Indiana Cybersecurity Hub

Additionally, there are a wide range of benefits to having a cyber compliance management system, including:

• Saving time and resources by automating compliance-related processes, such as policy management and security assessments.
• Helping to avoid more of the cost that can come from non-compliance, such as fines and penalties, and potential lawsuits. Also, it can minimize the costs associated with incident response and recovery in case of a security breach.
• Customers, employees and vendors feeling safer knowing you are looking out for them.
• Putting in place more efficient data management policies that will help “keep the lights on”, in the event of a cyber incident or cyberattack.
• Taking solace in the fact you’ve done everything you can to protect your business and that you will be ready and resilient for any issues that may arise.
• Protecting against having to take corrective actions and incurring penalties for noncompliance.
• Mitigating risk to survive and recover from a cyber incident or cyberattack.

The other way to create a greater measure of compliance is to offer cybersecurity training to your employees. In doing so, it offers several advantages, including:

• Awareness -- Cyberattacks often involve a substantial number of human mistakes. An effective security awareness training program will provide them with more of the skills and assurance they need to spot security hazards when they are presented and show them how to escalate problems. The better informed your staff is, the better they can defend your company, and the more proactive your cybersecurity measures will be. It will also help in avoiding downtime.
• Increase Customer Confidence: According to a Ponemon survey, 31 percent of consumers reported that after a data breach, they stopped doing business with the compromised firm. These figures demonstrate how crucial it is to keep a robust security posture. Customers will have more faith in a company and be more likely to do business with them if they are aware that the company is taking cybersecurity seriously.
• Threat Reduction: A cybersecurity awareness campaign is crucial in lowering the dangers that could result in data breaches and other cyber threats. Employees will be informed of information security best practices, apps, and technologies using a cybersecurity awareness program, including social media, email, and websites. Employees that receive cybersecurity awareness training are better informed about common social engineering threats like phishing and spear phishing. By assessing their knowledge about cyberattacks and how they react to phishing emails, this tool can be used to identify individuals who may benefit from more training.

Regardless of the real consequences that can occur as a part of any sort of breach, people must be aware of recommended practices to generate a higher level of security. This will also help in avoiding a situation, in which the company takes a hit to their reputation or the fallout that can come from having to deal with some negative press.

What’s more, by proactively initiating a cybersecurity compliance program, you’ll not only help in protecting your company from hackers and cybercriminals, but it'll also provide a safer, more secure work environment. For more information about cyber compliance, please visit www.lionfishcybersecurity.com or email me at jeremy@lionfishcybersecurity.com.

PERSPECTIVES FROM THE FIELD

The strength of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the Indiana Executive Council on Cybersecurity (IECC). Hence the name "Perspectives From the Field Series" in which we invite experts to discuss the real and challenging issues we are facing in the field and the proposed solutions from the experts to better the lives and businesses of all Hoosiers.

In the first installment of a two-part blog series, Jeremy Miller provides his perspective on what is cyber compliance and how it fits in today’s digital marketplace.

By Jeremy Miller

What is cyber compliance?

Cyber compliance refers to the process of ensuring that an organization adheres to industry regulations, standards, and laws related to information security and data privacy. Many different types of organizations may need to comply with various cyber security regulations and standards. Some examples include:

• Healthcare organizations, which may need to comply with HIPAA regulations that protect patient health information.
• Financial institutions, which may need to comply with PCI-DSS regulations that protect credit card data.
• Retailers and e-commerce companies, which may need to comply with PCI-DSS regulations if they accept credit card payments online.
• Companies that handle personal data of European citizens, which may need to comply with the General Data Protection Regulation (GDPR).
• Companies that operate in certain industries, such as defense or energy, which may be subject to regulations specific to their sector and industry standards such as ISO 27001, NIST or CMMC.

It's important to note that compliance is not only limited to large companies, small and medium-sized businesses may also be required to comply with the laws and regulations of their country or industry.

Why Should Cyber Compliance Be a Top Priority

It’s vital for businesses to be on top of their compliances for a variety of reasons, including:

• To protect sensitive data: Compliance with regulations and standards helps to ensure that an organization is taking the necessary steps to protect sensitive information, such as personal data and financial information. This can help to prevent data breaches, which can result in significant financial losses and damage to an organization's reputation.
• Being compliant for legal requirements: Failing to comply with regulations and standards can result in significant fines and penalties, as well as legal action. Compliance is important to avoid these risks and ensure compliance with laws and regulations.
• To maintain customer trust: Compliance with regulations and standards can demonstrate to customers and partners that an organization takes data security and privacy seriously, which can help to build trust and maintain positive relationships.
• Improving overall security posture: The process of achieving and maintaining compliance can also help to improve an organization's overall security posture. This can include identifying and addressing vulnerabilities, implementing best practices, and regularly assessing and testing security controls.
• To obtain cyber insurance: Many companies have cyber insurance that requires compliance with certain standards and regulations. Non-compliance can lead to denial of claims and can make companies more vulnerable to a cyberattack.

Overall, cyber compliance is an important aspect of protecting businesses from potential cyber threats and ensuring that they are able to operate in a secure and compliant manner. Furthermore, cyber compliance management and training can help a business to protect sensitive data, comply with legal requirements, maintain customer trust, and improve its overall security posture.

For more information about cyber compliance, please visit: www.lionfishcybersecurity.com or email me at jeremy@lionfishcybersecurity.com.

In part two of our special blog series, on Thursday, Feb. 2^nd, Jeremy Miller discusses the advantages of cyber compliance management and why it’s important to your business.

By Chetrice Mosley-Romero

If you have ever met me, you would quickly know that I LOVE “To Do” Lists. But when it comes to making out a “to do” list, if you’re like me, there’s always that ONE thing you forget about, right?

