Indiana Cybersecurity Hub

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, takes us through the buffet line and explores what we should keep in mind when it comes to our understanding our appetite for cybersecurity risk.  

By David Dungan

I love going to a buffet, seeing all of the different kinds of foods laid out.

Of course, there might’ve been a time (or two) when I found myself filling up a couple of plates before I’ve taken the time to sit down. Thankfully, my appetite is no longer as large as it used to be when I was a teenager and, nowadays, it’s not such a struggle to finish all of the food that I put on my plate.

But, just as it’s a good idea to have an understanding of what your appetite is when going to a buffet, it’s also a very important skill to have when it comes to cybersecurity.

An organization's risk appetite is the amount of risk that they are willing to accept and not accept in order to continue with its mission and complete its objectives. This is often determined in conversations that take place between the executive and its security teams to ensure that all parties are on the same page regarding the organization's appetite.

You may wonder why an organization would need to determine a risk appetite; shouldn’t they just seek to eliminate all risks? Unfortunately this approach has two key issues. The first issue is that an organization that is unwilling to take any risks is not going to be able to accomplish their objectives. For instance, if a convenience store is unwilling to risk having their payment processors compromised and removes them, they are going to miss out on a potentially large amount of business from people that do not use cash.

The second main flaw of that approach is that treating all risks as unacceptable does not allow the security team to prioritize risks. If all risks are seen as equal, the security team is likely to focus on removing as many risks as possible and only focus on the risks that are easy to remove. Even with an infinite budget and infinite time there will be some risks that cannot be prevented. So without a prioritization of certain risks the most important risks will end up not being addressed at all, thereby making it more difficult for an organization to fully protect its assets.

Of course, once you understand why a risk appetite is important, it’s equally important to know how to best determine your risk appetite.

In order to do that, it’s imperative that you possess the knowledge that there are four main ways to respond to a risk:

• Avoidance - choosing to avoid a risk means developing a different approach in order to avoid the risk altogether.
• Acceptance – involves acknowledging the risk may happen and using no resources to deal with it, after determining that it’d either be very unlikely to occur or even if it did, it would not have a high cost.
• Mitigation – defined as taking measures to reduce the risk or reduce the likelihood of the risk occurring.
• Transference – a decision, in which the risk is transferred to another party. For instance, a decision is made to store critical files on a Google drive rather than on your own devices.

In order to decide how you will respond to the risks that are out there, you’ll need to first identify what risks your organization has and what the impact of those risks would be. This process is called risk analysis. The first step of risk analysis is making a list of all of the risks that your organization faces. This is, often, a challenging step because it will be an extensive list, but there are resources to help you with this.

Once all of your risks have been identified, you’ll want to create what is known as a risk assessment matrix. This is a table where each risk is listed down one side and is given a score for how likely the risk is to occur and what the cost would be if the risk were to occur. These two values are then multiplied together to determine the risk impact for each risk down the line. Once each risk has been analyzed, the impact score can be used to prioritize which risks will be addressed and determine how each risk will be responded to.

Determining your organization's risk appetite is an important step in improving your cybersecurity. By fully understanding your risk appetite, you will find that you will be better able to have a secure strategy for managing that risk.

And while it’s true that misjudging our appetite at a buffet will lead to leaving some food on our plate, misjudging your appetite when it comes to your organization's security can have much more dire consequences that’ll take more than a couple of Tums to take away the heartburn caused by a data breach or a cyberattack.

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, discusses some of the cyber threats that have emerged when using two-factor authentication (2FA), and what you can do to make sure a would-be cybercriminal doesn’t try to create an off-ramp to try and bypass what is otherwise, a secure method for protecting your personal and financial information.

By David Dungan

Have you noticed anything different while logging in to your online accounts recently?

Some apps have abandoned traditional logins with user passwords in favor of utilizing Time-Based One Time Passwords (TOTP) and/or Two-Factor Authentication (2FA) to bolster account security. 2FA combines the standard password login with a second step, to authenticate that the user is, genuinely, the account owner.

Two-factor authentication (2FA) is highly effective, blocking over 99 percent of automated attacks and significantly reducing successful breaches, even if a password is stolen. That being said, it’s important to keep in mind that no system is entirely foolproof.

Factors that are used for authentication include:

• Something you know: Passwords, PINs, security questions
• Something you have: Phone, smart cards, email account
• Something you are: Fingerprint, iris scan, facial recognition
• Somewhere you are: Based on geolocation or internet network

2FA implementations combine two of these factors. The account login process is more secure because you have to prove your identity by more than just typing a password. If a cybercriminal were to try and circumvent your 2FA, it’s likely they would use one of the following methods, such as:

• Phishing: Setting up a fake login page to steal your credentials and the 2FA code.
• SIM Swapping: Through social engineering, an attacker could gain access to your SIM card in your phone, obtaining 2FA codes sent using a text.
• Compromising your email: By obtaining access to your email account, an attacker could obtain 2FA codes sent via email.
• Keylogger: By planting malware that records keystrokes, an attacker could obtain 2FA codes. Often this type of malware originates from a phishing email or download link.
• Session Hijacking: After logging into your account via 2FA, an attacker could steal the security token stored by the browser that is needed for account access.

Fortunately, there are several recommended best practices that you can follow to keep your accounts and, most importantly, your personal information more secure, including:

• Using strong passwords: Passwords should always be strong and secret.
• Consider using a password manager: Password managers can create and securely store complex, unique passwords. Some examples include: 1Password, KeePass, and Bitwarden.
• Locking down your email client: Protect your email with a strong password and use 2FA.
• Avoiding 2FA texts: Whenever possible, opt for authenticator apps like Google Authenticator, Authy, etc.
• Watching out for malware: As always, be sure not to click on any suspicious links or websites before verifying that they are legitimate.
• Adding a PIN for your mobile carrier: To avoid phishing, set up a security PIN or passphrase with your mobile service provider.

With 2FA becoming increasingly commonplace due to its effectiveness in preventing login credential hacks, it is without a doubt that cyber threat actors will attempt to find methods to bypass it.

By staying vigilant and following best practices, you’ll be better able to protect yourself from running into a digital roadblock.

There are some things that happen in life that shake us to our core. Worst of all, it can happen in an instant.

The phone rings, it’s your grandson calling and he’s telling you that he’s been involved in an accident; he’s hurt and he needs your help to pay for some of the damage and asks you to send him $1,000 as soon as you can. In that moment, his voice sounds familiar to you and knowing him as you do, you want to help and make sure he’s safe, right? You send him the money.

Unfortunately, it’s not long after that you discover that not only was your grandson not injured, but that it also wasn’t HIM that called. Rather, it was a cybercriminal who was able to engage in a “grandparent scam” by using artificial intelligence (AI) to clone his voice.

And, sadly, here in Indiana and across the country, these criminals are creating fake calls, emails and text messages to convince their victims that a family member is in distress. In doing so, they skillfully express (what appears to be) a genuine sense of urgency, along with some pressure tactics, and unusual payment methods – such as gift cards and wire transfers -- to steal hundreds, if not thousands of dollars, from every single person they target. It’s heartbreaking.

The Justice Department recently announced that it charged 25 people from Quebec, Canada, for allegedly participating in a "Grandparent Scam" that defrauded elderly individuals out of more than $21 million in Vermont and more than 40 other states.

In another case, 13 people were charged in a $5 million elder fraud scheme targeting more than 400 people through fake calls that were generated from the Dominican Republic.

To protect yourself, stay calm, hang up immediately and, according to the Federal Trade Commission, don't trust the voice and, instead, call the person who supposedly contacted you and verify the story. Use a phone number you know is theirs. If you can’t reach the relative allegedly calling you, try to contact other family members or friends who may be able to reach them.

