure environment and that you are backing up frequently enough to protect current information. An important part of your backup plan is to test that you can find and recover files, at least on an annual basis or after a major change.

Twenty years ago, diskettes were the primary backup tool. Then came CDs and DVDs and external hard drives. The problem with physical media is that it too can be lost or damaged, particularly when stored in the same space as the original. Media also has a finite lifetime, whose demise can be accelerated depending on storage and care. While external drives are better than physical media, they too can suffer failures and corruption or damage that affects an entire location.

Mobile devices are also at risk. Sync devices to a computer frequently to ensure your mobile data is preserved.  Ensure that your synced data is included in your backup solution for that computer.

For more information, contact the ITS Help Desk at extension 7111 or email ITSHelp@colgate.edu.

Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch and Mark Hine.


Security Awareness: Be Aware of your Surroundings

By mark hine on May 22, 2015

 

  • Enable a timed logout to lock your computer when you step away.
  • When viewing confidential or sensitive data, be aware of your environment.
  • Beware of inadvertently revealing login information or passcodes.
  • Log out of your computer when leaving.

 

Imagine all of your mail being delivered in clear envelopes. Unsettling, to say the least. The opaque envelope is designed to shield your personal information from prying eyes. The risk is that your personal data could be used to steal your identity, gain access to other confidential data, or be used to access the data of others, including work information.

One way to increase data security is to think about where you use devices. Consider who is looking over your shoulder when you log in or view confidential data. Theft of login credentials or personal data in this manner is called shoulder surfing. It’s shockingly easy to learn a phone PIN by watching.

Tailgating or piggybacking is another risk that describes someone who follows you after you have gained access to a resource. Think about your ATM activity. You enter your PIN and complete your transaction. The ATM asks you, “Would you like to perform another transaction?” You leave without answering. Someone who has observed your PIN entry pulls up quickly. Because no card swipe is required, you’re out $100 or potentially much more. The parallel is the typical login – not logging out is an unlocked door to your personal information. Always log out of public machines. Always use a timed logout (five minutes or less) on your devices.

For more information, contact the ITS Help Desk at extension 7111 or email ITSHelp@colgate.edu.

Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch and Mark Hine.


Security Awareness: Keep it With You

By mark hine on May 22, 2015
  • Keeping your device with you helps ensure control of your data.
  • ITS has loaner devices you can borrow when travelling.
  • When a device is stolen, data thieves have more time to attempt to overcome passwords.
  • Mobile device theft is more likely when travelling.
  • If your device is lost or stolen contact Campus Safety right away.
  • Always enable a password or passcode on your device.
  • Be wary of storing devices in hotels and leaving them unattended for even brief periods of time.

Your laptop, tablet and cellphone are storehouses of, and gateways to, valuable information. If your device is lost or stolen and contains any Colgate information, you need to immediately contact Campus Safety. Information can be exploited should it fall into the wrong hands. Plan ahead so you can keep your device with you when traveling. ITS has basic loaner devices that you can borrow. We know from experience that devices are also accidentally left on restaurant tables, in conference rooms and even bathrooms. For mobile devices, including laptops, maintaining control of these devices means you have them in your possession or they are secured in a locked location.

Hotel rooms are not secure locations. According to Department of Justice crime reports, the most frequent crime reported in hotels is property related. While theft on airplanes appears rare, the loss of luggage is not. Keep your devices in your carry-on bag. A 2010 CNET survey notes that about 5.5 million computers were stolen in the United States over a three-year period with only 3% recovered.

Another risk regarding stolen or misplaced devices is the time someone has with your device to try to unlock it. This underlines the importance of using strong passwords and passcodes, lock screens and disabling auto login. Mobile devices with a four-digit passcode are at greater risk because they are smaller and easier to lose and typically people avoid complex access controls.

Enabling location services is an essential step in protecting your devices. Many devices, particularly Apple iOS devices, provide a means to locate, lock down or erase your mobile device remotely.  To learn more, visit the following:

For more information on how to protect your mobile device from theft, check out this article:
http://www.wikihow.com/Protect-a-Mobile-Phone-from-Being-Stolen

Blog Post: Secure Your Mac When You Step Away
http://blogs.colgate.edu/its/2015/04/secure-your-mac-when-you-step-away.html

Blog Post: Secure Your PC When You Step Away
http://blogs.colgate.edu/its/2015/04/secure-your-pc-when-you-step-away.html

If your device does become lost or stolen, contact Campus Safety immediately at extension 7333.