And just about the time you walk through the door at home, or you’ve left the office for the day, you suddenly remember what it is you forgot to do, and in that moment, it drives you just a little crazy. We’ve all been there. Of course, most of the time, it’s easy to head back to the grocery store for that gallon of milk or open your laptop to finish sending that email but how about protecting your personal information? That’s one item that you could say is and should be on our “to do” list every day.

This week is National Data Privacy Week and it’s fair to say that being concerned about our personal data is certainly something that’s on our minds these days. According to the Pew Research Center, 79 percent of U.S. adults report being concerned about the way their data is being used by companies. Add to that, another Pew Research Center study found that 93 percent of Americans considered it important to be able to control who could access their personal data.

The fact is, our ability to keep tabs on our data – everything from our social security number and date of birth down to the number of steps we’ve taken today, as recorded on our Apple watch or Fitbit device – is a balancing act. It’s all about what we need to do as a part of our everyday life while, at the same time, trying to take advantage of the convenience that today’s technology affords us. In other words,  being able to do everything in a click or two without getting hacked or being the victim of a phishing attack.

Fortunately, there are a lot of great (and FREE) resources to help you.

For starters, if you want to learn more about what is data privacy, the National Cybersecurity Alliance (NCA) offers a great article that’ll help you understand more about it.

According to the NCA, there are also several key tips to keep in mind when it comes to protecting yourself, including:

• Knowing the tradeoff between privacy and convenience – Your data is tremendously valuable and it’s a good idea to make informed decisions when sharing it with a business or service.
• Adjusting (and managing) your privacy settings to fit your comfort level (err on the side of sharing less data, not more).
• Protecting your data – Turn on multi-factor authentication whenever it’s permitted and learn how to identify phishing messages.
• Creating complex passwords for each account or device and storing them securely in a password manager.

Here in the Hoosier State, we invite you to visit our Indiana Cyber Hub website for all kinds of cybersecurity resources, best practices, tips and even toolkits that you can download for FREE to help you stay safe whenever you’re online and protect your personal information.

If you’re a business owner, a non-profit organization or work in local government, there’s even a PII (Personal Identifying Information) guidebook (written by privacy experts) that you can use to help better protect yourself.

For more information, visit www.in.gov/cybersecurity.

By Chetrice Mosley-Romero

While it could be said that the three things we look forward to most when it comes to the start of a New Year is optimism, hope, and an affordable gym membership, there is another reason to celebrate in 2023.

And that’s the influence or advice we’ve received from someone we consider a mentor. Of course, it’s the perfect time, as January is National Mentoring Month.

From my own experience, the guidance I’ve received – over the course of my life – from people who’ve influenced me, both at work and in my everyday life, is immeasurable. Mind you, some of what I heard along the way, at times, might not have been easy to take or something (in that moment) I might've found to be a challenge. But to be sure, what I gained from it all is something I value, to this day.

What’s more, it’s enabled me to use those experiences and serve as a mentor to others.  That’s important, but not for the reasons you might think. A survey by Olivet Nazarene University, published in in a 2019 article in Forbes, reported that 76 percent of people think mentors are important, but it also revealed that only 37 percent of those surveyed said they have one.  It also found that just 14 percent of mentor relationships started by asking someone to be their mentor. Sixty-one percent of those relationships developed naturally.

Mentoring.org highlights the case not only as to why someone should become a mentor, but also provides important data about the realities involving the impact of someone who grows up without a mentor. It also illustrates what happens with young adults who DO grow up with a mentor. You can even sign up to become a mentor.

All of this is important for two reasons. Cybersecurity is one of the fastest-growing professions in the world and the opportunities, as it relates to hiring a diverse workforce, are truly unique. Because of that, there are some 750,000 available job positions in cyber in the U.S.; a figure that includes roughly 20,000 openings here in Indiana.

Secondly, the times have changed, and mentoring is not an activity that’s exclusive to someone who’s older providing their influence on a younger person, who is either in an entry-level position or, perhaps, is a high school or college student. The script has changed and there are many people – working in cybersecurity and other related fields – who’ve gained the requisite level of knowledge and experience (at a much younger age) and they’re able to pass along their experience to someone who’s older. That’s a trend that’s emerged, as people are deciding, as never before, to change careers, or they’ve decided to do something that requires additional training to gain the experience they need to pursue a job in cybersecurity in the long term.

In celebration of all mentors and all of us whose lives they’ve influenced, be sure, too, to visit our Indiana Cyber Hub website for more information about cyber careers, including job boards, training resources, and more!

By Indiana Office of Technology Outreach Team

When you travel the state of Indiana for a little over a year talking about cybersecurity with local governments, it is difficult to encapsulate the experience in short order.

The range of perspectives, the complexities of the challenges, and the dedication of the people you meet offer subjects that could be discussed at length.  More narrowly focused topics, such as ransomware and business email compromise (BEC) threats, as well as access to IT and cybersecurity expertise, together with the significant penetration of cybersecurity insurance, cultural inhibitors to governance and ownership, and many others would illustrate the varied strategies that have evolved to protect local government data and services.  It was an educational and rewarding experience.

Before diving headlong into our experience, we must say that Indiana is a beautiful state and Hoosiers are the most welcoming individuals.  Visiting with state and local government representatives from 92 counties required some serious time and mileage; thankfully, the scenery and hospitality made the long drives enjoyable.

Local government officials are aware of the threats they face and seem to take the challenge seriously. We found a collective theme of constraints: funding, tools, expertise, and, at times, executive cohesiveness. Still, the capabilities in place with most local government operations are beyond what many assume, and they are checking many of the important boxes.  At the same time, in a day and age when even the best run organizations are breached, much work remains to be done at the local level.

