Episode Transcript
Kevin Hogan
Next up here in my series of conversations at Educause 2023 in Chicago is Joe Potchanat. He is the director of Educause's cybersecurity program. He talks about the new opportunities for improvement and awareness when it comes to cybersecurity and shares some best practices for higher ed IT leaders to stay on the defensive. Have a listen. OK, Joseph, thanks so much for taking the time to meet with me today. I really appreciate it. And we're in the thick of Educause here in Chicago. Again, I like to have these conversations by Zoom as much as possible, right, but nothing beats having kind of an in-person sort of, you know, the energy that's coming from your members, who are our listeners. It's just a really positive experience, so I appreciate you sharing your insights.
Joe Potchanat
Thank you, Kevin. Happy to be here.
Kevin Hogan
And I know that your expertise, you know, the variety of subjects that our listeners, your members, are dealing with... Cybersecurity continues to be the number one pain point. Talk a little bit about the current state of play when it comes to cybersecurity in higher ed.
Joe Potchanat
Sure. So obviously ransomware is still one of the biggest issues that we're seeing in higher ed, and there are tools out there that help mitigate it, but I still think it really comes down to user education, because it is really at the end-user level, whether that is someone on their personal device or, you know, whether they get a business e-mail compromise. It really comes down to the users having an understanding of the risks that they're facing and being part of the solution.
Kevin Hogan
And when you talk about users, my first instinct is to think students, but you're also talking faculty.
Joe Potchanat
Absolutely. So it's everyone at the institution, whether that is faculty, the staff that work at the institution, contractors. But again, a large chunk of it is going to be the student body.
Kevin Hogan
Although when I look at my own children, they seem to be more savvy about these things than I am, necessarily. So how do you work that idea of user behavior into policy?
Joe Potchanat
Well, some of it comes from awareness and education programs at institutions. So if the cybersecurity professionals are working with the student bodies, such as different institutions having, like, a cyber education fair, and they're educating the student body on what the risks are, what they can do to protect themselves, and how that in turn will protect the institution and protect themselves down the line.
Kevin Hogan
OK. OK, maybe you can get into a little bit more of the day in the life. I mean, when you talk about education, right, is this a workshop at the beginning of the year, or is this kind of like constant reminders or notifications?
Joe Potchanat
Some of it is going to be, you know, maybe timed at the beginning of the semester or something like that, and some of it is going to be continual programs. I know that at my former institution, Indiana University, I see constant things on social media about don't share your passwords, and just different reminders about the importance of cybersecurity awareness. So it's all over social media, targeted to the students, so you have a better understanding.
Kevin Hogan
And when it comes to the responsibilities at the leadership level, are we talking about IT directors? Are we...
Joe Potchanat
Well, it depends on the shop, because sometimes cybersecurity professionals are embedded within the IT organizations, and sometimes they're outside of the organization. So it really depends on the leadership. Now, a lot of the larger institutions have brought cybersecurity and privacy outside of IT, and they work at a university level rather than just focusing in on the cybersecurity and privacy needs of the IT department. I know it's a little confusing, but it's a bit nuanced. So by bringing cybersecurity and privacy out of the IT department, they're looking at it system-wide rather than just as a technology issue.
Kevin Hogan
Talk a little bit about...
Speaker
Right.
Kevin Hogan
Two-factor authentication. Sure. Yeah. I mean, that seems to be the latest trend, at least when I'm trying to upgrade my apps, right? Right. Right. How does that relate in the university aspect?
Joe Potchanat
So two-factor authentication, or multi-factor authentication, depending on how you describe it: just think of it as having another lock and key to your account. So there are different types of authentication. Sometimes it's a password, and that's something you know, whereas two-factor authentication is something that you have. Something that you are would be like biometrics, so like your fingerprint or your iris scan or something like that. OK, so it's very unlikely that an attacker would be able to gain possession of both something that you know, that's your password, and your physical device, like a token or your phone. That's why two-factor authentication is so helpful, because you're pretty much going to know right away if you've lost your phone. We have become so tethered to our personal devices. If you lose your cell phone, you know something's going to be up with your account. You're going to realize that pretty quickly, right? So that's why it's so important to have, you know, those two different keys to get into your, you know, your e-mail or different accounts.
Kevin Hogan
Is there a question of scale here? I mean, is your average small community college at as much risk as, say, you know, a major state university, or kind of like a top-flier? Are there differences in terms of how they should be protecting themselves?
Joe Potchanat
Well, the idea is the same, but the motivation of these hackers may be different. So if you're looking at large R1 institutions, they're looking at maybe data sets that the institution has. Maybe it is more about institutional research, and that could be monetized. But if there's any type of financial angle, there is going to be risk to your institution. If you have students and you have payroll, you have student loan data. That's going to be, you know, enticing to an attacker. So anytime anything can be monetized, you're at a risk. Now, you might have a lower profile because you're a smaller institution, but that doesn't get you off the hook. That doesn't keep you off the radar as long as you have authentication. You may have fewer resources to get dedicated towards cybersecurity or privacy, but the R1s are going to have more to protect.