Additionally, people are reminded not to let an unknown caller rush you into a decision, as creating panic is key tactic that is intended for you bypass your critical thinking. Also, be sure to never send money to purchase gift cards or wire transfers to give to someone you don’t know or whose identity you haven’t verified. If, in the event you send any money to someone you suspect is part of a scam, inform your bank or credit card company immediately.

Another important tip is to manage your social media accounts and limit, as much as you can, the personal information that you share publicly, as scammers can use it to make their story more convincing.

If you’re targeted, there are several steps you should take, including:

• Report the incident.
• Contact local law enforcement, your bank, and the Federal Trade Commission (FTC) to report the scam.
• It is also recommended that you file a report with the FBI and the Internet Crime Complaint Center (IC3).

In Indiana, if you suspect you might be a victim of identity theft (whether you’re an individual or part of a business), you are encouraged to visit the “Report a Cyber Incident” page on the Indiana Cyber Hub website.

Knowing that our loved ones will be there when we need them is something that all of us can take to heart and is, no doubt, reassuring. And while it’s true that the sophistication of the tactics cybercriminals use to run their scams continues to grow, it doesn’t mean we shouldn’t trust our instincts to protect ourselves and our loved ones.

Owning and operating a small business is, in some ways, all at once, the fulfillment of a dream and an experience that can come with a lot more stress that you might have otherwise expected, right?

And regardless of the type of business you’re in, cybersecurity is one issue that can’t be completely ignored.

Ransomware has become an increasingly prevalent threat to businesses of all sizes in recent years, likely because the perpetrators, often, are able to extort significant sums of money from them. By one estimate, 71 percent of ransomware attacks target small businesses, with an average ransom demand of $116,000. Much of this comes from the fact that businesses, today, are digitally connected to employees (even if it’s just you), your vendors and, of course, your customers.

No business is too small to be a target.

From ransomware to phishing, cyber threats are growing. In 2024, the FBI reported more than $2.7 billion in losses from business email compromise alone, just one of many threats businesses face. Of course that is, understandably, where the challenges come in. Small and mid-sized businesses are especially vulnerable because they may not have as many resources to dedicate to cybersecurity. With that in mind, there are some important and easier than-you-might-think ways that are achievable to protect your business.

Here in Indiana, the Indiana Small Business Development Center (ISBDC), a program of the Indiana Economic Development Corporation (IEDC), is committed to providing Hoosier small businesses with easy to understand and ready to use resources that can help avoid or reduce the impact of cyber incidents. The GCA Cybersecurity Toolkit is a no-cost resource for small business owners as they improve their security. You can select from a wide range of tools to find the resources that best fit you and your business' needs.

At the federal level, the Cybersecurity Infrastructure and Security Agency (CISA) recommend that businesses at all levels implement eight cybersecurity best practices, and it offers a variety of no-cost information, services and tools. To get started, CISA suggests following four essential steps to safeguard your data and enable your employees to stop attacks before they happen, including:

• Teaching Employees to Avoid Phishing
• Requiring Strong Passwords
• Requiring Multifactor Authentication (MFA)
• Updating Business Software

With the four essentials as your foundation, you can level up by implementing four additional practices.

• Use Logging on Business Systems: Log activity so your team can monitor signs that threat actors may be trying to access your systems.
• Back Up Business Data: Incidents happen, but when you back up critical information, recovery is faster and less stressful. Put a backup plan in place that aligns with your organization’s recovery point objective to protect your systems and keep things running smoothly.
• Encrypt Business Data: Encrypting your data and devices strengthens your defense against attacks. Even if criminals gain access to your files, information stays locked and unreadable.
• Report Cyber Incident Information to CISA: When organizations and CISA share threat information, everyone is more secure. Report incidents to help CISA warn others and get information in return to help you stay ahead of threats.

For additional information as it regards reporting a cybercrime, be sure to visit the Report a Cyber Incident website page on the Indiana Cyber Hub.

As a business owner, who’s committed to serving your customers while at the same time protecting the assets that you’ve worked hard to achieve, being cyber resilient will also help in preserving your company’s image and reputation. And it’ll provide you with a greater piece of mind knowing that what you’re doing can help you to proactively protect all that you’ve invested in toward achieving your dream. Moreover, these are goals that are within reason and within your budget.

Cyber threats and cyberattacks are a reality; by now, you’ve probably heard someone say that it’s not IF your company will be impacted, but WHEN. But that doesn’t mean it has to disrupt your business.

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, discusses how cybersecurity has evolved, in terms of its importance, for protecting the assets of an individual as well as the critical infrastructure that exists within the communities where we live.

By David Dungan

As the digital landscape continues to evolve, we’ve come to the realization that cybersecurity is a necessity when it comes to protecting not only our personal information, but it is also essential to safeguarding the critical infrastructure that exists within every community in Indiana, regardless of its size.

Being proactive can make a difference in mitigating risks and maintaining a level of consistency in terms of our security.  Cyber threats are no longer rare events, they’re a constant reality for individuals, businesses, and institutions. The number of cybercrime complaints per year has steadily increased since 2020 from under 780,000 to almost 900,000 in 2024. Whether it’s protecting sensitive data, ensuring system uptime, or avoiding financial loss, cybersecurity has become a vital part of navigating today’s world. Understanding the value of early investment in strong security practices is key to staying secure and resilient.

Cyberattacks are more than just technical problems, as even a minor incident can, potentially, carry with it, significant consequences for financial and operational well-being. The impact is wide ranging – from ransom demands and regulatory fines to losses in productivity and a negative impact on a company’s reputation. The overall cost of a breach can escalate rapidly.

One disruption can lead to:

• Missed deadlines
• Lost customers
• Expensive recovery efforts
• Legal consequences
• Negative impact on your reputation, image, or brand
• Fines

More than that, these risks are not limited to large organizations; small- and medium-sized businesses in the private sector, as well as local government (including our schools) and individuals can face even greater challenges recovering from an attack due to a variety of issues that include limited resources and a lower level of security controls.

It’s no secret, too, that the cyber incidents and cyberattacks we’re seeing and experiencing continue to increase at a rapid rate, both in terms of their sophistication and frequency.

In 2020, the FBI reported that it received over 2,000 internet crime complaints a day. The FBI also reported that there were $4.2 billion in victim losses in 2020. From 2020 to 2024, both the frequency and cost have increased, with the financial loss being more than double what it was in 2020. As attacks become more common and costly, cybersecurity has become a necessary part of any responsible strategy. Phishing attacks were the most frequent in both years. These are attacks, in which someone tries to trick you into doing something by pretending to be a trusted source. This means even basic awareness and preventive measures can make a meaningful impact.

Investing in cybersecurity protects more than just data; it safeguards the ability to operate, grow, and adapt. In addition to helping to reduce the likelihood of costly disruptions, it enables even a smaller business or organization to  and build a reputation for responsibility and trust.

It even helps financially, as companies that regularly trained its employees on phishing attacks had a larger return on their investment. When an attack does occur, the Cybersecurity Infrastructure and Security Agency (CISA) reported that companies with incident response plans recovered at a rate that was 77 percent faster than companies without one. If that incident caused a disruption to operations, a company with an incident response plan would save more resources like time and money. For the individual, someone could mitigate their risk by taking the time to educate themselves and be aware of possible threats like phishing attacks or fraud that can be hidden in a text, an email or a deepfake video.