We pursued our listening tour with three primary objectives.  First, we wanted to better understand the cybersecurity environment statewide.  Second, we needed to build and strengthen relationships and lay the foundation for an integrated cybersecurity community. Third, we sought to gather information that would help us craft a “whole of state” cybersecurity plan.

We found the environments to be as diverse as expected, consistent with some general assumptions, and different with each organization.  We put a good foot forward toward building the trust imperative for an integrated cybersecurity community.  We followed up on every question, and, more importantly, we responded with action to the needs expressed.  Through the year, the Indiana Office of Technology (IOT) added to the portfolio of services the state could offer to offset locals’ costs and constraints (e.g. – secure email, cybersecurity training).

Finally, we’ve incorporated what we learned into our draft of the State’s whole of state cybersecurity plan for the federal State and Local Cybersecurity Grant Program (SLCGP). Getting each local government to where they want and need to be, will be a long process, in which we hope the SLCGP funds can assist.  Our traveling efforts were a solid step to that end. Success is difficult to measure for this particular effort; however, openness to our message by the local governments, executive support for the necessary resources, and empathetic team members eager to help resulted in the request of a 2023 Listening Tour. We expect this coming year to be even more productive in terms of advancing the cybersecurity capabilities of local governments, and we look forward to enhancing our relationships with local officials and their IT teams – the real protectors of Hoosiers’ data.

By Chetrice Mosley-Romero

You cup the dice into your hands, shake them around (perhaps wishing them good luck), and finally roll them onto the board. Pandemonium breaks out! The dice has decided the fate of every player on the board. Whether it be Dungeons and Dragons, Yahtzee, or Monopoly, everyone is sure to have a good time when playing games with dice.

Recently, these games have been moving online and people are able to play dice games with people all over the world. However, having these games online exposes dice enthusiasts to cybercriminals looking to take their private information.

In just this past year, there were major data breaches against Roblox, Neopets, and Bandai, with Neopets exposing the data of 69 million players. There was also a data breach in 2019 where more than 200 million online gamers had their data stolen. Is there anything online dice game enthusiasts can do to protect themselves? Thankfully there are ways to mitigate the effects of data breaches on you!

In celebration this week of National Dice Day, here are some online gaming tips from the National Cybersecurity Alliance that will help you stay safe and protect your personal information, allowing you to focus on just having fun.

• Do Your Research – Mobile gaming makes up approximately 45 percent of the global games market. But just because a game is available on a trusted app store, it doesn’t mean it is a safe app to download. Before downloading any new gaming app on your device, make sure it’s a legitimate app. Check out the reviews and look it up online before downloading it.
• Think Before You Click – Cybercriminals will often try to entice gamers into clicking links or downloading malicious files by offering cheat codes, hacks, or other ways for you to gain an advantage over competitors; this is especially true if it comes from a stranger or it’s something you weren’t expecting. If the offer seems too good to be true, chances are it is.
• Protect Your Privacy – As part of your gaming profiles, the more personal information you post, the easier it may be to steal your identity or access your data. Be cautious and if a stranger asks you to share this information, say “no”. The same is true if they ask you to share a photo or turn on your webcam.
  • Avoid using geo-tagging features which can reveal your exact location. A better option is to disable this function before you start playing.
  • Playing with people you don’t know or aren’t a part of your friend group? Use a safe game name, such as Superstar55 or Catsby90. Don’t use your first or last name in your usernames and use an avatar instead of an actual photo.

It’s also a good idea, as with a lot of things you’ll want to do whenever you’re online, is to:

• Always use a secure wi-fi connection.
• Create long and strong passwords (at least 12 characters long) and if you’re a real gamer, who enjoys playing on multiple gaming platforms, consider using a password manager.
• Use two-factor or multi-factor authentication on all your gaming devices.
• Secure your payment data
• Make sure all the internet-connected devices you’re using to access online games on – including personal computers, smartphones, and tablets -- are updated with the latest security software. Setting up automatic notifications are always good and if you’re playing an app-based game on a device, make sure it is updated regularly.

Of course, as adults, anything that involves a game that can’t be played at the kitchen table or involves handing out “play money”, it’s a good bet you’re going to ask questions, right? One way to learn what it’s all about is to have your kids teach you how to play whatever games they’re playing. It’s a great way to spend some time together and, who knows, you might actually win a game or two (but, if you’re like me, probably not).

Online gaming shouldn’t feel like you’re rolling the dice with your cybersecurity, waiting to see whether or not your private information will be leaked online by hackers. By following these tips, your dice rolls for increased privacy are sure to be natural 20s, just like in Dungeons and Dragons!

By Chetrice Mosley-Romero

One of the realities of the holiday shopping season (besides the fact that it feels like some retailers started celebrating “Black Friday” back in September) is that cybercriminals are always working on a new scam so they can go shopping with your money.

That’s a LOT of cash when you consider:

• Just last week, according to Adobe Analytics, U.S. Black Friday online sales hit a record $9.12 billion. Add to that another $9.55 billion in weekend sales, and Cyber Monday took the top spot as the busiest of all shopping days, with sales coming in at $11.3 billion. Throw in the fact, too, that fully 48 percent of these sales were completed using our smartphones. In making those registers ring, 196.7 million people shopped in stores and online between Thanksgiving and Cyber Monday.

As you look back over your receipts, it’s important to keep in mind, too, how much of what we spend is lost. According to the Internet Crime Complaint Center’s (IC3) 2021 report, non-payment or non-delivery scams cost people more than $337 million. Credit card fraud accounted for another $173 million in losses. In a non-delivery scam, a buyer pays for something they find online, but those items are never received. Conversely, a non-payment scam involves goods or services being shipped, but the seller is never paid.