Kevin Hogan
What about for our readers or listeners who have... Obviously everyone should have a certain layer of protection in place and an understanding of that, but maybe they're a little uncomfortable about where they are or how secure they are. What sort of steps would you recommend to them in terms of doing an audit, or in terms of just kind of establishing how they feel about their current state?
Joe Potchanat
Do you mean at the institutional level or at the individual level?
Kevin Hogan
At the institutional level, OK.
Joe Potchanat
At the institutional level, obviously having, uh, kind of a, you know, a data audit and an inventory of, you know, what your systems are, having an understanding of who are all the third parties that you're doing business with, who has access to your data. What is your account provisioning process? Do you let alumni have access to their accounts indefinitely? Do you let applicants have access? I know some institutions, as part of their onboarding, even if you apply you're granted accounts, so you are granting an unknown into your institution. So having an idea of, you know, your identity management system, of what systems people have access to, all the different vendors or service providers that you have access to.
Speaker
There were eight off though late cubic.
Kevin Hogan
No, that's it. Thank you. Yeah.
Joe Potchanat
So having a better understanding of your entire portfolio of information, where your data is, and that comes back to the idea of data minimization. If you don't have to keep track of something and you don't have to store it, you're better off not doing it, because as we know with different privacy principles, even though you may do a pretty good job of anonymizing the data right now, with enough data points you're going to be able to unmask someone. So the fewer data points that you don't need... And part of that comes back to this mentality that storage became so cheap that it was just easier to collect everything, because you never know when you might need it. So by having a mentality of data minimization, you are in the lower room protecting your systems, because you are less likely to have something breached, because that data is not there.
Kevin Hogan
Yeah. Yeah. Let's go back to the behaviors for a minute, and again talk about how... I mean, no matter how good the technology gets, it's always going to come down to that human error, right? Are there precise strategies that can be put in place? In terms of... you talked about the education aspect. I guess I see in my own world, with just those constant reminders that pop up, and yet these things still kind of get in. Is it a situation where people should just expect to be hacked and then think about what's going to happen?
Joe Potchanat
Yes, I think it really needs to be kind of a buyer-beware mentality. You need to be your own best advocate, because you may not think it, but your data has value, because you have bank accounts, you have credit cards, you have mortgages, you have a credit history, you have medical information. All this stuff can be monetized. So it is imperative for you to be your own best advocate, and just expect that someone, somewhere will try to extract value from stealing what you've had.
Kevin Hogan
For those who are listening and feel overwhelmed by all this, what sort of recommendations do you have for them in terms of just taking those first steps?
Joe Potchanat
Well, the best thing to do is not to panic, because that's where the social conditioning gets you. So if someone contacts you and says that... It could be an AI-cloned voice of someone that you know, saying, I am, you know, in a prison, you know, outside the country, and I need to have $10,000, you know, wired to me right away. Stop. Say, is this really necessary to do right now? Most of the time attackers are trying to play on your emotions, that it has to be done right now, and that's when you're going to think less. Or, if it is... That's why, when an offer seems too good to be true, right, it's just that. If...
Kevin Hogan
You're that Nigerian Prince.
Joe Potchanat
Absolutely. Absolutely. So it's the idea of just stop and think, and that's why two-factor authentication is really good, because it is kind of an interrupt. Even though it is a brief moment where sometimes you have to click through, it is a moment. Did I actually log into something? Did I actually do this? If you didn't, then don't acknowledge the two-factor authentication request, because that's going to let somebody in if it wasn't you. So it is that pause, and, you know, it's also very much like reading the terms of service. You just want to get to your stuff and you just...
Kevin Hogan
Right.
Speaker
Right.
Joe Potchanat
Click, click, click, click. So take a moment, think about what you're doing, and the delay will actually help you in the long run.
Kevin Hogan
The pandemic and the switch to remote learning, and for platforms going to where, not only remote but also the use of mobile devices as being attached to your network. Has that made things even more complicated than they were in the past?
Joe Potchanat
I don't know if it changed that much. I think where the problem with the pandemic came in was institutions were scrambling to come up with a solution, and they didn't have the chance to fully look at the best way to do something. They were just under the gun of, we have to do this right now, we have to switch everything over, and we've got 48 hours to do it. So that time made things more difficult, because, just like the example of the user, yeah, they didn't have a chance to think about what they were doing. They just needed to accomplish something just in that moment, right.
Kevin Hogan
Right. Now, when you look ahead, give our listeners and readers a little bit of advance warning of what the next threats are going to be, or the things that you kind of see on the horizon that are going to be in conflict in this never-ending war. What are the next battles going to be, from your perspective?