As we celebrate Cybersecurity Awareness Month in October, it’s important to keep in mind that investing in cybersecurity is something that can provide a return and pay a dividend every day and it’ll help in building our confidence to navigate the challenges ahead of us while at the same time avoid more of the scams that have landed in our inbox since we started our day!

As we come together to celebrate National Cybersecurity Awareness Month in October, the Hoosier State is continuing to go “all in” when it comes to protecting its citizens whenever we’re online, whether we’re paying our utility bill, looking for tips to protect our kids, or safeguarding the power grid or water supply that we rely on within the community where we live.

Highlighted by the proclamation issued this week by Governor Mike Braun, the State of Indiana recognizes that it has a vital role in identifying, protecting its citizens from, and responding to cybersecurity threats that may have a significant impact on our individual and collective safety and privacy.

At the same time, because our critical infrastructure is increasingly reliant on information systems and technology to support financial services, energy, telecommunications, transportation, utilities, health care, and emergency response systems, it recognizes the fact that cybersecurity education and awareness are crucial for all of us as part of our everyday life.

In an effort to capitalize on that commitment, Indiana is uniquely positioned as a nationally recognized leader in cyber governance thanks to two resources that are unlike any that can be found in many other states – the Indiana Cyber Hub website and the Indiana Executive Council on Cybersecurity.

Indiana Cyber Hub

If you’re reading this blog, you’ve already discovered our website, which features a wide range of free cybersecurity resources, best practices and tips. Moreover, the information is   provided by trusted sources from both the public and private sectors and is intended to help all Hoosiers build on their understanding about cybersecurity, broaden their awareness, and learn more on how to protect ourselves, whether we’re at home, at work, at school, or we’re online, engaging with others on social media, or checking the balance on our checking account.

Divided into six primary sections, including Business, Government, Education, Individual, Assess Yourself, and Report a Cyber Incident, the Cyber Hub features dozens of links for everything from the Indiana Cybersecurity Scorecard that an office manager, executive, or IT manager can use to start a conversation about the cyber readiness of an organization to several different free-to-download toolkits involving education, healthcare, cyber insurance, and privacy, among others.

What’s more, there are links to guide parents and families on tips for safely using the Internet, as well as information related to pursuing a career in cybersecurity, and on a broader scale, a Cyber Threat Sharing page, with information that can help an organization identify, assess, monitor, and respond to cyber threats, including those posed by Nation State Actors in China, Iran, North Korea, and Russia.

The content on the Cyber Hub website is regularly updated and it also features a weekly blog, featuring the perspective of trusted and knowledgeable experts, as they discuss topics related to the latest trends, threats, and issues surrounding cybersecurity. If you’re interested in learning more about how cybersecurity is influencing our world, including here in Indiana, you can subscribe at no cost by signing up today.

Indiana Executive Council on Cybersecurity

The state’s cyber strategy first began in 2009 and continued through 2016, with the

completion of a unique critical infrastructure tabletop and operational exercise — known as Crit-Ex. From there, Indiana has continued to assert its leadership in cyber governance.

Working from these foundational achievements — along with the recognition that securing Indiana’s information technology infrastructure and industrial control systems is beyond the reach of any single entity — the Indiana Executive Council on Cybersecurity was formed, through an Executive Order by Governor Mike Pence in 2016. Soon after that, it was followed by Indiana’s decision to hire its first, fully dedicated cybersecurity program director in March 2017 to help facilitate the Council in fulfilling its purpose.

The IECC is unlike any government organization of its kind. And the progress that has been made is remarkable, given the fact that much of its work was accomplished, initially, amid a global pandemic and during a time of an unparalleled number of cyber threats and attacks that occurred from 2021 through 2024. From its inception in 2017 through September 2025, more than 400 people have served as advisory members of the IECC and all of whom have done so entirely as volunteers; saving taxpayers millions of dollars in their service as Council members.

Following on the successful completion of two, three-year statewide cybersecurity strategic plans in 2018 and 2021, the IECC, earlier this year, presented to Gov. Braun, a 65-page report, entitled the State of Cyber Report 2021-2024.  As part of its work, the IECC completed 84 percent of its 80 identified deliverables and 79 percent of the 151 objectives. The achievement included 11 new deliverables and 17 new objectives that were added to the 2021 Indiana Cybersecurity Strategic Plan that was originally presented to Gov. Holcomb in October 2021.

Now, as the IECC continues with its mission, in 2025, it has adopted a new vision to “organize, train, and equip all Hoosiers with cyber resilience”, with the intention of identifying and completing a new set of deliverables that, in turn, is expected to lead to the adoption of even more cybersecurity policies and initiatives that are designed to provide Hoosiers with the opportunity to increase their awareness for all things cyber.

Among the deliverables that are being planned for include:

• Conducting a tabletop exercise involving hospitals and healthcare providers in East Central Indiana.
• Authoring a series of blogs -- written by experts in banking -- alerting consumers to potential cyber threats related to Bitcoin ATMs and artificial intelligence.
• Outreach effort to students, who are gamers and participate in esports to consider a career in cybersecurity.

The deliverables will be discussed as part of an upcoming IECC quarterly meeting on October 31^st, with these activities to be included as part of a statewide cybersecurity strategic plan in 2026.

To continue with the cyber celebration, the IECC is supporting CISA with its cyber awareness campaign. Entitled “Building a Cyber Strong America”, the messaging is centered on highlighting the need to strengthen the country's infrastructure against cyber threats, ensuring resilience and security. Additionally, CISA is joining again with the National Cybersecurity Alliance (NCA) “Stay Safe Online” campaign, which is all about the simple ways to protect yourself, your family and your business from online threats.

With all of these free resources, the opportunity exists for all of us to do what we can – wherever we are – to be safe and more secure whenever we’re online. And that’s a reason to celebrate, right?

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, examines the steps that students – from high school to graduate studies – should take when it comes to protecting their own personal data while, at the same time, being aware of the free resources that are available to help you stay protected.  

By David Dungan

In our society, educational institutions such as preschools, primary schools, secondary schools, colleges, and universities have the primary responsibility to educate students and help prepare them for a life outside of the classroom.

At the same time, in gaining an education, students need to equip themselves with the skills necessary for protecting their own personally identifiable information (PII). This is especially true when you consider:

• Just last month, iClicker fake pop-ups were used to install malware onto students’ devices;
• Pearson, a leading education company that works with schools, universities, and individuals in over 70 countries, experienced a cyberattack that led to a threat actor gaining access to a portion of their system and exposing some customer information.
• Numerous Indiana schools were among the millions of students and educators globally, who were impacted as the result of a cyberattack related to a PowerSchool data breach that occurred late last year.

Fortunately, there are several key steps and a wealth of free resources that students, as well as their families, are encouraged to follow and access as a way to protect their PII

First and foremost, it’s essential to know and understand your rights under the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA), which highlights the rights of parents and families.

In understanding these requirements, schools eligible for government funding are not allowed to disclose student PII, such as social security numbers, birthdays, and any combinations of information that can be traced to an individual, or to third parties without consent. However, there are some exceptions. Parents and students 18 years and older can request the removal or amendment of files. Likewise, these same schools must also have parental consent or the consent of students above 18 to opt out of surveys, physical examinations (again, with some exceptions), and PII collected for marketing or sales. Furthermore, students can report violations of FERPA and PPRA to the Student Privacy Policy Office (SPPO).