Fortunately, there’s a lot of free resources, with helpful cybersecurity tips – from sources you can trust – that are designed to make your online shopping experience easy, but more importantly, safe, and secure, including:

• Learning more about cyber from why it’s important to take precautions and how attackers go after online shoppers to ways you can protect yourself is the mission of the Cybersecurity and Infrastructure Security Agency (CISA) and their website is filled with all kinds of great information, tips and best practices.
• Avoiding “fly-by-night” websites and resisting the temptations of “free” offers are among the tips Regions Bank offers as part of its advice on how to handle Five Common Online Shopping Scams.
• PRO TIP: No online retailer needs your Social Security Number or your Date of Birth to make a purchase. Making sure that you don’t overshare your personal information and always looking for the “lock” when visiting a website that you intend to use a credit or debit card for making a purchase are at the top of PC Mag’s 14 Tips for Safe Online Shopping.

Here in Indiana, cybersecurity is a top priority and there’s always lots of FREE information for Hoosiers of all ages, including cyber tips for individuals and families, as well as businesses, local government, and schools on our Indiana Cyber Hub website and be sure to follow us on LinkedIn, Twitter and Facebook.

Happy Holidays!

By Chetrice Mosley-Romero

As the Cybersecurity Program Director of the State of Indiana, I am encouraged that a career in cybersecurity is among the fastest-growing categories in technology – not only here in Indiana, but across the country and around the world.

Over the last 10 years, Forbes notes that cybersecurity jobs worldwide grew 350 percent (2013-2021). In the United States, there are approximately 750,000 open cybersecurity jobs, but only enough qualified workers to fill 400,000 of them.

By any measure, that’s quite a gap to try and fill. That being said, as someone who’s worked in cybersecurity for several years now, but whose background and experience is in communications (not technical), it’s my belief that the cybersecurity field is set up, you might say, for the kind of progress we’re seeing with STEM/STEAM careers that’s occurred within the past 20-30 years.

With this month being National Career Development Month, here are some reasons cybersecurity is emerging as a career to consider, including:

• People are deciding – for a variety of reasons – to change jobs or switch careers at a rate we haven’t seen since the 1970s and the path for making that kind of transition is as wide-open as it’s ever been for people ranging in age from their late teens to their 50s or 60s (and older…).
• In terms of education, nearly a dozen colleges and universities in the Hoosier State offer cybersecurity degree programs as part of their class offerings. Opportunities are starting to grow among K-12 schools and competitions, such as CyberStart America, are helping to introduce cyber as a career to high school students to consider pursuing once they graduate.
• At the same time, a growing number of organizations – educational, vocational, and military, as well others in both the private and public sectors – are offering programs with real-world training (that doesn’t require a degree) and on-the-job experience that can lead to someone earning an entry-level salary in the range of $40,000-$50,000 in as little as six months.
• Because of the urgency that exists to fill these positions, the opportunity for creating a diverse and inclusive workforce is greater than ever. Additionally, the opportunities for finding a meaningful career includes people who’ve been diagnosed as neurodiverse; creating a career path for someone whose performance is not defined by the fact they are managing a condition, such as autism, attention deficit/hyperactivity disorder (ADHD) or dyslexia, as part of their everyday life.

Whether you’re a student, a parent, or an employer, you are invited to visit the cyber careers page on our Indiana Cyber Hub website. There, you’ll find links to all kinds of FREE resources, covering everything from job boards to educational information that’s designed to help you find schools and/or organizations that are offering degreed programs and where to go to find a wide range of training.

Who knows, maybe as the world of cybersecurity continues to grow, we can find a way to celebrate cyber as part of STEM Day and that we’ll not only keep adding – and filling – job positions in cyberspace, but we’ll find ways to add cyber as an option in more and more classrooms and communities across Indiana.

By Chetrice Mosley-Romero

October is Cybersecurity Awareness Month and this year’s theme is “See Yourself in Cyber” and demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people.

The celebration comes as Indiana’s ascension in cybersecurity collaboration – as a top-tier state nationally – is continuing to rise at a rapid, yet steady pace; progress driven by the unprecedented release of a second, three-year statewide strategic plan and the success that’s being achieved with two unique programs focused on partnering with local government and municipalities while providing a greater level of training and resources for the benefit of all Hoosiers.

Local Government Focus Features Community Conversation Tour, Cyber Ready Pilot Program

As part of the state’s ongoing commitment to supporting local government, the Indiana Office of Technology (IOT), led by Tracy Barnes, Chief Information Officer for the State of Indiana, is continuing with its 92-county community conversation tour. At each stop, IOT representatives have met with county, city, and town officials to discuss various information security topics and the free and low-cost services available to local governments from IOT. To learn more, visit: https://on.in.gov/IOTlocal.

A second local government initiative is the Cyber Ready Communities (CRC) pilot program. As the State of Indiana’s Cybersecurity Program Director, it is my pleasure to visit and work closely with local government leaders in four Hoosier communities – Jasper, Ind., and Dubois County; Nashville, Ind., and Brown County; Kokomo, Ind., and Howard County; Carmel, Ind., and Hamilton County.

The CRC program is centered on achieving two goals. Primarily, the purpose is to work closely with the communities to be cyber ready at every local government department level by changing the cybersecurity culture and connecting those communities to additional state, federal, and private partners, resources, and services. The second goal is to help inform the IECC (Indiana Executive Council on Cybersecurity) and state leaders as they continue to develop additional programs to help in partnering with local governments.