Joe Potchanat
I think a lot of the battles are going to be on the home front because of the Internet of Things. You're going to see more and more smart devices. You know, the keynote speaker this morning was joking about having, you know, an AI-powered toaster. And do you really need that technology? Is that secure? Is there a password? Is it updated? Who's listening? Yeah, so it does make you paranoid, but there are some conveniences and there are trade-offs. But I think part of it is going to be even more so at the individual level, because, you know, as technology has moved in and become less and less expensive... I mean, when the first iPhone came out in 2007, the thought of everyone on the street having a smartphone did not seem possible, because the iPhone was the first unsubsidized cell phone device out there, and it was, you know, pushing $1,000 even back then. So the thought that everybody would have one was like, no. Yeah, you know, fast forward to today, you know, whether it's, you know, Google or Apple, everyone seems to have a smart toy unless they actively choose, no, I'm just going to go with the flip phone. So having that level of technology, that many levels of sensors, all in your pocket. You know, as I'm wearing a smart watch, and to that point of the IoT stuff, so your personal data, you know, this watch has my heart rate, it has, you know, my oxygen rate. You're going to be able to interpret different things about my behavior and my health from that device. So my personal data is even worth more, because you're going to be able to then tie that to where I was at the time, you know. Was I seeing a particular advertisement? Did that get an emotional reaction out of me? Can you get that data and then target advertisements? I mean, it could be, you know, the next level of, you know, corporate personalization, yeah, towards the individual based on your biometric data.
Kevin Hogan
And I think we got through at least 12 minutes without mentioning artificial intelligence, which might be a record so far this year.
Joe Potchanat
I tried to. I tried to avoid it, because generative AI is... I mean, the overall trajectory with AI is a little different. Right now generative AI is kind of the hot topic. I don't know if the future is going to be about generative AI. I think AI as a topic overall, yeah, will be there, yes.
Kevin Hogan
But as you say, it's an aspect of cybersecurity, and where those, you know, ransomware attacks are just going to get that much...
Speaker
The the.
Kevin Hogan
More sophisticated, right? The phishing attempts are going...
Joe Potchanat
To be that much so. The stuff that has the social attack, the part that is mimicking people, that's where generative AI is going to get more interesting, especially with being able to craft a phishing e-mail that looks and sounds, has the same cadence as somebody that you know, and being able to impersonate it. So I think there's going to be some of that, you know, what we would call spear phishing, where you're actually targeting an individual rather than just kind of blanketing out. So yes, I think generative AI is in there. Machine learning, and having the ability to interpret all of that data and put together all these different data sets, like I was saying, health information, your location information, and being able to track, you know, the behavior of people. You know, that gets kind of scary, but that's more machine learning and kind of the bigger idea of AI than generative AI. Generative AI is really about sounding like a person, you know, passing the Turing test, yeah.
Kevin Hogan
Well, you're not exactly making me feel better. I mean, it's certainly, you know, it's a very scary, yeah, and essential topic. But leave us with some words of hope when it comes to this. I mean, if done properly, and if you're having proper education, we should get along, right?
Joe Potchanat
So I know that there wasn't a whole lot of hope in what I said. But we're eventually going to figure this out, because if you think about bank robberies, that used to be a big deal, where people would rob banks and they would get away with it, and eventually it just didn't become a thing anymore. It's mostly just something that happens in movies. So I think that eventually we will figure out the technology. We'll figure out a way, either monetarily, to remove the ability for people to get the financial incentives out of stealing it, and once the money is out of it, I think crime will move... The cybercrime will move more back into what it was before, whether it was, you know, an individual being targeted because they wanted into it, they wanted information about them, but not so much for anything that they could get monetarily. So I think the technology eventually will catch up: our policies, our monetary policies, the punishments for said crimes, our ability to detect and shut down those criminals. We'll get there. Not there yet, but I do think we will. Well, if I'm looking into the crystal ball, we'll figure that out, much like we did with bank robberies. It just will become a thing of the past.
Kevin Hogan
Yeah, that's good news to hear and a good way to end up this conversation, and...
Speaker
It kind of.
Kevin Hogan
You know, from a consumer standpoint, I see that myself in terms of credit card fraud. Yes, right. I mean, I'll get a call from MasterCard or Visa saying, are you pumping gas in Petaluma, CA right now? We don't think you are. Right. And I say no, and they say great. They don't have to shut down the card. You don't have to go through and prove that you didn't do those sorts of things. It's convenient to them, a protection for the consumer. So it sounds to me like that's kind of...
Joe Potchanat
Talking about with the payment card industry, it's a little different, because they shifted the burden from the consumer to the merchant. So that's where it's a little different. So the credit card company says, we're not going to pay for it. The customer is not going to pay for it. The merchant has to pay for it. So they shifted the burden of the cost, so it incentivized the merchant to do a better job of securing their own endpoint so that...
OK.
Joe Potchanat
Fraud would be less of a thing. Yeah, but it's right. It was great for the consumer. It was great for the credit card companies. Not as good for the merchants. But that idea of taking away that ability for someone to individually charge you for something or to take away your money, and say, no, that's forgiven, we're going to redirect the funds, yeah, and get your money back. So that would be a great day for the consumer. Well, Joe, thanks again. Thank you very much.