As you continue with your education, it’s a good idea to think critically about the tools, programs, and systems you use, including:

• Contacting your school: If you hear about a potential breach, the first step is to directly contact your school to confirm if your data was affected.
• Looking for direct notification: Schools are legally obligated by state laws to notify affected individuals if their PII has been compromised. These notifications must be direct and timely.
• Searching data breach databases: Use trusted, non-profit resources like the Privacy Rights Clearinghouse and the K12 Security Information Exchange (K12 SIX), for some of the latest information about cybersecurity incidents that are impacting educational institutions.
• Monitoring financial and online accounts: After any potential breach, monitor your credit reports and all financial, email, and social media accounts for unusual activity.

Additionally, there’s a benefit to finding options that limit access to your information and consider companies with cybersafe practices.

• If you don't know which companies use safe cybersecurity practices and which do not, consider doing some research on the company or seeing if they are on a list such as the Security Scorecard public ranking. This listing ranks companies in order based on how secure they are.
• Be sure, too, to look at haveibeenpwned.com. This website takes your email address and searches known cyberattacks to see if your email has been leaked in a data breach. If you find out your information has been compromised, you should change your passwords and lock your credit card if it was attached to the account that was leaked.

Whether you’re still in high school, attending college, or you’re out there working a full-time job as part of a co-op or an apprenticeship, the potential is there for you to have many different experiences. And along the way, you’ll no doubt find yourself in situations that involve sharing – in some form – personal information that is uniquely yours.

As part of that journey, taking into account your digital safety will help in creating an outcome that’s more secure and, best of all, is in your own hands.

If cybersecurity awareness were a baseball doubleheader, the first game, you might say, would be played in September with National Preparedness Month and the second game of the twin bill would occur in October with National Cybersecurity Awareness Month.

Because just as the pennant races give way to the playoffs and the Fall Classic, otherwise known as the World Series, it’s over that same time period of time – a couple of months -- that we have an opportunity to remind ourselves of the importance to stay safe whenever we’re online.

After all, both campaigns are intended to make us feel good, educating us with all kinds of best practices, resources, and tips that are provided to us with the confidence of a major league pitcher giving us a recommendation on how to throw a 100-mph slider. And whether we’re at home, at work, at school, or we’re engaging with our friends or family on social media, the importance of incorporating these steps – as part of our daily life – can’t be understated.

In 2025, the theme for National Preparedness Month is “Preparedness Starts at Home”. As it relates to cyber, everyone is encouraged to adopt the "Core 4" principles that include:

• Using strong, unique passwords and a password manager
• Enabling multi-factor authentication (MFA) on accounts
• Updating your software to patch vulnerabilities
• Recognizing and reporting scams
  • It’s a good idea to secure your home network by changing default router passwords, use strong antivirus software, and regularly back up your important files to an encrypted format.

Additionally, the Ready.gov cybersecurity website offers a wide range of steps that you can take to be prepared, ranging from additional information on ways you can protect yourself and the steps to take – and who to contact – if you suspect that your personal or financial information has been compromised. Here in the Hoosier State, you can also visit the “Report a Cyber Incident” website page on the Indiana Cyber Hub on what you need to know as it relates to reporting a scam to the authorities, whether you’re an individual or you’re a part of an organization that’s been impacted.

Of course, once we’re through September, it’s on to October and a month-long opportunity to remind ourselves of the role that cybersecurity plays in our daily life – every day of the year!

Originally launched in 2004 by the National Cybersecurity Alliance (NCA) and the U.S. Department of Homeland Security, Cybersecurity Awareness Month is intended to encourage the public and private sectors to work together to raise awareness about the importance of cybersecurity through education, engagement, and shared responsibility.

For its part, in 2025, CISA’s theme for Cybersecurity Awareness Month is “Building a Cyber Strong America”, highlighting the need to strengthen the country's critical infrastructure against cyber threats, ensuring resilience and security.

As we’ve come to realize, cyber threats don’t take time off and, throughout the month, CISA will be encouraging all U.S. small and medium businesses and state, local, tribal, and territorial governments to take one action each day to improve their cybersecurity.

Cybersecurity is more than an IT issue – it’s a public safety and economic security priority. Many organizations are part of the nation’s critical infrastructure, from local utilities and transportation systems to hospitals, schools and public safety agencies. And many small and medium size businesses play an important role in critical infrastructure, who might be suppliers, contractors, vendors, manufacturers, or another role that helps keep critical infrastructure operating.

To celebrate, CISA is recommending that companies, agencies, and organizations follow four key steps to underscore the importance of cybersecurity, including:

• Recognizing the opportunity: Cybersecurity Awareness Month is your chance to engage your entire organization on the importance of cybersecurity. Whether you’re shaping policy, leading a team or simply practicing more secure habits, your involvement matters.
• Getting your customers and vendors involved: Share cybersecurity best practices with your customers and vendors and encourage them to commit to stronger cybersecurity. We all need to do our part to keep our communities safe.
• Planning your participation: Use the ideas and no-cost tools in this guide to promote Cybersecurity Awareness Month throughout October. Coordinate with leadership, IT, HR and other teams to ensure consistent messaging.
• Thinking long term: Talk with leadership and IT about adopting cybersecurity policies that include all of CISA’s best practices. Include your vendors and partners in the conversation so your whole supply chain is more secure.

With all this talk about baseball, it’s a popular phrase to say “let’s play two”; a quote attributed to Chicago Cubs great Ernie Banks, who once expressed his joyful love for the game and the desire to play a doubleheader on a beautiful day.

With that in mind, as September gives way to October, we’ll soon get the opportunity to see two teams battle for a World Series championship while, at the same time, we can improve our skills at being better prepared. And perhaps, we'll walk it off and sweep both halves of the doubleheader from a would-be cybercriminal. That would be beautiful, right?

Of all the cybersecurity threats that are out there, none are more calculating, or, perhaps, possess a more chilling impact than those that take advantage of children.

First observed annually on September 1st in 2018, National Child Identity Theft Awareness Day is intended to call attention to child identity theft and educate all of us about what we can do to protect our children. In doing so, it’s also the perfect time – with the start of the school year – to educate parents about identity theft and how they can protect themselves and their family.

According to Indiana Attorney General Todd Rokita, child identity theft is on the rise. In fact, it’s been reported that 1.3 million children have their identities stolen every year. It might surprise you to know, the term “identity theft” is not something that suddenly starting trending on social media; it was created 61 years ago after it first appeared in 1964 in a Montana newspaper to describe the physical theft of documents, such as Social Security cards and credit cards.

Initially, it was believed that only an adult could have their identity stolen. However, it was later discovered that criminals were also targeting children because all their information is available on the web. Often times, a child’s sensitive personal information is used to illegally:

• Apply for government benefits, including health care coverage or nutrition assistance;
• Open a bank or credit card account;
• Apply for a loan;
• Sign up for a utility service, such as water or electricity;
• Rent a place to live.

Fortunately, as recommended by the Federal Trade Commission (FTC), there are several steps you can take to protect your child’s personal information, including:

• Insisting on asking questions before giving anyone your child’s Social Security number;
• Protecting documents with personal information;
• Deleting personal information before disposing of a computer or cell phone;
• Freezing your child’s credit.

Of course, in the event you suspect someone is using your child’s personal data, be sure to keep an eye out for some potential warning signs, such as:

• Someone contacts you about your child’s overdue bill, but it’s not an account you opened.
• You’re denied government benefits (like health care coverage or nutrition assistance) because someone is already using your child’s Social Security number to get those benefits.
• You get a letter from the IRS about unpaid income taxes for your child. This could happen if someone used your child’s Social Security number on tax forms for a new job.
• Your child is denied a student loan because your child is reported to have bad credit. This could happen if someone used your child’s Social Security number to get a credit card, open a cell phone account, or set up a utility service and hasn’t paid the bills on time, if at all.