Emergency Manager Cybersecurity Toolkit  

The centerpiece of all things cyber in the Hoosier state is the Indiana Cybersecurity Hub website. Featured among the many resources, best practices and tips that are available for free on the website, there is a great deal of “hands on” information, designed to provide local governments for being prepared, including the Emergency Manager Cybersecurity Toolkit; a free, downloadable “playbook” designed to help take out some of the complexities related to cyber and provide an invaluable resource with the tools to help local governments prepare for an cyber incident.

IECC Strategic Plan

Within the past year, the IECC presented to Indiana Governor Eric Holcomb, the 2021 Indiana Cybersecurity Strategic Plan – highlighting the cyber policies and initiatives that the Council are, now, actively working on and focused on completing in the years ahead. As a part of that work,  the Council also completed the State of Cyber Report – 2017-2021– outlining all the cybersecurity policies and initiatives that have been completed since 2017 in Indiana by the Council, as well as throughout the state by colleges and universities and small businesses. The Council completed nearly 80 percent of the deliverables and objectives as part of its “first of its kind” 2018 strategic plan.

For additional information regarding the latest cybersecurity news and trends, visit the Indiana Cybersecurity Hub website and follow us on LinkedIn, Twitter and Facebook.

Cyberattacks and online threats are an increasingly significant and widespread problem for K-12 schools and districts. A growing dependence on technology for learning, the presence of sensitive student data, and increasingly complex and deceptive cyber criminals have made the K-12 community particularly vulnerable over the past several years. Impacts from such attacks can affect a school’s financial security, educational obligations, and ability to provide a safe, secure environment for students and staff.

Cybersecurity Awareness Month, recognized each October by the Cybersecurity and Infrastructure Security Agency, the National Cybersecurity Alliance, and other organizations throughout the country, provides an important opportunity for the K-12 community to become more educated, empowered, and equipped to take action against cyber threats. This year’s campaign theme – “See Yourself in Cyber” – illustrates that while cybersecurity may seem like a complex issue, everyone can play a role in staying safe online.

For students, teachers, and staff, taking action can mean enabling basic cyber hygiene practices. School communities can get started with these four simple steps:

1. Enable Multi-Factor Authentication: Multi-factor authentication (MFA) is a layered approach to securing online accounts that requires users to provide two or more authenticators to verify their identity. Enabling MFA can make users significantly less likely to get hacked.
2. Use Strong Passwords: Passwords are the most common means of authentication. Create passwords that are long, unique, and randomly generated, and use a password manager to generate and store passwords across multiple accounts.
3. Recognize and Report Phishing: Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. Reduce the risk of phishing attempts by ‘thinking before you click,’ enabling strong spam filters, and training staff to recognize and report suspicious activity.
4. Update Your Software: Outdated software can contain vulnerabilities that can be exploited by threat actors. Install updates on school devices as soon as possible and/or enable automatic updates to protect your systems.

Learn more about these action steps with this cybersecurity infographic from SchoolSafety.gov. This one-page overview can be printed and shared to help promote cybersecurity best practices within your school, and to encourage all members of the K-12 community to ‘see themselves in cyber.’

Visit SchoolSafety.gov to access additional cybersecurity resources and guidance and follow @SchoolSafetyGov on Twitter for other timely school safety updates.

SchoolSafety.gov Disclaimer  ​​​​​​
The U.S. Department of Homeland Security (DHS), U.S. Department of Education (ED), U.S. Department of Justice (DOJ), and U.S. Department of Health and Human Services (HHS) do not endorse any individual, enterprise, product, or service. DHS, ED, DOJ, and HHS do not mandate or prescribe practices, models, or other activities described in this communication. DHS, ED, DOJ, and HHS do not control or guarantee the accuracy, relevance, timeliness, or completeness of any information outside of those respective Departments, and the opinions expressed in any of these materials do not necessarily reflect the positions or policies of DHS, ED, DOJ, and HHS.

By Joel Thacker

October is Cybersecurity Awareness Month, and the cyber risks to our way of life have never been more serious.

The theme this year is “See Yourself in Cyber.” Those who stay diligent to avoid scams understand how important individual responsibility is in this fight. Nearly 90 percent of cyberattacks are due to human error, that one person who mistakenly opens an attachment at work, putting an entire organization at risk. It happens every day, but it does not have to be that way.

Corporate data breaches reached an all-time high in 2021 as more people worked remotely and normal safeguards from workstations went by the wayside. In the U.S., the average breach cost companies more than $9 million, with the most expensive occurring in health care. Again, human error led to multimillion-dollar losses.

With more employees back in the office, training has been amplified, and we are hearing more conversations about how we can protect ourselves. The conflict in Russia and Ukraine has presented new and daunting challenges from the cyber world, and players such as China, North Korea and Iran continue to exploit opportunities.

Just this month, an Indiana utility company was hit with a ransomware attack. This is a local problem with local solutions. This is our problem.

The Indiana Office of Technology offers any municipal body a multitude of free or low-cost services to protect government entities from cyberattacks. One key advantage IOT offers for free is online training to all local government employees through its KnowBe4 platform. A full offering of state services can be found on the IOT Local Government Services website.

Additionally, the Indiana Department of Homeland Security soon will administer Indiana’s portion of the $1 billion allocated across four years for cybersecurity as part of the Infrastructure and Investment Jobs Act. Details are still coming together on how many dollars will be coming to state, local and tribal governments in Indiana, but 80 percent of the allocation is earmarked for local government, including rural areas.

The State and Local Cybersecurity Grant Program was announced on Sept. 16. It is not yet open for applications, but information about how to apply will be provided in the coming weeks.

Momentum continues to increase for the U.S. to protect itself, its infrastructure and its citizens from the new frontier of online crime. The government is doing its share to better position each state according to its needs.

Each one of us must take ownership of cyberthreats and do our part to protect one another.

By Heidi Leonard and Erik Miner

“You’ve been compromised.”

