This October marks almost eight months since Baldwin Wallace University’s network was the target of a cyber-attack. Despite the time that has passed, BW’s Information Technology Department says it is not yet in the clear: “The chances of it happening again are high for at least the first 12 months after the first strike. So, even now, we’re not out of the woods,” said Greg Flanik, chief information officer of the IT Department. “It’s unfortunate that it happened, but I think it was a good wake-up call.”
Knowing this, Flanik and his team have been preparing the network for another incident. He said, “One of the things that we do is that we intentionally phish and send spam and junk mail to people… everyone gets tested. And it’s up to the student or faculty to decide ‘Hey, this doesn’t look right,’ and delete it or report it.” He explained that since the attack, students and faculty alike have gotten better at spotting spam, with an improvement of 50% on the student side and almost 50% on the staff and faculty side.
However, Flanik was quick to note, “All you need is one. So, we still have opportunity for people to really learn and get smarter about it.”
Daniel Ajon, information security analyst, said the team will be promoting Cybersecurity Awareness Month during October. “This takes the whole community. It’s not just the work of IT to keep us safe. Criminals know that too. This is an opportunity [for us] to try and raise awareness about cybersecurity,” said Ajon.
Aside from this, the foremost effort to improve the network thus far has been implementing multi-factor authentication. Flanik said that the IT Department is also considering experimenting with a no-password system.
“You would maybe use a token key, very similar to the old USB keys that you would stick in. Some of these are touch ID or little radios. So, we would give those out to people, you could keep them on a keyring, sit at the desk, and the computer would know it was you. Then, it would trip the two-factor identification on your phone just to make sure someone didn’t grab your keyring,” he said.
There is another option the IT Department can choose to implement instead of this: a zero-trust network.
“What if we delineated that there was no difference between when you were at home or when you were at school? Maybe things should almost be as tight as when you are off campus as when you are on,” Flanik said. “Instead of having a network drive that you could click on, you would have to access your files through a virtual desktop.”
He explained that while this may be tedious for students and faculty alike, it would make the system much safer. He said, “Everything since January 29 has had us moving towards this zero-trust model. I think that, with some of the other applications we have been doing, is making things better.”
Ajon agrees that the IT Department is going in the right direction. “We are a lot stronger than we were before the attack.”