For more information, contact the ITS Help Desk at extension 7111 or email ITSHelp@colgate.edu.

Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch and Mark Hine.


Security Awareness: Be Careful with Wi-Fi

By mark hine on May 22, 2015
  • Public Wi-Fi connections are vulnerable.
  • Know the name of the network you are connecting to and who controls it.
  • Turn off sharing features when connected to public Wi-Fi.
  • Use Colgate’s VPN connection for a secure connection.
  • Forget public networks when you are done using them.
  • Keep your devices up to date.
  • Enable two-factor authentication on services that support it.

 

Wi-Fi is a communal resource. Shared. Meaning – a path to your device for experienced data thieves. The danger of data theft is directly related to how you connect to a wireless signal. CNET.com offers some valuable advice to protect you when using a Wi-Fi connection.

Know your SSID
An SSID is a name given to a wireless connection point. You select the SSID, such as “Colgate”, when you set up a connection. In public locations, such as hotels, restaurants and cafés, it is important to verify the name of the SSID so you can verify its ownership. CNET notes, “it is easy for someone who wants to intercept your data in a man-in-the-middle attack to set up a network called ‘Free WiFi’, or any other variation that includes a nearby venue name, to make you think it’s a legitimate source”.

Turn Off File Sharing
File sharing, especially when connected to a public hotspot, is a potential risk that can expose data on your device to others. Turning off Internet sharing, Print Sharing and File Sharing reduces the “hooks” into your device.

Use Colgate’s VPN
Using Colgate’s virtual private network (VPN) is one of the best ways to keep your browsing session secure. A VPN client encrypts traffic between your device and the VPN server, which means it’s much more difficult for a potential intruder to grab your data. Also, consider using only https connections.

For more information visit:
http://www.colgate.edu/offices-and-services/information-technology/network-services/accounts

Avoid Auto-Connections
Do not configure your device to connect automatically. Use settings that only allow you to connect to known networks. Sometimes you may need to connect, but it’s important to forget the network when you leave a hotspot so that your device won’t automatically connect when you’re in range.

Update Your Device and Apps
Keep your devices up to date with the latest versions on a trusted network. According to CNET, travellers have been caught off guard by requests to update software packages when connecting to public or hotel Wi-Fi networks. If accepted by the user, malware was installed on the device.

Enable two-factor authentication
It’s good practice to enable two-factor authentication on services that support it, such as Gmail, Twitter and Facebook. This way, even if someone does manage to sniff out your password when on public Wi-Fi, you have an added layer of protection. For more information, visit: http://www.cnet.com/how-to/tips-to-stay-safe-on-public-wi-fi/

For more information, contact the ITS Help Desk at extension 7111 or email ITSHelp@colgate.edu.

 

Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch and Mark Hine.


Security Awareness: Do a Security Self-Assessment

By mark hine on May 22, 2015

In our summer-long series on security awareness, we’ve reviewed strategies and practices that can improve and protect your digital life. Putting these ideas into practice reduces the risk of an untoward event, improves data security at Colgate and can put your mind at ease knowing you are prepared and ready for any attempts at intrusion or loss.

Think about how you use your device and where. Know where your device connects and keep it with you. Review the risks to devices and data when you travel, when you connect to someone else’s network and when you access the web and email. If your computing environment changes – question it. ITS announces changes we make ahead of time and so do most service providers, like Google.

If you manage a database or file share, it’s critical to include a review of permissions at least annually. Here’s a quick list of what to review:

  • Do you have a process for adding and taking away permissions as staff or students change their access needs?
  • Do individuals that access the information understand the level of confidentiality of the data they use?
  • Have all the individuals with access been appropriately trained to use the database?
  • Are there any roles that can be eliminated?
  • When access is granted, do individuals have the least access they need to accomplish their duties?
  • Are responsibilities separated, so that there are checks and balances against accidents?

If something does happen, know that ITS is here to offer advice and help mitigate any suspected loss or intrusion. Remember to contact Campus Safety if a device is lost or stolen.

For more information, contact the ITS Service Desk at extension 7111 or email ITSHelp@colgate.edu.

Contributors: Ellen Holm, Ahmad Khazaee, Kevin Lynch, and Mark Hine.