Those three simple words keep business owners awake at night. And for good reason.

The Association for Financial Professionals estimates that 71 percent of companies have received fraudulent attempts during the past year.

Ensuring the secure transfer of funds is essential for any organization. The AFP survey also identified real estate as one of the three most often-targeted industries by criminals (in addition to construction and commercial services). It also points out where business fraud is on the rise, increasing more than tenfold over a two-year period.

The factors behind this high-risk industry gives us pause and think of state and local governments, given the common factors real estate firms share with many cities, towns, and schools:

• They involve large dollar transactions.
• They have easy access to public records.
• It is easy to impersonate someone via email; and, in both industries, there is oftentimes a lack of strong authentication processes.

The public sector houses some of the hardest working professionals we’ve had the pleasure of working with. However, it is an industry subject to potential turnover framed by heavily scrutinized budgets. It is key for staff to be armed with fraud education and cybersecurity resources such as multi-factor authentication and other fraud prevention tools.

When you add the current strained and volatile economy to the risk profile of many municipal governments, it could be argued that the risk of fraud schemes will only increase in 2022 due to distraction, unpredictability, and chaos. Extra vigilance is required by Hoosiers in today’s economy, and we should all task ourselves with mitigating cyber risks both at home and at work.

At Regions, we recommend that organizations implement a multi-layered approach, leveraging education and information sharing with an internal process driven by best practices, along with utilizing external resources.

• Begin by talking with your banker about the best safeguards against fraud, including products like Positive Pay and ACH Alerts. Be and stay curious.
• Carve out regular time to educate yourself and your team on current fraud strategies (they never cease to amaze us).
• Create an internal team to conduct a thorough IT/infrastructure assessment to identify any potential points of compromise.  Document your process and plan – you can leverage these free resources to help you.
• Implement an anti-fraud training program and internal controls using Stop-Call-Confirm and dual approvals to be more proactive. By adding some intention and dimension to your business practices, you are bound to reduce your risk, no matter your industry, something that allows all business owners to sleep more soundly each night.

Unfortunately, fraud isn’t going away because when big money is involved bad actors want a piece of the action. Protect yourself and your organization with ongoing education, training and multi-layer protections that make access difficult for scammers.

By Joel Thacker

As we move from September’s National Preparedness Month to October’s National Cybersecurity Awareness Month, it is important to remember how the two connect and what we can do to keep yourself and your loved ones safe and healthy.

As the Executive Director of Indiana Department of Homeland Security, the #1 piece of advice I give people when preparing for an emergency or a disaster is to have a plan. And, just as you need to make certain you go to a safe location in your house, in the event of severe weather, or you decide on a safe meeting place if there’s a fire or a flood, it’s important for you to include a cybersecurity plan that helps protect everyone, regardless of the situation.

The National Security Agency offers a list of best practices to keep your home network secure, such as updating your operating systems and safeguarding your mobile devices, as well as some helpful tips designed to help you stay whenever you’re online – including taking precautions on social media to using different devices for different activities for protecting your personal information. With National Cybersecurity Awareness Month, USDHS Cybersecurity & Infrastructure Security Agency also features four things you can do to help improve your cyber hygiene and stay better protected.

* * *

In addition to being prepared at home, our cities, and towns – across Indiana – have to be prepared for any emergency, in order to protect everyone they’re dedicated to serving, as well as making certain that the critical infrastructure systems that are a vital part of local government are maintained safely and securely.

Among the resources that are available includes the Emergency Manager Cybersecurity Toolkit. Developed by the Indiana Executive Council on Cybersecurity (IECC), is a free, downloadable resource for emergency managers that includes four key sections, including:

• A survey to assist emergency managers in planning with their partners they work with to develop emergency and continuity of operations plans;
• A cybersecurity incident response plan template; a training and exercise guide and;
• Additional resources for navigating a range of different cyber incidents and threats.

While there really is no perfect plan or guide to use when planning for an emergency, nothing more is important than protecting our families and our communities. For more information, visit the DHS website on how you can get prepared and the Indiana Cyber Hub website at: www.in.gov/cybersecurity.

By Chetrice Mosley-Romero

Every year, it feels more and more like we’re living in a science fiction world because of all the technological advances we benefit from in our day-to-day lives. This is especially  true for parents to watch over their babies with smart baby monitors.

If you are anything like me, when I became a new mom I was OBSESSED with this baby who  made my whole heart full. So as a new mom, I was consistently checking on my little one at night. But with the extra convenience (and peace of mind), it can come at a cost if you don’t take a few steps to protect your little one.

It might surprise you to know that baby monitors have been notoriously weak in security, and I’ll tell you how and why it’s an issue. For some context, last year, there was a critical vulnerability that was found in more than 83 million smart devices, which included baby monitors. There were even more examples of smart baby monitors with critical vulnerabilities last year and in 2018 and probably much more that went undiscovered! A common theme is that some of the monitors were rushed into market at an affordable rate, which comes at the cost of not designing in enough security measures into the product itself. Because of this, it exposes people to some issues involving their privacy (including the use of any cameras) and their home network being compromised. This just adds to the stress for new parents, who are just looking to take care of their children. That being said, here are some helpful tips you can use to protect your smart baby monitor!

Secure Your Wireless Router

Your router is the (digital) front door to your home and that includes any, if not all, of the smart devices that are connected to your network – including your baby monitor. The first thing you’ll want to be sure is to keep your router secure, beginning with a strong password (when you set it up), and to keep the router’s firmware updated, disable any remote router access, maintain strong passwords, and never leave your WiFi network open.