Additionally, there are a host of government agencies, as well as non-profit and for-profit organizations that have been formed to defend against identity theft. They focus on victim assistance, consumer education, and identity monitoring services.

Here in the Hoosier State, there are also other free resources. As featured on the Indiana Cyber Hub website, you can visit our Parents page for additional ways to safeguard your child’s personal data. The page also includes a wide range of websites – ranging from the Family Educational Rights and Privacy Act (FERPA) to seven tips from National Child Protection Task Force for keeping kids safe when they’re online.

As with a lot of things in cyberspace, creating a greater degree of awareness and understanding of the threats we face relies on our ability to be vigilant and that it’s OK to trust our instincts. That’s why, too, we have the opportunity to observe National Child Identity Awareness Day to remind us on what we need to do to help keep our kids – and ourselves – stay safe when whenever we’re online.

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In today’s blog, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, reminds us to be alert to the important features we need to look for when it comes to making sure that a website is truly secure.  

By David Dungan

For everything you’ll hear about what it is we should focus on in today’s digital age, website security really is more important than ever.

And whether your job relies on providing a shopping service, sharing information about a service or product, or hosting a social platform, a secure website builds trust with your users by protecting them from cyber threats.  The same is true for your employees, as well as the vendors that work with your company or organization.

Of course, website security isn’t just a concern for business owners or developers, it’s something that all of us should be aware of. In doing so, it’s important to keep in mind that recognizing the traits of a secure website is a critically important step we need to follow, especially whenever we’re accessing our bank account, making a purchase, or visiting any website that involves disclosing our personal information.

And while it might be understandable to think spotting these types of features is something that, by now, is or should be second nature, think again.

Cybercriminals exploit the traits of secure websites by using them as cover for phishing, malware, and brand impersonation attacks. By leveraging legitimate features like HTTPS and domain validation, attackers trick users who have been trained to look for those signs of trust.

Recent data suggests they’re working to try and do just that, as evidenced by the fact that studies from 2024 and 2025 report that over 90 percent of phishing sites use SSL/HTTPS encryption to appear legitimate, according to Vocal and Keepnet Labs. This tactic exploits the common expectation that a padlock icon indicates a secure connection, effectively "hiding in plain sight" to deceive users.

Fortunately, there are several defining steps we can take when identifying (or creating) a secure website, including:

• HTTPS Encryption – Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website. HTTPS is encrypted in order to increase security of data transfer.
• Strong Authentication Measures - Secure websites recommend users to utilize strong passwords when creating an account. It’s a good idea, too, to use unique passwords and be sure not to re-use the same password. Measures like this are often paired with two-factor authentication (2FA).
• Website Backups - Backups are vital to helping businesses prepare for the worst-case scenario. Backups allow for quick website recovery in the event of the website being taken down due to malware or cyber-attack
• Use Anti-Malware Software - Anti-malware software protects against malicious programs, such as viruses or malware. You can use this software to scan the site for malware and alert when any is detected. It can also be used to remove any malware that is found. This allows for the website to be secure from any malicious software that may find its way into the website.

In today’s digital society, it’s OK, too, to feel overwhelmed, at times, by our online experiences. And some of the threats we face are advancing as rapidly as the technologies we’re using to protect ourselves against these attacks. That’s especially true, both in terms of the frequency at which a lot of this is happening and the sophistication of the techniques that are being used by nation state actors and cybercriminals.

The best approach we can use is to remember that website security is not just a technical requirement, but that it’s a critical piece of user trust and online safety. And by prioritizing these measures will help ensure that your website remains a safe space for users to browse, shop, or interact with others and the same will be true when visiting the website to manage our checking account or visiting our favorite store.

In every corner of the Hoosier State, from Lake and Steuben County to Switzerland and Posey County – and everywhere else in between – County Emergency Management Agencies (EMAs) provide a vital public service.

In doing so, these agencies work with other public safety partners and organizations to prepare for, mitigate, respond to and (help all of us) recover from emergencies. In doing so, they skillfully utilize every available resource to handle every threat, be it a natural or man-made disaster, or a cyber incident or cyberattack.

To celebrate their dedication and service to our communities, Gov. Mike Braun recently issued a proclamation declaring EMA Appreciation Week as Aug. 17-23, 2025. Led by Public Safety Secretary and IDHS Executive Director Jennifer-Ruth Green, the Indiana Department of Homeland Security recognizes the efforts and accomplishments of all emergency managers statewide and invites Hoosiers to join in honoring them during EMA Appreciation Week.

In addition to the work we might see as part of an urgent call, emergency managers help create disaster response plans, organize training that includes first responders and other community partners to practice response plans. They also draft preparedness plans that are designed to help minimize the impact of disasters, and they work with state and federal agencies on assistive programs to find the most effective methods of disaster recovery.

To get the job done, a wealth of free-to-download emergency response and recovery resources are available on the Indiana Cyber Hub website, including the Indiana Emergency Manager Cybersecurity Toolkit 2.0.

First introduced as a first-of-its-kind resource in 2019, the toolkit is updated with newly released information, best practices, detailed plan templates and more. It is an ideal tool for helping an emergency manager to begin conversations with their local partners, as simply and directly as the complexity of the effort allows.

Included in the toolkit is the Emergency Manager Cyber Situational Awareness Survey. Developed by the Indiana Executive Council on Cybersecurity (IECC), National Governors Association (NGA), Cybersecurity Academy participants, and Indiana State University, it is intended to assist local government emergency managers who want to better assess the areas within their purview while developing and exercising their cyber emergency incident response and continuity of operations plans.

In addition to a cybersecurity training and exercise guide, the Toolkit also features four different professionally designed templates that a local municipality, such as a city or county, can download to use for free to develop a cybersecurity incident response plan.

Additionally, the Indiana Cyber Emergency Resiliency and Response State Guide was created to communicate the roles of an effective emergency response to a cyber emergency from the Executive Branch of Indiana government and indicate what roles partners may have during a cyberattack.

As it’s often said, the frequency and sophistication of cyberattacks continues to increase. As it does, the role of an emergency manager and the agencies they oversee is more important than ever.

All the more reason is that we express our appreciation for their service and dedication. At the same time, it’s reassuring to know that there are free resources, such as the EMA Cybersecurity Toolkit 2.0, that are available here in Indiana and that it can be used as a tool to add to our preparedness with a plan before something bad happens, or if it does, we’ll be able to recover in a way that’s safe and secure.

To learn more about how Indiana is showing its celebrating EMA Appreciation Week, be sure to visit the IDHS website, including information on how EMA staff members work daily to plan, train, and practice responding to emergency situations, and what they’re doing to assist other first responders to prepare and respond to emergencies regularly. There is also a 2025 Spotlight, featuring video interviews from emergency managers from across the state, as well as some links with ideas on how you can share your thanks for those who serve your community.

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In today’s blog, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, takes a look through the lenses of today’s smart glasses to share his perspective on what we’re seeing – both in terms of the innovation it represents, as well as the potential for what it means when it comes to our privacy and for those who we’re looking at.

By David Dungan

Smart glasses are a breakthrough in wearable technology, adding visual elements to the wearer without distorting their vision and interaction with the world.

With Meta AI glasses, made in collaboration with Ray-Ban, users can access their camera, record audio, and use artificial intelligence (AI) in a more convenient manner than smartphones. And it’s not just Meta that offers these types of smart glasses, with brands such as Xreal, Viture, Solos, RayNeo, and Amazon Echo Frames. These alternatives also offer features like integrated cameras, open-ear audio, and AI assistants, often with different design aesthetics and focus areas.