Create a Strong Password for Your Baby Monitor

Your password is the first line of defense for your baby monitor. Make sure they’re at least 12 characters long using a combination of uppercase and lowercase letters, numbers, and special symbols. Also, be sure to change the default password – before turning it on -- as some of these passwords are commonly known to would-be cybercriminals.

Update Firmware for Your Monitor’s Camera

As with all of your devices, it’s important for you to go through and make sure that you’re completing updates to your firmware, as it will help protect you and guard against any vulnerabilities the vendor may discover over the life of the product.

Register Your Monitor

Registering your monitor, with the manufacturer or retailer, will help you stay current with any security updates. If a security vulnerability is found after being sold, the vendor may send out a recall notice or software update.

Disable Remote Access to Your Monitor’s Camera

While it’s convenient for watching your baby through the internet, it also gives others the potential to use the camera to monitor your home and your baby as well. Removing it from the network will prevent others from easily spying on your house and protect your baby.

As we grow more technologically advanced, we become more exposed to security vulnerabilities. By following these tips, you can stay ahead of the curve in protecting your family's privacy, your baby, and your home. If you’re interested in following more tips, be sure to check out our blog here and our cyber tips here!

From October 2021 to April 2022, hundreds of Indiana students participated in CyberStart America, an interactive, national competition to help high school students understand the many advantages that come with a career in cybersecurity.

The competition involves an easy-to-follow platform that allows them to learn technology security basics through a series of gamified competitions.

Indiana clinched a Top 10 spot among all states that participated in this year’s competition with more than 700 students from 84 schools across the state who participated. While 105 Hoosier players qualified to apply for National Cyber Scholarship Foundation scholarships, ultimately 51 Hoosier students ended the game with scholarships to continue their education in cybersecurity. Indiana also moved into the number 10 spot nationally in 2022 after placing 11th in last year’s competition.

Cybersecurity continues to be an in-demand skill, and the need for trained industry professionals is not slowing down for the foreseeable future, which makes the need to find these future professionals so necessary. According to the Bureau of Labor Statistics, the rate of growth for jobs in cybersecurity are expected to grow by 33 percent by 2030, much faster than the average. With so many jobs available, and the need to fill them so dire, more K-12 schools are offering lessons, classes, and degrees in cybersecurity.

This year's top-performing schools and their scholars were:

Noblesville High School (4 scholars, 1 remained anonymous)

• Ellie Hohmann, Trace Downs, Aj Einterz

Carmel High School (3 scholars)

• Oren Jensen, Alex Anderson, Irene Liang

Hamilton Southeastern High School (3 scholars)

• Sandilya Kambhampati, Aryadeep Buddha, Anish Kambhampati

The state of Indiana congratulates this year's winners and looks forward to all their future successes. For more information about CyberStart America, visit: www.cyberstartamerica.org and if you’d like, you can register and sign up to receive updates as to when the next CyberStart America intake is open for registration.

PERSPECTIVES FROM THE FIELD SERIES

The strength of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the Indiana Executive Council on Cybersecurity (IECC). Hence the name "Perspectives From the Field Series" in which we invite experts to discuss the real and challenging issues we are facing in the field and the proposed solutions from the experts to better the lives and businesses of all Hoosiers.

In the latest installment of our series, we go to Kevin Mabry – founder, president and CEO of Sentree Systems Corporation, a data security consulting firm dedicated to helping small- and medium-sized businesses –  who shares his perspective about the impact cybersecurity scams – such as Business Email Compromise (BEC) – are having on organizations – of all sizes – and what companies can do to protect themselves.

By Kevin Mabry

Every day, when a business opens its doors, which, these days, can be defined as simply turning on its computers or its digital networks, it’s not unusual for a problem or two to come up.

And regardless of the type of business you’re in, there’s a good chance that the health and well-being of your cybersecurity is at (or very close to) the top of the list of your priorities. When it comes to the types of threats that are out there, Business Email Compromise (also known as Email Account Compromise) is rapidly emerging as one of THE most prevalent and sophisticated scams worldwide.

According to the FBI, the BEC/EAC scam – between July 2019 and December 2021, accounted for a 65 percent increase in terms of the amount of exposed losses (that includes both the amount of actual and attempted loss in US dollars). What’s more, this type of cybercrime – at a cost of more than $43 billion – has been reported in all 50 states and 177 countries, with more than 140 countries receiving fraudulent transactions.

Yet, for all of its complexity, a BEC/EAC begins with a bad actor who gains access (to a company’s email system) by making it appear as though they are the CEO, owner, or some other executive.

Recently, there was a company in the financial services industry, in which someone tried to log into the owner’s email (from overseas) during a time they were not in the office.

Fortunately, the company was alerted to the issue (by having their systems monitored externally, reviewing all of their logs and events coming in from any devices or emails) and they were able to confirm that the person was not using their email at the time. In doing so, they were able to stop the attack from occurring.

There are other ways to help protect your company and minimize the potential risks associated with a BEC/EAC that includes:

• Changing the password of the owner’s (or other executives) email address(es);
• Use their password vault to generate it and store it in the vault;
• Turn on 2FA (2 factor authentication) for all emails.

If this incident had been successful, they could have sent a request to one of the other staff members to release or send an ACH transfer payment to a false account.  This type of action is very difficult and, often times, is almost impossible to reverse.  The client would have simply been out of that money and on the hook for the amount. As you might expect, the company was very pleased with the action that was taken.

Therefore, it is very important to have the right security tools in place, not just more security tools.  We just can’t say that “if only” they had an EDR, XDR or just an antivirus and a firewall, they would have never gotten the insight to stop this attack.  Rather, it’s a better solution to have someone – or a team of someones – working together as a team for monitoring everything that’s occurring in your environment.

Changing our mindset away from “set it and forget it” when it comes to data security, is a better approach. Otherwise, there’s simply too much at stake.

By Chetrice Mosley-Romero

There is nothing better than on a nice spring, summer, or fall day than to go to a weekend farmer’s market here in Indiana with my family. In fact, with more than 8,000 farmers markets across this country (according to the U.S. Department of Agriculture), it is no wonder that this is a popular thing to do nationally.

But as I was enjoying my local market this past week, which was extra busy since it was National Farmers Market Week, it made me realize how important it is to be sure we are educating our local farmers and small businesses as well as the customer in how to best secure our information.

Credit Card Sales

While farmers are out collecting their produce, it’s important to know that everyone’s information is protected before, during, and after the sale.

It has become quite commonplace to see or use credit card readers at farmers markets. There are many different types, but most of them are connected to the seller’s phone or tablet. This opens up the thought in some people’s minds that their information could be compromised. Generally speaking, these card readers are secure for completing your transactions, but it’s always a good idea to provide customers with a receipt, or if you’re buying an item, to select the option to have a receipt sent to you in a text or an email.

Protecting Your Business

Recently, the FBI issued an alert to the food and agriculture sector stating that ransomware actors were on the hunt to disrupt their seasons. Additionally, 43 percent of cyberattacks involve small- to medium-sized businesses. Since cybercriminals see these industries as lucrative, easy targets, it is important that farmers and small businesses take a few steps – ahead of time – to make sure everyone has a safe shopping experience.

The federal government’s Cybersecurity and Infrastructure Security Agency (CISA) offers a plethora of information on ransomware attacks and ways to protect yourself or your business. To get started, there’s four cybersecurity tips you can follow to help your farmer’s market business and ensure your customer’s information stays safe includes:

• Implementing multifactor authentication (MFA) on your accounts
• Updating software and turning on automatic updates
• Thinking before you click
• Using a password manager

Multifactor authentication

This is a security enhancement that allows users to present two forms of credentials when logging into their various accounts. These credentials can include anything from a password, smart card, or even their fingerprint or face. It fully aims to add an additional layer of security, so that it is harder for cybercriminals to access your personal information.

Software updates

Updating your software is wildly important for a variety of reasons. They help patch security flaws and protect your data. Having hackers take advantage of weaknesses found in your software is the last thing you want to worry about. Make sure that you are being proactive when it comes to updating your software.

Think before you click

Hackers often times use phishing and other methods to target users. These methods are designed to trick unsuspecting individuals into giving confidential information to them. Often times, they will take credit card numbers, Social Security numbers, passwords, etc.

Password managers

Managing your passwords can be hard sometimes, but using a password manager is a good way to keep your passwords unique, strong, and safe.

To learn more about the latest cybersecurity tips, best practices, resources and more, visit our Indiana Cyber Hub website and follow us on social media on Twitter and Facebook.

By Chetrice Mosley-Romero

One thing we all wish for is for something to make our lives easier. To simplify things.

We’re already stressed by school, work, and taking care of our families that, at times, it can feel as though you don’t have enough energy left to worry about something like making strong and secure passwords for all our accounts.

Passwords that are strong and unguessable can be hard to remember and it’s more than a little frustrating when you forget your password. At the same time, using personal information, including our name, birthday, or other family member’s names, to create a password (and then re-using them) has made it much easier for cybercriminals to hack into your accounts.

So much so, it leads to the kind of data breaches you hear about in the news on an almost daily basis. Thankfully, there’s a better solution that’s both convenient and secure. What is it? A password manager!

We have all been told that a password should be complex and at least 12 characters in length using a combination of uppercase and lowercase letters, numbers, and special symbols (i.e. punctuation); maybe even a phrase within it. The longer it is, the more protection it provides for you to be avoid being a victim of identity theft or someone stealing your money or account information. But if you are like me, I have countless accounts online for work, kids, finances, social media, medical, and so on. So coming up with a different password for every online account I have can be daunting to say the least. So why work hard when you can work smart AND be more secure?!?

Here’s how it works: A password manager is a program that generates and stores all passwords in a safe location. You can think of the safe location as a vault. Having this vault is designed to help you manage all of the passwords you rely on and use to protect your accounts – with a single, master complex password.

If you are looking into getting yourself, or your family, a password manager, you have a lot of options to choose from. There are three types of password managers called offline, online, and stateless. The most popular and widely used password managers are online, so we’ll focus on that as an option that’s out there for you to consider.

Keep in mind, too, as with a lot of things, there are ‘free’ versions of some of the more popular password managers that you can download and use, but many of these providers also offer a wider range of services at a cost – depending on the number of accounts you need (or can afford based on your budget) and how much security is required.

Also, be sure you are using a company with a stellar reputation. The password manager I use, for example, is not only great, but also very honest with me (and it’s millions of users) when they suspected a cyber breach. (Even the best can get hacked.) But they responded fast and with integrity. That means as much to me as their secure systems.

An Added Bonus to Family Accounts! Many password managers allow for you to set it up on your kid’s devices, in which you as a parent will have access to in case you need to check in on their accounts. Moreover, many use the family accounts for aging parents as well so that if that if they get sick, you can take care of their affairs and have access to their accounts in a secure way.

As a starting point, here’s a list of 7 password managers to consider from our good writers at CyberNews.com, including:

• LastPass
• Dashlane
• LogMeOnce
• Bitwarden
• RememBear
• 1Password
• Keeper

You can also google “password managers” for more options but be sure you are researching the company before subscribing and use a strong master password.

Being secure doesn’t have to be inconvenient and frustrating. With tools like a password manager, you can simplify your life, enjoy some well-deserved peace of mind, and keep your accounts safe from cyber attackers.

More cyber tips can be found at https://www.in.gov/cybersecurity.