However, as their popularity increases and more people purchase them, the question of how they might affect someone’s personal and public safety becomes more prevalent.

A major concern with smart glasses starts with the built-in camera and microphone, which are always on and listening for the cue. Because of this, the features also affect people who aren’t wearing the glasses, especially if they’re unaware that the glasses are being used to record them. And while it’s true smart glasses could be useful in a courtroom, recording other people without their permission or knowledge can be tricky, especially depending on where you are when it happens. In particular, it could enable a person to engage in doxing or stalking someone or having any identifying information on unsuspecting people (for example, their addresses, classes, schedule, etc.).

Similar to dash cams that are used by drivers, being able to always record something that’s taking place in front of you might help to deter or discourage someone from engaging in unsafe driving/behavior, theft, or withholding information/evidence.

Conversely, it could be used, potentially, to help create safer environments while ensuring a greater measure of accountability. In medical settings, wearable technology provides real-time health monitoring, support, and emergency alerts. In providing hands-free access, it could help in facilitating telemedicine, allowing for remote consultations and diagnoses.

What’s more, cloud storage introduces vulnerabilities and data risks. For its part, Meta attempts to combat safety concerns by adding a small LED blinking light to indicate its recording. However, that feature could be unclear to the people around them and may not adequately inform those who are engaged in a conversation. Additionally, the battery life might not be sufficient for all-day use, and some users report issues with the frame build quality and audio quality in louder environments.

As it is whenever a new form of technology is developed or a product is brought to market, there is a responsibility not only with the manufacturer, but also with each of us, in how we use it. There’s no doubt that smart glasses offer convenience and protection and its features will, no doubt, continue to evolve at a rapid rate.

As it does, we will do well to focus on keeping in mind, as much as possible, the ethical considerations that come with anything that contributes to the collective progress we achieve as a part of our everyday life. And that includes using products in a way that’s not only responsible, but that it’s safe and secure.

When you hear someone refer to the Internet as the World Wide Web (WWW), what comes to mind?

Perhaps, you’re laughing at your Mom or Dad because you’re 23 years old and hearing them talk about what it was like when yahoo.com was, actually, a big deal, is kind of hilarious. Or, maybe, the term “webmaster” – once used to describe someone who created every bit of a website – is a term that’s all but disappeared.

All kidding aside, regardless of your age or generation, or how you might be using technology when you’re online, the World Wide Web is a permanent part of our society. What’s more, it’s intertwined in, seemingly, every aspect of our everyday life. Maybe that’s why later this week, on Friday, August 1^st, we will again celebrate World Wide Web Day.

Of course, before we begin the celebration, it’s important to keep in mind that whenever someone uses the words “internet” and “web” interchangeably, a computer scientist might be tempted take off their lab coat and throw it in the air like Bobby Knight once did with a chair.

You see, the internet, was first conceived in 1969, and it refers to the system of networked computers which makes things like web browsers, web pages, and other applications possible. It would be two decades later, in March, 1989, before Sir Tim Berners-Lee would submit his first proposal for what would become the World Wide Web.

With the help of Robert Cailliau, a Belgian informatics engineer and computer scientist, they developed the HyperText Transfer Protocol (HTTP) and set it up for release in early 1992. Interestingly, the World Wide Web was not initially intended for use by the public and was devised, instead, to be utilized by physicists to share data.

Yet, it would be just two years later, in April, 1993, the Web was put into the public domain, ensuring its place as an open standard. And by year’s end, there would be more than 500 known web servers and the WWW accounted for one percent of Internet traffic. By December, 1994, the number of servers had grown to 10,000. With 10 million users, the Web traffic was equivalent to shipping the collected works of Shakespeare every second.

How does that compare to today?

Given the fact that any server that uses software that communicates with hardware, whether supplied by cloud computing providers or small organizations, can be classified as an online server, it’s virtually impossible to pinpoint just how many web servers are in operation. By one estimate Data Center Trends once believed there were more than 100 million servers around the globe, with many of those being on the internet because they handle HTTP requests, DNS logs, and IP address authentications.

Regardless, it’s safe to say that there exists a mountainous amount of data that we’ve created. In fact, the amount of data generated worldwide soared from 2 zettabytes (ZB) in 2010 to a whopping 64.2 ZB in 2020 — which is more than the number of detectable stars in the cosmos.

In 2025, data creation is predicted to reach 181 ZB by 2025 (that’s 21 zeroes). And in case you’re wondering, a zettabyte is a unit of digital information equal to one trillion gigabytes.

Now that you might be feeling more than a little overwhelmed by all these numbers and bits of data, there are three things you can do to have some fun on World Wide Web Day including:

• Search the web - What other way to celebrate World Wide Web Day than by searching the web? Use this occasion to check out different sites and give in to the power of the web.
• Listen to a podcast - Look, there was no such thing as podcasts before the WWW and the internet entered our lives. So, just do what any millennial would do and instead of watching a typical documentary, tune into a podcast.
• Make your presence known on social media - Without the World Wide Web, there would be no social media. What better way than to thank the person who created the WW by posting photos, statuses, and blogs on social media platforms. It’s the one time, you might say, that it’s OK to stay online all day and no one will judge you!

If nothing else, it gives us all an opportunity to revisit a time when we were surfing the Web while, at the same time, celebrating the fact that we’re not having to dial up a connection on our 56k modem!

When it comes to cybersecurity, we’re often reminded to be kind when we’re online.

The same is true when we’re on our cell phones (or mobile devices). Maybe that’s why, this month, July is National Cell Phone Courtesy Month.

Reminding ourselves that it’s a good idea to be courteous when we’re on the phone is occurring at an interesting time, in that we’ve benefitted from all of the seemingly endless advancements in technology that have turned our phones into something that, at times, we use for everything but to make a call.

Because of this, it’s so much more than about our manners. As never before, phone scams are evolving with the help of artificial intelligence (AI), with sophisticated schemes that have resulted in phishing emails, deep fake videos, and fake voices that mimic real people and organizations that, up until now, we’ve had no reason not to trust. To say that they’re convincing would be an understatement (be sure to check out the timeline of some of the more notable deep fakes).

Robocalls continue to be a significant problem, with billions of calls received by Americans each month. While the Federal Trade Commission (FTC) estimates that scam calls decreased by almost nine percent in April, the financial damage from these calls remains considerable, with millions of dollars lost each quarter. In fact, the increase in the volume of calls reached its highest level since August 2023.

Vishing, or voice phishing, is another significant threat in 2025, with ongoing increases in both the number of attacks and the financial losses they cause. In 2023, vishing incidents rose by 30 percent, with 68.4 million Americans falling victim, according to the GSMA. One study indicated a 442 percent increase in vishing incidents in 2024, reports IBM citing CrowdStrike. This upward trend is expected to continue, with attackers increasingly focusing on bypassing security measures and exploiting human vulnerabilities to successfully carry out attacks.

The FTC estimates that consumers lost $280 million to phone scams in the first quarter of 2025; a figure that translates to roughly 15 cents lost per scam call, according to YouMail. Additionally, a survey from Experian indicates that 21 percent of Americans have lost money to text message scams. When it comes to reporting these crimes, statistically, women acknowledge they are being scammed more often while men tend to lose more money on average.

To help avoid trouble, there are several steps you can take to help make sure the calls you’re receiving are not only more courteous, but could save you money while, at the same time, protecting your identity, including:

• Be skeptical of unsolicited calls and messages. It’s OK to trust your instincts.
• Do not click on links from unknown senders.
• Consider using call-screening apps and services that allow you to block or filter unwanted calls.
• Report scams to the FTC at ReportFraud.ftc.gov.
• Register your number with the National Do Not Call Registry (though this may not stop all robocalls).

Here in Indiana, if you suspect that you’re the victim of a scam, visit the Report A Cyber Incident page on the Indiana Cyber Hub website. And whether you’re reporting it as an individual or as a business owner, there are free resources you can access that’ll take you through the process, connect you with law enforcement and the appropriate authorities, as reporting a cyber crime or incident could help others avoid being impacted.

In addition to being more secure whenever we’re on our phones, National Cell Phone Courtesy Month is a great time to take a page from Major League Baseball’s Home Run Derby and knock one out of the park by practicing good habits and be considerate to our family, friends, and co-workers whenever we reach for our cell phone!

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In today’s blog, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, examines the balance between using Artificial Intelligence (AI) and its many potential benefits with making sure we adequately protect ourselves when it comes to our privacy.

By David Dungan

Artificial Intelligence (AI) is one of the most impactful contributions in modern technology to date. And yet, for all of the advancements it could and does represent, it is very much a work in progress.

Of course, in as much as we’re beginning to use it for a variety of purposes, including, but not limited to, our work, personal advice, translating languages, research, and simply asking random questions, AI is still very new with very little restriction and monitoring.

The U.S. government has yet to implement new nationwide AI and data privacy laws. There are some fragmented policies and a blueprint for an AI Bill of Rights is being developed. However, as all of this unfolds and, arguably, begins to take shape, it is necessary to understand the importance of protecting yourself online in an age where everything is online.

While AI can be an incredibly useful tool, it has the potential to collect all of the data you provide. Some AI engineers may not all follow the best practices or industry standards when it comes to protecting private data, AI can be programmed to remember anything you might tell it, including passwords, IP addresses, phone numbers, family names, the addresses of your home or office, even faces from the images (featuring all of us).

This all can lead to a potentially very dangerous leak, as collecting this data allows for potential cybercrimes like spear-phishing or AI plugins, which can be used to commit theft or fraud. You can always change your password in this occurrence, but you cannot take away any information that you give to AI. That being said, until it becomes more regulated and safeguarded, all of us need to be aware of the steps we need to follow to protect ourselves from cyber threats.

Here are some ways to keep your data private:

• Understand the technology and its privacy policy or policies
• Avoid entering private information (known only to you)
• Use strong passwords for sensitive data
• Utilize a strong antivirus to protect against malicious programs
• Use two-factor authentication

Understanding AI and any website or app you are trying to use is crucial to keeping yourself safe, including as to how it works or what its privacy policy is can help you better understand why it does certain things. A privacy policy is especially important: it details how the AI uses your data. Strong passwords and not revealing private information is not just great for helping to avoid trouble against hackers, as well as guard against password leaks. If the AI doesn’t have your personal information, there is nothing to find. Finally, having a strong antivirus and using two-factor authentication is the, consistently, the best way to secure and protect yourself online in the event there’s a breach.

Ultimately, AI is a tool that needs to be used with care. Any time you share personal information, you risk your safety and privacy, especially given the fact that your data isn’t always being stored and used in ways you would expect. Use it with caution and respect and you will reap many of the benefits that can come from using AI while, at the same time, avoiding some of the consequences that can come from being online (in any form). The more you understand about AI, the more control you’ll have over your privacy.

In case you missed it (or ChatGPT didn’t generate the answer for you), today, July 16^th, is National Artificial Intelligence (AI) Day!

In this space, we do our best to share with you the latest information about what’s happening in cyberspace – everything from the latest best practices, free resources and tips to the knowledge and expertise from recognized experts to provide their guidance in a way that’s intended to protect all of us.

That being said, there are few topics related to cybersecurity that have generated more attention, excitement and concern than AI and its tech savvy mechanism, you might say, machine learning.

Yet, for all of the talk about just how rapidly AI is advancing, it’s been around longer than people realize.

In fact, the idea of AI started in 1950 when Alan Turing published "Computing Machinery and Intelligence" and presented the question of whether a machine could "think for itself." Not long after that, in 1956, John McCarthy coined the term "artificial intelligence" while at the Dartmouth Summer Research Project on Artificial Intelligence. McCarthy, along with several other researchers interested in the project, gathered to create systems that could mimic the thought process of humans, including solving problems and improving learning. At the time, the research project brought some of the brightest minds in computing and cognitive science at the time.

There was a period in the 1970s and 1980s where AI advancements were stagnant due to limited advancements in computing power. However, increased data, more powerful hardware, and advanced algorithmic approaches have brought AI to the forefront to where it is today. The development of large language models like Gemini and ChatGPT in the 2020s marked a significant leap, bringing generative AI into the public consciousness and demonstrating AI's incredible potential for creativity and human-like interaction.

Here in Indiana, with cybersecurity and cyber resilience as a priority, AI is beginning to get a good amount of attention, as evidenced by the Hoosier State’s forming of an AI task force and information provided by the Indiana Department of Education that offers an overview of artificial intelligence (AI) in K-12 education. Focused on AI literacy, instruction and learning, impact, security, and resources, the guidance emphasizes the importance of responsible AI use, critical thinking, and preparing students for an AI-driven future while providing practical guidance for educators and school leaders.

Amid the progress that’s being made statewide and across the country, it’s important to keep in mind that one of the most significant benefits that AI offers is that it is constantly evolving through user interaction. In doing so, that interaction contributes to increasing the intelligence of the AI platform, which is beneficial for increased efficiency and automation for the user because each AI platform has its strengths and unique characteristics. Because of that, AI powers personalized recommendations and adapts to learning the user's needs, customizing their experiences.

Conversely, for all the benefits AI offers, it is certainly now without its challenges and concerns. For instance, in a report by Pew Research, 52 percent of Americans say they feel more concerned than excited about the increased use of AI. And just 10 percent say they are more excited than concerned, while 36 percent say they feel an equal mix of these emotions.

The share of Americans who are mostly concerned about AI in daily life is up 14 percentage points since December 2022, when 38 percent expressed this view.

As with any new technology, it’s safe to say that AI and machine learning are taking a permanent place in our digital lives. The impact that will come, as it progresses, is still, arguably, in our hands, as is the ability to embrace its benefits and the outcomes – for good – that it can provide for all of us.

It’s National Video Game Day.

The fact that it’s actually true reveals some interesting numbers about an activity that isn’t just for kids, especially when you consider:

• Globally, it’s estimated there are 3.32 billion active video game players.
• There are more than five million video games in existence, everything from Minecraft and Fortnite to MLB The Show and the other games we play on a PlayStation 5 or a Nintendo Switch to the games we can play on our phones that are advertised on TV.
• In 2025, it’s projected that the amount of revenue that is generated by gaming will reach $522.46 billion.

Unfortunately, amid all the fun we’re having with that kind of activity, cybercriminals are using phishing attacks to trick gamers into revealing their personal and financial information and their account credentials using a variety of tactics, including:

• Impersonation - Scammers pose as game developers, platform providers (like Steam or Roblox), or even popular streamers to gain trust.
• Fake Offers - They may offer free items, exclusive access, or "beta" testing opportunities to lure players into clicking malicious links or providing information.
• Account Verification Scams -Scammers may send emails claiming your account needs verification, urging you to click a link that leads to a fake login page.
• Browser-in-the-Browser Attacks - These attacks create convincing fake browser pop-up windows that mimic legitimate login pages, even displaying the correct URL, to steal credentials.
• In-Game Scams - Scammers may pose as other players, offering in-game items or upgrades for a fee, then disappear with the money.

Fortunately, just as there are a lot of strategies, we can use to win the game we’re playing, there are some steps you can take to protect yourself when you’re online, including:

• Be Skeptical - Question any unsolicited emails, messages, or offers, especially if they seem too good to be true.
• Verify Links – Be sure to carefully examine the sender's email address and the URL of any links before clicking. Look for misspellings, unusual characters, or different domain names.
• Use Strong Passwords and Multi-Factor Authentication - Create strong, unique passwords for your gaming accounts and enable multi-factor authentication whenever possible.
• Stay Updated - Keep your gaming platform's software and your operating system up to date with the latest security patches.
• Report Suspicious Activity - Report phishing attempts to the gaming platform or service provider and warn your gaming community.
• Be Cautious with Information - Avoid sharing personal information like your address, phone number, or date of birth in public forums or chat.
• Educate Yourself - Stay informed about the latest phishing tactics and security best practices.

Regardless of the type of gaming you’re into, you just want to have fun, right? Yet, as we’ve learned with everything else we do online, there are risks, even if we think we’re going up against our friends, turning back the clock to play a game of Donkey Kong, or dusting off our ATARI Home Pong console for some (now) vintage video gaming.

Even with that, you don’t have to use any cheat codes to keep your gaming experiences safe and secure. Instead, be sure to stick to the best practices that are recommended and just as you would when you’re in the game, trust your instincts to make sure it’s “game over” for any would-be cybercriminals or scammers.

PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name, “Perspectives from the Campus”, we invite experts – immersed in the pursuit of educating their students – to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In today’s blog, David Dungan, who serves as the executive director at the Center for Security Services and Cyber Defense at Anderson University, discusses some of the steps all of us can take to avoid being the victim of a phishing attack.  He’ll also examine the different types of attacks that cybercriminals are using and why it’s important for us to keep in mind that there’s a few things we shouldn’t do when it comes to protecting our personal and financial information.

By David Dungan

In 2000, there were approximately 361 million people with internet access worldwide; a figure that accounted for roughly six percent of the global population.

Fast forward a quarter century and that number has increased (extra) exponentially, you might say, to 5.64 billion people; a more than ten-fold increase that represents 68.7 percent of the world’s population

Of course, just as we’ve gone from accessing the internet to relying on it to help guide a lot (more) of us through many aspects of our daily life, it’s safe to say that the sophistication and frequency of phishing attacks have increased rapidly. So much so, that 1.2 percent of all emails sent are malicious. And, if that doesn’t seem like a lot, it adds up to 3.4 billion phishing emails every day.

Generally speaking, phishing attacks are used to gain login access by taking up a different identity and pressuring the victim; a scam that is engineered either by eliciting someone’s trust or generating fear by applying undue pressure. Phishing attacks are also designed to gain access to entire enterprise networks simply by stealing the personal information of a single user.

In addition to fraudulent emails, these attacks occur using text messages, and even apps like Microsoft Teams or WhatsApp to trick users into revealing their information. It is essential to understand how to mitigate phishing attacks, as we’ve come to realize, collectively, that they’re not going away. That’s both because of reasons related to human nature and the rapid rate at which technologies are being created.

Some of the more common types of phishing attacks include:

• Email phishing
• Malware phishing
• Spear phishing

Phishing attacks can be difficult to detect and combat, so knowing how to avoid a potential attack is important. There are a couple of best practices that users can do to mitigate and overall reduce the chances of being attacked. The best anti-phishing practices include strong multi-factor authentication, awareness of what phishing attacks are in our educational systems and news, setting up internal email protection, and enabling database shutdown features for company systems. Additionally, making sure the spam filter is activated can as well. These methods can go a long way toward measurably reducing the likelihood of a phishing attack.

Users also need to know common phishing tactics that attackers use to gain victims' trust, including:

• Emotional manipulation
• False Trust
• Perception of Need

When it comes to phishing attacks, knowing what not to do is just as important as knowing what to do. For example, over-reliance on software could result in users who don't know how to properly respond when a threat happens. Never assume that your security knowledge is perfect. There is always something new to learn. Secondly, be sure not to leave inactive accounts open. Attackers target these accounts as a pivot point to gain trust quickly when gaining access to another account. Alternatively, if you are a business owner, ensure you close the accounts of previous employees or vendors that you no longer work with, as their accounts can be used for the attacker's benefit as well.

As phishing attacks evolve, the best protection is a combination of smart habits, utilizing and orienting everyday tools that we already have to behave more securely, and having constant awareness that computer risks in general are ever evolving. Staying informed, cautious, and consistent is key to keeping yourself and your loved ones safe.

A package of chewing gum.

Fifty-one years ago this week, a 10-pack of Wrigley’s Juicy Fruit Gum, sold at a Marsh Supermarket grocery store in Troy, Ohio, was the first retail item scanned with packaging that featured the black and white stripes of what we now know as a Universal Product Code (UPC).

It’s from that little bit of history, you might say, that we’ve come to celebrate National Barcode Day. With it, of course, we’ve gained the convenience of scanning our own items, but it’s also provided cybercriminals and people engaged in what is known as Organized Retail Theft (ORT) with an unprecedented opportunity to disguise all kinds of mayhem and malware in barcodes and, more recently, QR codes.

Broadly defined, there are five types of retail-related crimes that are trending that include:

• Using stolen or cloned credit cards to obtain merchandise
• Changing bar codes to pay lower prices
• Returning stolen merchandise to obtain cash, gift cards, and/or store credit
• Reselling merchandise using:
  • Online auction sites
  • Flea markets
  • Retailers
  • Pawn shops
  • E-commerce marketplaces
• Gift card theft/altering gift cards to steal the funds added to the cards when they are later purchased by legitimate shoppers

At the same time, barcode theft occurs primarily in two ways:

• Barcode swapping, also known as “price switching” refers to a method of retail theft where a customer attaches a barcode from a cheaper item to a more expensive one; it’s a crime that has been occurring more frequently at self-checkout kiosks, where employees may not be closely monitoring each transaction.
• QR code theft, also known as quishing, in a retail setting is not done through a physical theft of the code itself, but by using them to redirect shoppers to fraudulent websites designed to steal their personal information or financial data.

Criminals will create fake QR codes that appear to be legitimate, and they place them on packaging, in-store displays, or even on top of existing QR codes. Some of the situations are simpler, such as placing a fake menu on a restaurant table or a fraudulent payment link at a parking meter.

As with a lot of online fraud, there are steps you can take to avoid being scammed, including:

• Being cautious and making sure that you don’t scan codes you weren’t expecting or that look out of place.
• Looking for signs of tampering, such as stickers, overlays, or misspellings in the URL the code leads to.

It’s a good idea, too, to verify the website address carefully after scanning it, making sure it is the legitimate site you’re expecting to visit. And instead of scanning QR codes to download apps, use the app store for your device.

As always, if you encounter a fraudulent QR code, or you’re at a retail store and you believe that the UPC code is not the correct one for that product, be sure to bring it to the attention of the business owner or the authorities to help prevent others from falling victim to the scam.

There’s a lot of trusted sources out there, with additional information to help you stay safe when it comes to checking a price or downloading a QR code for that “free trial” that was featured last week during a broadcast of the NBA Finals. (Spoiler alert: it was an offer to try out YouTube TV and it was legit).

There’s a popular phrase I’ve heard some people say – before heading out to their favorite store – that “you don’t know what you need, until you look” (or, in this case, shop). And while that may be true or, at the very least, should be considered good advice, you’ll want to make sure your experience with QR codes and barcodes is a memorable one, whether you’re buying a cool new stereo speaker or a pack of gum. Here’s hoping you can scan fearlessly!