WELCOME TO THE INDIANA CYBER HUB BLOG
The Indiana Cyber Hub Blog is your all-new, online resource featuring helpful advice and guidance from the Hoosier State's Cybersecurity Program Director, along with the perspectives of a wide range of cyber industry experts.
CYBERCRIMINALS UNWRAP HOLIDAY SHOPPING SCAMS, DON’T BUY IT
Wednesday, November 29, 2023
Traditions are a funny thing.
It wasn’t that long ago, or so it seems, that the holiday shopping season officially started on Black Friday; a momentous occasion, we celebrated by camping out – in the middle of the night – to be the first in line to buy the hottest toy or high-tech gadget. Or we lost our minds jockeying past one another to try and get the last item on the shelf.
While it’s true, times have changed (a little) and with it, we get the opportunity to experience new traditions. In doing so, we’ve come to embrace technology as a way to make our lives easier, not only during the holidays, but with a lot of other things as part of our everyday life.
According to Adobe Analytics, Americans spent $9.8 billion in online purchases on Black Friday – an increase of nearly eight percent compared to a year ago. Add to that, although the doors to the stores were “closed” on Thanksgiving, according to the same report, we managed to spend $5.6 billion, in between carving our turkeys, gathering with our families, and watching football.
With all of this activity going on, cybercriminals are, once again, playing the role of the “grinch” (minus, of course, the change of heart and happy ending). By one estimate, nearly 75 percent of Americans experienced at least one type of holiday scam last year. As a result, $281 million was lost to online shopping and non-delivery scams alone. Aura.com offers some great information about a variety of holiday-themed scams you’ll want to avoid, including:
- Social media ads that lead you to fake online stores. Fraudsters use ads on social media to try to get you to go to fake stores that steal your money, credit card details, or personal information. In the worst case scenario, you could even become the victim of identity theft.
- Fake delivery notification texts. Scammers send fake text messages claiming that a package you’re waiting for has been delayed or that you need to pay a fee before it can be delivered.
- Fraudulent charities that steal your money. Con artists create fake charities or GoFundMe campaigns to trick you into sending money or sharing your personal information.
- Bogus deals on hard-to-find items or airline tickets. Many schemes take advantage of popular holiday items or inflated travel costs to get you to buy fake tickets or items.
- Fake surveys, giveaways, and other phishing emails impersonating well-known brands. Scammers send emails (as well as texts and phone calls) claiming to be from companies you know, such as Amazon or Walmart. These messages use social engineering tactics to steal your passwords, personal information, and financial details.
Even with all of that, there are plenty of steps you can take – before making a purchase or a donation – to stay protected, such as:
- Learning the signs of a fake or unsecured website.
- Researching retailers before you start shopping (and visiting the Better Business Bureau’s Scam Tracker Website).
- Securing your online accounts with strong passwords and two-factor authentication.
- Watching out for scam phone calls.
- Only buying gift cards from trusted vendors (avoiding auction sites).
As it’s often been said, if a deal seems too good to be true, it probably is.
Trust your instincts and don’t let what seems like a good deal cloud your judgment. If it’s a donation, it’s OK to do some research to make sure the cause you’re supporting is real and the organization is a legitimate one. To learn more, visit the Better Business Bureau’s Charity Checker or Charity Navigator. The Federal Trade Commission also offers great advice for giving; everything from the five things to do before you donate to the tips highlighting the safest ways to donate on social media and crowdfunding sites.
If something does happen and you think you’ve been a victim of a scam, be sure to report it!
Here in Indiana, you can go to the Indiana Cybersecurity Hub website (that you’re on) and click on the link “Report a Cyber Incident”. The website features the steps you’ll want to take to report the cybercrime and the FREE resources that are available to help you.
Here’s hoping that you have a (cyber) safe holiday, as you click your way through to find something for everyone on your list!
Traveling for the Holidays? Being Cyber Ready is the Easiest Dish You'll Fix This Year
Wednesday, November 22, 2023
By Joel Thacker and Tracy Barnes
The good folks at AAA announced this week that 55.4 million Americans will be traveling 50 miles or more -- in planes, trains and automobiles -- to celebrate Thanksgiving; a figure that includes 1.25 million Hoosiers, who’ll hit the road, take to the skies or ride the rails, beginning today through Sunday.
And whether your plans involve heading somewhere to be with family and friends, or you’re hosting everyone at your place, you’ll want to take just a little bit of time (we’re talking just a few minutes, here and there) to follow a few simple steps to stay cybersafe; tips that’ll help keep your mobile devices secure while, at the same time, protect your personal and financial information, regardless of where you’re at.
After all, cybercriminals, at this time of the year, you might say, are working overtime in an effort to try and steal our identity or gain access to our bank accounts or credit cards, by trying to run up all kinds of fraudulent charges. In fact, according to a report, published in 2021, researchers observed a 70 percent average increase in attempted ransomware attacks in November and December compared to January and February.
Instead, be sure to check out this “tip card” from the Cybersecurity and Infrastructure Security Agency (CISA) with what you need to know before you leave, as well as what to keep in mind once you arrive at your destination.
Before You Go:
- Update your mobile software. Treat your mobile device like your home or work computer. Keep your operating system software and apps updated, which will improve your device’s ability to defend against malware.
- Back up your information. Back up your contacts, photos, videos and other mobile device data with another device or cloud service.
- Set up the "find my device" feature on all your devices. This will help you find your phone, tablet or laptop, in case you lose or misplace it, and it might allow you to disable or remove any data from it, if it gets in the wrong hands.
- Keep it locked. It’s a good idea to get into the habit of locking your device when you are not using it. Even if you only step away for a few minutes, that is enough time for someone to steal or compromise your information. Be sure, too, to use strong PIN codes and passwords.
While You’re Away:
- Avoid using public Wi-Fi networks. Open Wi-Fi networks at places such as airports present an opportunity for attackers to intercept sensitive information.
- Turn off Bluetooth when not in use. Cyber criminals have the capability to pair with your device's open Bluetooth connection and steal personal information.
- Stop Auto Connecting. Disable remote connectivity and Bluetooth, as some devices will automatically seek and connect to available wireless networks.
  - Be sure to use the same process with your headphones, ear buds, or any entertainment system that you have in your vehicle.
  - This will allow you to disable these features so that you are able to connect wirelessly or with your Bluetooth network – when you want to.
- Be cautious when charging. Avoid connecting your device to any computer or charging station that you do not control, such as a charging station at an airport terminal, train station, or at a travel center or convenience store.
- Remember your physical security and be sure that you don’t leave your device unattended in public or any areas that are easily accessible (e.g., taxis, airplanes, and in your hotel room).
For all the fun experiences and memories that are created from being together with one another during the holidays, there’s a lot of stuff that can stress us out (like trying to decide if the homemade sugar cream pie we just baked, using Grandma Alma’s recipe, is as good as the original…).
Fortunately, it’s easier than that, and all we have to do is spend some of our screen time to better protect ourselves whenever we’re online. For more cyber-friendly travel tips, visit the National Cybersecurity Alliance and the Center for Internet Security and, as always, for the latest resources, best practices and more, for all things cyber in the Hoosier State, visit our Indiana Cyber Hub.
Happy Thanksgiving!
Demystifying Your Data: What’s with the Cookies?
Wednesday, November 15, 2023
One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name “Perspectives From the Campus Series”, we invite experts -- immersed in the pursuit of educating their students -- to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.
In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, discusses the importance of protecting your personal information when it comes to websites that use cookies and what it means when data brokers collect information from you.
By David Dungan
“This website uses cookies”
How many times a day do you see a website that says something along those lines? Unfortunately, they are not referring to macadamia or chocolate chip.
Data brokers use web cookies (a small piece of code that attaches to your browser) to track what kinds of websites you visit and what you do on them. Data brokers also use these cookies to build detailed profiles of your interests and your personal identifying information (PII), including your gender, sexual orientation, and race, as well as major life events, and more.
These brokers then anonymize the information and put it into targeted interest groups to sell to advertisers. It’s a big business. It is estimated that the industry is worth $200 billion per year, with up to 4,000 data brokering companies worldwide.
How do they do it? In a manner of speaking, we provide it to them. That is, they use a few simple steps to obtain information, including:
- Your web browsing history - every time you use a search engine, social media app, or fill out an online quiz, you’re leaving an electronic trail.
- Public sources - This includes everything from birth certificates and marriage licenses to court records and census data.
- Commercial sources - In other words, your purchase history, what you’ve bought, when you bought it, how much you paid for it, and whether you used a loyalty card or coupon.
- Your consent - When you sign up for things like a rewards program, you may have given your consent for your data to be shared without necessarily realizing it (that is, unless you read the fine print).
Fortunately, just as we try to avoid giving into the temptation of eating our way through an entire box of Girl Scout cookies, let’s just say, too quickly, there are six best practices you can follow to better protect your privacy and security when using browser cookies. Among the steps you can take:
- Clear cookies regularly.
- Adjust your privacy settings.
- Be careful when downloading apps or software.
Next time you see a popup asking you to agree to web cookies, it's a good idea to take a moment to carefully consider what that means and remember that it’s OK to deny any cookies you believe are unnecessary to prevent others from exploiting your personally identifiable information.
RESOLVE TO BE RESILIENT - PROTECTING OUR CRITICAL INFRASTRUCTURE
Wednesday, November 8, 2023
The message contained in today’s blog was authored by the Cybersecurity and Infrastructure Security Agency (CISA), with information provided by the Indiana Department of Homeland Security.
November is Critical Infrastructure Security and Resilience Month, a nationwide effort to raise awareness and reaffirm the commitment to keep our nation’s critical infrastructure secure and resilient.
Proactively protecting these resources is vital for preserving the safety and security of all Hoosiers. This year’s theme is “Resolve to be Resilient”. Weather is becoming more extreme, physical and cyberattacks are a persistent threat, and technology is advancing in ways that will change our future very quickly. We must prepare by accepting that it’s our responsibility to strengthen critical infrastructure and protect the vital services it provides.
We can do this by embracing resiliency and building it into our preparedness planning—and then exercising those plans. The safety and security of the nation depends on the ability of critical infrastructure to be able to prepare for and adapt to changing conditions and to withstand and recover rapidly from disruptions. This starts with building resilience into infrastructure investment.
One of the key components to creating an added measure of preparedness is having a well-crafted Cyber Incident Response Plan (CIRP). In addition to helping define everyone’s roles and responsibilities, the plan should include a robust communications strategy that outlines how the information will be disseminated both internally and externally, in the event of a cyber incident or cyberattack.
Public-private partnerships, as evidenced by the work that’s been achieved over the past 7 years by the Indiana Executive Council on Cybersecurity (IECC), continue to play a critical role in leveraging our shared commitment by identifying vulnerabilities and mitigating risks through protective programs and training, as well as offering a wide range of best practices, resources, and tips, as featured on the Indiana Cybersecurity Hub website.
Attacks cannot be completely prevented from happening, but we can minimize their impact by building resilience into our infrastructure and into our society. For more information, visit CISA’s Critical Infrastructure Security and Resilience Month web page.
Cybersecurity for Education Toolkit 2.0 Connects Our School Communities
Wednesday, November 1, 2023
When it comes to making headlines, it might surprise you to know that, more and more, there are two things that are catching our attention these days -- education and cybersecurity.
More than that, these two topics are linked together tighter than Taylor Swift and Travis Kelce.
Our K-12 school communities influence the quality of life we experience in our cities and towns. And, by every measure, it’s safe to say that cybersecurity is an integral part of our everyday life.
Three years ago, as we were trying to figure out how we were going to get all of our students back in the classroom while still dealing with a national health crisis, the Indiana Executive Council on Cybersecurity -- together with the Cybersecurity and Infrastructure Security Agency (CISA) and the Indiana Department of Education (IDOE) -- created the Cybersecurity for Education Toolkit. Filled with a wide range of best practices, tips, and resources, it was designed not just for teachers, students, or administrators.
Instead, the free-to-download guide was geared for everyone in a school community, including staff and school board members and superintendents, as well as the rest of us, regardless of whether or not you had kids in school. Knowing that many families were working from home while, at the same time, sharing space with their kids, some of whom were taking classes online, the guide served as a helpful tool to keep families secure whenever they were online.
Now, just as the school year began in early August throughout Indiana, the IECC worked closely with our partners at CISA and IDOE to produce a sequel -- Cybersecurity for Education 2.0 Toolkit.
Offering an even greater variety of easy-to-understand information, the benefits of the Toolkit are intended to build on everyone’s knowledge about cybersecurity and the importance of practicing good habits as it relates to:
- Students protecting their schoolwork and their identity/personal information.
- Teachers and staff managing their lesson plans while keeping their students’ data secure (including their grades and assignments).
- Superintendents and administrators protecting their students and keeping their facilities and critical systems protected.
- Parents and families learning more about cyber with useful tips and free resources.
- School Board Members using it to help with conducting their business on behalf of the school corporation and community they serve.
Best of all, the Toolkit is formatted as a PDF that can easily be saved as a Word document to enable you to cut and paste, copy and/or repurpose all of the materials as needed to share with your colleagues at school, or as information to be provided to your students, or for a family to use at home.
Among the resources that are included are the four tips from CISA that administrators, teachers and students should follow to keep anyone who relies upon computers in your school district safe.
There are articles that offer cyber-friendly tips for students of every age group from elementary school to high school. There’s even a guide on how to best protect yourself on social media. And, as many people continue to work remotely, there’s a list of questions to consider when setting up a network at home featured in the Toolkit.
If you’re an administrator or a superintendent, there is a wealth of trusted state and federal resources to help guide your school corporation’s approach for being cyber safe for everything from your technical infrastructure to improving your cybersecurity posture, including:
- Indiana Cybersecurity Hub - State of Indiana Cybersecurity Website
- IDOE School Cybersecurity Moodle Community
- CISA Shields Up
- CISA.gov - Partnering to Safeguard K-12 Organizations from Cybersecurity Threats
- MS-ISAC
- K12 Six
At a time when a student’s school file, with enough personal information to steal someone’s identity, is worth as much as $1,000 on the dark web, the connection between cybersecurity and education is unprecedented and more important than ever.
In addition to the Toolkit, the Indiana Cyber Hub website offers information for teachers and students, including resources for cyber and IT internships, and there’s a link to a cyber careers page for anyone who wants to turn their knowledge into a full-time job. Check it out today!
Updating Your Software: Necessary for (Avoiding) Evil
Wednesday, October 25, 2023
When it comes to our ‘personal’ cybersecurity, the threats, and incidents -- from cybercriminals and nation-state actors -- are more prevalent than ever.
As recently as this past Sunday -- in an episode of “60 Minutes” -- we heard from five of the world’s foremost intelligence experts about some of the threats posed by China, and the Cybersecurity and Infrastructure Security Agency (CISA) has identified Russia as a “top cyber threat”.
Of course, while it’s true that some of the percentages still continue to rise, it’s a great time to continue the conversation on how we can protect ourselves.
Thankfully, there are steps we can take to prevent a breach of our own personal information. One of the ways to do this is to keep all our devices' software up to date. By now, we’re familiar (used to?) with all those annoying little pop-ups that appear at the top of our screens saying that a software update is ready to be installed. But these notifications are vital. Providers release these updates as a way to continually fix or upgrade the systems and their elements. The “updates” help us do several things, including:
- Improving the performance of our devices
- Providing security updates
- Fixing design 'bugs' and protecting us against vulnerabilities that have been identified as needing to be repaired (also known as "patches")
All updates to the software programs we use are to our benefit. If you don't install them, it limits your ability to be fully protected. There are three ways to ensure these updates are being installed.
- Keep track of your notifications
  - Watch out for notifications from your settings app. Your device will tell you when an update is ready to be installed and that’s when you want to make sure that you follow through with the update (it rarely takes more than a few minutes).
- Update your devices manually
  - If you see the notification, and can’t trust yourself to come back to it, then update it immediately and take the time away from your device to decompress and “take a break” away from technology. Time away from a screen is never a bad thing, and you can be content that when you come back to it, you will be better protected.
- Turn on your automatic updates
  - If you do not want to update your devices manually, you always have the option to have your device do it automatically. Doing this will tell your device to update to its latest version around your usage schedule so it doesn’t interrupt you, making it as painless as possible.
To keep yourself protected, it’s a good idea to make sure you understand the needs of your device. Providers will always make things easiest for you to do something, so that you won't have to think about it beyond leaving your device alone for a set amount of time.
If you want to learn more, be sure to check out these tips from CISA on keeping your devices updated along with a handy “how to” tip sheet to help fix any unwanted security risks.
Remember, too, October is Cybersecurity Awareness Month and it’s the perfect time to use these best practices every day as a way to stay secure and better protected whenever you’re online.
How Can You Protect Your Digital Footprint Online?
Wednesday, October 18, 2023
PERSPECTIVES FROM THE CAMPUS
One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name “Perspectives From the Campus Series”, we invite experts -- immersed in the pursuit of educating their students -- to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.
In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, joins in the celebration of Cybersecurity Awareness Month and shares his perspective on how we can protect our digital footprint online.
By David Dungan
From the time we’re born, with every step we take, we create and leave behind a footprint that’s uniquely our own. And it’s no different when we’re online.
Unfortunately, when it comes to the digital world, in which we live, learn, work, and play, we reveal a lot more about ourselves than we might realize and that’s one of the things that cybercriminals are counting on -- when it comes to trying to steal your money or your identity.
In fact, according to a recent report, the number of Hoosier victims of identity theft has nearly doubled in the last five years. If reading that leaves you feeling as though someone is trying to trip you up, consider:
- Indiana ranks 11th nationally for the greatest rate of increase in identity theft.
- Incidents in the state increased by more than 94 percent; a rate that’s much higher than the national average of 62 percent.
- Data from the Federal Trade Commission also shows credit card fraud reports in Indiana increased by more than 122 percent, and bank fraud increased by nearly 158 percent over the same period.
- Already this year, there have been more than 3,300 reports of identity theft across the state.
Fortunately, there are some steps you can take (and resources are out there) to help avoid running into problems when it comes to preventing someone from making it appear as though they’re you.
This is especially true when it comes to social media.
Regardless of the platform you’re on, it’s easier than ever and it’s fun to share tidbits of our lives with the people we care about. It’s that kind of sharing that cybercriminals are looking for, to help themselves to your personal and financial information. Before you post anything, it’s essential to review (and re-read) what you’re saying or sharing and it’s a good idea to get into the practice of using the same precautions when you’re looking through the content that’s on your feed, or any of the sites that you might visit while you’re on Instagram, LinkedIn, Twitter/X or Facebook.
To stay protected, be sure to check out these social media safety tips from the National Cybersecurity Alliance, including:
- Prize your personal info
- Check your settings
- Enable MFA (multi-factor authentication)
- Passwords - Think long, strong, and unique
- Share with care
- Posts are like ghosts
Additionally, remember that there’s a LOT of personally identifiable information that you’re already sharing -- including your date of birth, your phone number, and your address -- and that’s just the beginning. There’s also references to where you work and all of that is out there, along with the information for your family members and your friends. Don’t forget, too, there’s lots and lots of pictures and videos that you’re in.
Protecting all of that may seem, at times, more than a little overwhelming when you stop and really think about it. But that’s why, when you’re posting anything, it’s important that you’re mindful of who you’re tagging (and that goes for your accounts, too) and who’s tagging you in their photos, videos, and posts. Among the other things you can do is to disable the cookies on websites that you visit.
If you're wondering just how easy it can be to have your accounts compromised, a dedicated cybercriminal may be able to find your location based only on a photo. Moreover, anyone can figure out what kind of house you have, the brands of products you buy, your relative wealth, and more. That’s why it’s also important, in all situations, to consider what someone who doesn't like you may do with the information.
One of the other things to consider is the private messages we send. Despite what we might think, private messages are not always just between you and your contact. While they may not be accessible to the general public, companies like Meta (i.e., Facebook, Messenger, and Instagram), Alphabet (i.e., Gmail, Hangouts), Apple, or X/Twitter possess the capability to access your private messages or data on their platforms, and gain information about you from what you're posting.
To learn more, there's a wide range of cybersecurity best practices, free resources and tips from trusted sources, such as CISA, National Cybersecurity Alliance, and the Indiana Cyber Hub.
At the end of the day, the path we follow -- as part of our everyday life -- takes us to the experiences and adventures that define us, but if we take just a few precautions, it’ll help make sure that the digital footprints we create and leave behind are genuinely ours.
Multi-Factor Authentication: Easier to Use Than Telling Your Teenager "No"
Wednesday, October 11, 2023
By Joel Thacker and Tracy Barnes
If you think about it, a cybercriminal is a lot like a teenager, who has a knack (at least, every once in a while) for wearing out Mom or Dad to get something they really want.
At first, they might try to reason with you with a request that seems simple enough. Yet, as you take some time (maybe just a minute or two…) to learn more about what they’re planning (and what they’re really asking you for), that’s when their scheme starts to fall apart. Soon after that, you find yourself saying, “wait a minute”, before, of course, you’re suddenly responsible for ruining their life, weekend and/or their night out.
Depending on your age and generation and, regardless of how you might’ve been raised, admit it…you were once that clever teen, or you’ve come away with just a little bit of satisfaction knowing that your kid wasn’t able to pull one over on you.
In the cyber world, it’s kind of the same thing.
The request is an email, a text message, or even a phone call. What’s more, whoever it is, might be someone you think you know -- a family member, a co-worker, or even your boss. The fact is, for most of us, it’s human nature; we want to please someone by doing what they’ve asked us to do. Or we want to feel as though we have the ability to take someone at their word.
October is Cybersecurity Awareness Month and, for all of us, one of the reasons to celebrate is there’s, actually, a lot of things we can do to make our lives easier and protect ourselves whenever we’re online.
Following on the theme, “Secure Our World”, this week’s focus is to enable MFA, also known as Multi-Factor Authentication. Whenever we log into our accounts, whether it’s our checking account, or we’re spending some time on Instagram, we are sharing our personal information and confirming our identities. MFA provides us with an extra level of security, simply by entering a code that is texted to our phone or mobile device, or one that is generated by an authenticator app.
Even if our passwords are compromised, an unauthorized user won’t be able to meet the second part of the requirement. Because of that, you’re able to experience that “wait a minute” moment and, instead, ruin the plans that a cybercriminal had for your money or to use your identity to steal from someone else.
The Cybersecurity and Infrastructure Security Agency (CISA) offers a great video to learn about all of the benefits MFA can provide and the fact that you don’t have to be some sort of tech expert to set it up on all of the accounts where it’s available. There’s also a handy tip sheet that’s free to download to get you started.
To learn even more about all things cyber, including here in Indiana, we invite you to keep coming back to the Indiana Cyber Hub website for all of the latest FREE resources, best practices and tips for all Hoosiers, businesses, and local government, including our schools. You can also sign up today to subscribe to our blog (it’s FREE) and we invite you to follow us on social media on Twitter/X, LinkedIn and Facebook.
Three Rules of Running (A Cyber-Safe Company)
Wednesday, October 4, 2023
PERSPECTIVES FROM THE CAMPUS
One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name “Perspectives From the Campus Series”, we invite experts -- immersed in the pursuit of educating their students -- to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.
In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, joins in the celebration of Cybersecurity Awareness Month and shares his perspective on how three rules of running can be applied to the responsibility of running a cyber-safe company.
By David Dungan
Cybersecurity and running can both be uncomfortable, especially with little training. It is not always easy to push yourself during a race when others are far ahead or when your sides are cramping from exhaustion. Nevertheless, you finish the race in your own time, celebrating because you have accomplished your goals. The practice of managing a company’s cybersecurity offers some similarities that most of us can appreciate, even if we’re the type of person whose experience with running is tuning in to the Olympics to see who wins the gold in the 100-meter race.
After all, it can be exhausting keeping up with the newest trends. There’s also the challenge of keeping up with others who have more resources, whether that means an ability to implement cybersecurity policies that are more extensive or to invest more heavily in the latest software. More than that, there are three rules of running -- preparing for the race ahead, keeping personal goals and priorities in mind, and staying engaged during the race -- that we can apply to running our own cyber-safe companies.
Preparing for the race ahead
Companies and runners occasionally have difficulties determining where to start when they begin training or when they’re trying to reach a goal. Fortunately, government agencies offer resources such as self-assessments to identify how much you and your employees know about cybersecurity and how well your company is positioned with its information security. One of the best examples that’s available is the State of Indiana’s Cybersecurity Scorecard. The Scorecard is an online tool that, in less than 15 minutes, will provide you with a score - and a report - of where your organization stands with its cybersecurity. What’s more, it’s FREE and was created, specifically, for the office manager, executive or IT manager to complete. As with running, you don’t have to be an expert to do the assessment, and it gives you some valuable information to begin a conversation with your leadership or staff. In that sense, it compares favorably with the type of assessment (and feedback) that a coach, or someone who’s a more experienced runner, would give you ahead of your next race. Companies can also learn about best practices and government standards with supplemental resources to begin addressing potential security flaws and vulnerabilities.
Focusing on personal achievements and goals
Not everyone will run a race at the same pace, and the same is true for cybersecurity and how it’s used within a lot of companies. Each company’s resources will vary due to its relative size or industry, so companies should do the best they can with the resources they have available and focus on their own policies and standards, much as a runner might focus on achieving a personal record. Internal policies and standards, alongside external compliance standards, should set the goals for each company. Not all businesses will be required to meet every compliance standard, so it is important to distinguish between what’s necessary and what’s not absolutely required, so as to avoid investing in products or resources that are either too expensive or won’t be fully utilized in a way that makes a difference.
Staying engaged during the race
One of the more difficult aspects of maintaining a cyber-safe company is holding the interest of employees and other stakeholders while implementing security awareness training. For some people, no matter how much you feel as though you’re challenging them, learning best practices or new policies can be overwhelming and, well, a little boring.
To avoid that, runners often stay engaged by listening to music or a podcast during their run. Companies can utilize similar tactics by implementing a variety of educational materials such as knowledge assessments, videos, posters, and polls. We can learn in a variety of ways, from using employee feedback to continually improve training lessons to measuring knowledge retention to ensure everyone is aware of their role in a cyber-safe company. Additionally, it is important to celebrate any step that’s made towards running a cyber-safe company, as it incentivizes the collective efforts of a company and promotes a culture of security awareness. People will feel more invested if you celebrate their accomplishments and the progress they’re making.
Running enthusiasts of all ages experience different challenges, and the same can be true for companies. However, no matter a company’s size or industry, it is vital to keep running a cyber-safe company to prevent injury to a company’s vital information, while at the same time protecting its customers, critical systems, and its reputation from a potential cybersecurity incident or a cyberattack.
No matter someone’s reason for running (a cyber-safe business), it is always a step in the right direction when you proactively plan and prepare for the challenges that are out there, to keep you and your company on the right track.
Cybersecurity Awareness Deserves Year-Round Celebration
Monday, October 2, 2023
By Joel Thacker and Tracy Barnes
While it might not possess the glamour and tradition of the Macy’s Thanksgiving Day Parade, or generate the kind of promotional opportunities we often see with the Super Bowl, Cybersecurity Awareness Month is an event that’s not only worth celebrating, it’s one that deserves our attention year round.
Following on the proclamation, on Sunday, by Indiana Governor Eric Holcomb designating the month of October as “Cybersecurity Awareness Month”, Indiana is continuing in its cyber readiness to keep all Hoosiers safe and secure and protect our critical infrastructure that’s essential to everyday life.
With Cybersecurity Awareness Month now in its 20th year, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Cybersecurity Alliance (NCA), announced this year’s theme is “Secure Our World”; it is an ideal illustration of the significance that cyber possesses for all of us.
And, just as we don’t limit ourselves to a single day, week, or month, to remind each other to be thankful of our family, friends, and co-workers, it’s important for each of us to continuously follow a few simple habits and “stay safe” behaviors whenever we’re online, whether we’re at home, at work or at school. And it’s especially true whenever we’re on social media or engaging in anything that involves our personal or financial information.
Keeping ourselves secure is achieved by focusing on four simple -- yet critical -- actions; steps that all of us should implement and continuously strengthen, including:
- Recognize and report phishing
- Use strong passwords
- Turn on multi-factor authentication
- Update software
Here in Indiana, cybersecurity continues to be a priority and the progress we’ve achieved comes at a critical time, as cyber incidents and cyberattacks grow in severity and frequency and include not only data breaches, but also more sophisticated attacks on the physical operations of water utilities, hospitals, schools, and local governments.
To help stay at the forefront of being prepared, the Indiana Cybersecurity Hub website features a wide range of FREE resources, best practices and tips, as well as free-to-download toolkits involving emergency management, education, and healthcare (and more) that have been developed by professionals to help build on your cybersecurity awareness. There’s even an Indiana Cybersecurity Scorecard to give you a good idea (in less than 20 minutes) of your organization’s overall cyber posture.
To keep it all moving forward, the Indiana Executive Council on Cybersecurity is continuing in its work, as outlined in the state’s cybersecurity strategic plan, positioning the Hoosier State nationally as a top-tier leader, among all states for cyber governance.
We invite everyone to join in the celebration of Cybersecurity Awareness Month and use the opportunity to connect with our family, friends, and co-workers and do our part to help keep one another safe whenever we’re online. And, be sure to visit the Indiana Cyber Hub online for the latest cyber information on Twitter/X, LinkedIn and Facebook.
Cyber Threats Take Aim at Our Trust
Wednesday, September 27, 2023
PERSPECTIVES FROM THE CAMPUS
In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, shares some important information regarding four cyber threats and what you need to know to stay protected.
By David Dungan
When it comes to cyber threats, it’s a matter of trust.
For a scheme or a scam to be successful, cybercriminals are relying on the notion that we will trust whatever it is we’re seeing or being asked to do in an email, or what we’re doing when we’re setting up a device at home (products we now refer to as the “Internet of Things”), and that we will assume it’s OK and considered safe and secure. Unfortunately, as we’ve discovered, that’s simply not true.
This year, there are four cyber threats that have emerged as posing the greatest risk for consumers and, while they’re not new, they remind us of the importance that comes with protecting ourselves when we’re online.
IoT Insecurities
The beloved Alexa, a smart TV, and the newest cars all have one aspect in common: these products are considered a part of the “Internet of Things” (IoT) because they are devices connected to the internet or a network that can automatically collect and transmit data.
The Open Worldwide Application Security Project (OWASP) has reported on several top risks involving IoT, including weak passwords, outdated components, lacking update capabilities, and insecure privacy protections. Attackers can also use infected IoT devices as bots for Distributed Denial of Service (DDoS) attacks to disrupt or degrade a network.
Before you buy an IoT device, it’s a good idea to do some research, so as to help avoid purchasing a device with some known exploits. If the device has update capabilities, be sure to install updates as soon as possible.
Ransomware
Ransomware is malware that affects devices or a network of devices by holding the system and its files “hostage” and demanding that the user pay for access to their own devices and data. Victims can get ransomware through spam, malicious advertising, or forms of phishing. Fortunately, there are steps that you can take to mitigate the risks of cybersecurity attacks, such as maintaining backups, frequently updating systems, utilizing secure configuration settings, implementing antivirus software, and educating yourself about any potential risks. In the event that you or your company are a victim of a ransomware attack, the Cybersecurity and Infrastructure Security Agency (CISA) offers a Ransomware Response Checklist to help you respond and recover.
Pig Butchering Schemes
Pig butchering schemes occur when the attacker works to gain the victim’s trust before manipulating the victim to willingly invest in the attacker’s false investment scheme. Once that happens, the attacker disappears with their pilfered funds, leaving the victim broke and heartbroken.
You can distinguish pig-butchering schemes by noting if the attacker sends unsolicited messages, is an unknown contact, refuses to participate in video chats, requests financial information, invites you to invest in their newest vague financial scheme, makes an irrational claim, or insists with urgency that you need to make the investment.
A good rule of thumb is to give yourself time and scrutinize the legitimacy of any supposed investment opportunities.
Phishing Scheme Variants
Phishing scams utilize online interactions to trick individuals into revealing sensitive information about themselves or their finances. Variants include smishing, which occurs through text messages, vishing, which occurs through phone calls, and attacks carried out over social media. This can result in divulging sensitive information for future attacks, extortion, or an attempt at financial fraud of an individual or an organization.
These phishing schemes all have an underlying solution: do not interact with suspicious calls, text messages, emails, or fraudulent interactions online.
In Indiana, whether you are an organization experiencing a cyber incident or cyberattack, or you’re an individual who is a victim of identity theft, you can visit the Indiana Cyber Hub website’s Report a Cyber Incident page featuring a step-by-step process that’s easy to follow. The Consumer Protection Division of the Indiana Attorney General’s Office also offers a variety of free resources to help you. And the Indiana State Police Cyber Crime Unit also provides law enforcement officers to assist in criminal investigations involving the use of digital media as an integral part of the crime.
If you or someone you know is the victim of identity fraud or cybercrime, the FBI’s Internet Crime Complaint Center is another essential reporting tool to submit suspected cybercrimes. This helps to prevent internet crimes by promoting the sharing of information about threats.
Email Scams: It’s ‘OK’ Not to Click, Protect Yourself
Wednesday, September 20, 2023
PERSPECTIVES FROM THE CAMPUS
In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, shares his expertise as it relates to the growing issue of email scams - including the tactics cybercriminals use to try and steal our personal and financial information and the steps we can take to protect ourselves.
By David Dungan
If we can agree that sending and receiving an email is one of the most effective and beneficial ways to communicate with one another (that’s ever been created...), it probably explains why it’s become a primary tool for cybercriminals to steal our money, credentials, and other sensitive information.
In 2020, people ages 21 and under lost roughly $71 million, and since January 2020, businesses have collectively lost $3.1 billion to business email compromise (BEC). Not only have email scams resulted in financial losses, but they have also resulted in identity theft and damage to the reputations of many companies. What’s more, they have caused us to experience a collective lack of trust in using email to communicate with one another.
Tactics Involved with Email Scams
Attackers use various kinds of tactics within email scams: impersonation, email spoofing, malicious links, and fake invoices. Attackers often impersonate a third-party vendor, a customer, an employee, or a CEO to establish trust with the victim, or create a sense of urgency in an impersonation attack. This typically causes the victim to act quickly without considering that the email may be a scam.
Malicious links are links created to distribute malware like ransomware. Once the victim clicks on the link, they can be redirected to a spoofed website that the attacker created, recording the victim’s credentials if they input their login information, or downloading malware onto the victim's machine.
Invoice scams are when attackers send fake bills for goods or services that the victim never ordered. The victim may not look at the details of the invoice and pay it, potentially exposing confidential banking information. Instead of the money going to the real third-party vendor, the money is sent to the attackers.
How to Spot Email Scams
There are numerous ways to distinguish email scams from legitimate emails. Watch for these “red flags” to help you tell the difference:
- The email claims that you must log into a website, or your account will be closed, with a link to an attacker-controlled website.
- The email claims that your payment or personal information is invalid, and it must be sent to the attacker either through email or on a website.
- It attaches invoices for a payment that you know you did not make.
- It conveys a sense of urgency or confidentiality.
- It claims that you could receive a government refund and asks for sensitive data such as a social security number, address, and banking information.
- It requires you to submit private data to obtain free products, coupons, or money.
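The red flags above can also be written down as a small rule-based triage script that marks messages for a person to review. This is an added example, not part of the original post: the rule names, the regular expressions and the three sample messages are constructed assumptions, and a match is only a prompt for a closer look.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")
ATTACHMENT_RE = re.compile(r"invoice|receipt|statement")

# One rule per red flag in the list above. Every pattern in a rule must match,
# so a lone word such as "free" does not raise a flag on its own.
# The pattern wording is an assumption, not taken from the post.
RULES = {
    "account_closure_with_link": (
        r"\b(log ?in|sign ?in|verify)\b",
        r"\baccount\b.{0,60}\b(closed|suspended|deactivated)\b",
    ),
    "info_invalid": (
        r"\b(payment|billing|personal) (information|details|method)\b",
        r"\b(invalid|declined|expired|could not be verified)\b",
    ),
    "urgency_or_confidentiality": (
        r"\b(urgent|immediately|within \d+ hours|right away|confidential|do not share)\b",
    ),
    "government_refund": (
        r"\b(tax|government|irs)\b.{0,40}\brefund\b",
        r"\b(social security number|ssn|bank(ing)? (account|information))\b",
    ),
    "freebie_for_data": (
        r"\b(free|coupon|gift card|prize)\b",
        r"\b(social security number|date of birth|bank(ing)? (account|information)|card number)\b",
    ),
}


def red_flags(raw_email: str) -> list[str]:
    """Return the sorted names of the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email, policy=default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    links = LINK_RE.findall(body)  # collect links before any HTML tags are stripped
    if part is not None and part.get_content_subtype() == "html":
        body = re.sub(r"<[^>]+>", " ", body)
    text = re.sub(r"\s+", " ", f"{msg.get('Subject', '')} {body}").lower()

    found = {name for name, patterns in RULES.items()
             if all(re.search(p, text) for p in patterns)}
    if not links:
        # The first red flag is about a login demand that comes with a link.
        found.discard("account_closure_with_link")
    for att in msg.iter_attachments():
        # The script cannot know whether you made the payment; it only flags
        # invoice-like attachment names so a person can check.
        if ATTACHMENT_RE.search((att.get_filename() or "").lower()):
            found.add("invoice_attachment")
    return sorted(found)


def _build(subject, body, attachment=None):
    """Build a constructed sample message and return it as raw text."""
    m = EmailMessage()
    m["From"] = "sender@vendor.example"
    m["To"] = "user@company.example"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"%PDF-constructed", maintype="application",
                         subtype="pdf", filename=attachment)
    return m.as_string()


# Constructed samples (not real messages).
SCAM = _build(
    "URGENT: your account will be closed",
    "Your payment information is invalid.\n"
    "Log in within 24 hours or your account will be closed:\n"
    "http://login.vendor-support.example/verify\n",
    attachment="invoice_4471.pdf",
)
REFUND = _build(
    "Government tax refund available",
    "You are eligible for a tax refund. Reply with your Social Security "
    "number, address and banking information to claim it.\n",
)
BENIGN = _build(
    "Lunch on Thursday",
    "Are you free for lunch on Thursday? The meeting notes are at "
    "https://intranet.company.example/notes\n",
)

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("refund", REFUND), ("benign", BENIGN)):
        print(label, red_flags(raw))
```

The benign message contains both the word “free” and a link, yet raises nothing, because each rule needs all of its patterns to match.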
How to Protect Against Email Scams
You can protect yourself and others from email scams by educating employees on the tactics used by scammers, installing email filters and email defenses, updating operating systems, installing security software, enforcing MFA (multi-factor authentication), backing up data, and installing firewalls that contain web isolation technology.
As email scams continue to increase, it is important to use these practices to avoid becoming a victim of these attacks. You can also utilize an email provider that has fraud prevention built into the system.
There is also a wide range of free resources, best practices and tips that can help you stay safe, such as those from the Federal Trade Commission, and CISA (Cybersecurity and Infrastructure Security Agency) offers an easy-to-use guide for recognizing and avoiding email scams that covers everything from get-rich-quick schemes and health and diet scams to important information on how the scams work, with real-world examples that you might have already seen in your inbox.
Remember, too, that it’s OK not to click on any link, especially if you’re not sure about the source, the offer or what someone is asking you to do. Cybercriminals are relying on you to act on your feelings -- such as curiosity and the desire to please others -- to get what’s yours and that’s true whether you’re at home, at work, or at school.
Social Engineering: How It’s Evolved & How to Avoid It
Wednesday, September 13, 2023
PERSPECTIVES FROM THE CAMPUS
In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, shares his knowledge and expertise on how social engineering has evolved and the steps you can take to avoid it.
By David Dungan
Social Engineering manipulates people into doing one’s own bidding, likely by performing a specific task or giving up sensitive information. The attacker’s plan tends to follow a guideline of gathering information about the victim, establishing a relationship with the victim, exploiting the victim to do the attacker’s bidding, and then the attacker moves on to accomplishing their goal.
Before the Technology
Many reference the story of how the Greeks infiltrated Troy using the Trojan Horse or the biblical story of the snake tricking Eve as proof of social engineering.
However, the introduction of technology such as phones and computers has made this process easier by eliminating human interaction and allowing individuals to trick automated authentication processes.
Forms of Technology Exploitation
Phones were one of the first technologies to make the practice of social engineering easier through the removal of face-to-face interactions. Vishing is the process of social engineering using phones. Attackers will pose as individuals, such as a bank official, and will call or leave a voicemail message to lure the victim into sending sensitive information. Smishing is another way attackers can socially engineer mass quantities of individuals, by sending texts that pose as authentic entities and carry malicious links.
What's more, it's become a (very) big issue, as the Federal Trade Commission says nearly 200,000 people have been targeted this year alone. And, last year, people lost a total of $2.6 billion to imposter scams.
Phishing can target numerous individuals at once through a mass email. Phishing is where an attacker attempts to convince a victim to divulge information, such as tricking someone into thinking they won the lottery and need to provide sensitive information to claim their prize; or attackers may urge an individual to download malware onto their computer, masking the download as an important file or update.
Social Media
Social Media has made it easier to social engineer individuals through the collection of information on victims, different mechanisms to attack, and attackers being able to exploit a broader audience.
Many individuals often leave a digital footprint on social media, disclosing information such as their full name, city, country, birthday, etc. Attackers can use this information while researching a victim.
Additionally, attackers can harvest data by creating fake log-in pages for social media, collecting the victim’s username and password.
The Future of Social Engineering
Mitnick Security predicts deepfakes will be the newest technology to trick victims into giving up information by faking audio and video of real individuals. Additionally, they predict attackers will leverage social media credentials since numerous web applications will allow individuals to verify themselves through social media authentication measures.
We can protect ourselves against social engineering by not giving out personal information in response to unsolicited requests, and by not sharing information with individuals we do not know and trust or on untrustworthy platforms. If you are skeptical of the legitimacy of a message, such as whether it really comes from the company it claims to be from, contact the company yourself and do not reply to the message. Similarly, do not open emails or text messages that do not seem legitimate or click on links or attachments in those emails/text messages.
Experts recommend if someone clicks on a malicious link or divulges personal information, they should notify the IT team (if applicable), disconnect the device from their network, change their passwords, scan the networks for malware, notify credit agencies of potential fraud, check for identity theft on bank statements and other financial statements, and contact the agency the attacker imitated to inform them of the incident.
Overall, social engineering is based on the same principles, just carried out through different means. It is meant to take advantage of the vulnerabilities of humans. Therefore, we need to consider the humans behind the computers when protecting against attacks through comprehensive user training and using spam filters whenever possible to prevent human contact with social engineering tactics. To learn more, the Cybersecurity and Infrastructure Security Agency (CISA) is a great resource that’ll help you make sense of it all, and better protect yourself against these types of attacks.
Three Ways Cybercriminals Target High School Students
Wednesday, September 6, 2023
PERSPECTIVES FROM THE CAMPUS
In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, discusses three ways that cybercriminals use to target high school students and shares some helpful tips on keeping your digital life safe and secure.
By David Dungan
Whether you’re a senior, preparing for what’s ahead after you graduate, or you’re a freshman, who’s just trying to figure out where your first class is at, being a high school student is tough enough without having to worry about a cybercriminal stealing your personal information.
A study released earlier this year found that a student’s personal information is valued at $1,010 on the dark web - that’s one student. The fact is, a cybercriminal can acquire and utilize a student’s credentials for a wide variety of goals, and this often makes high school students a target. Typically, there are three common ways cybercriminals try to steal a high school student’s personal -- and financial -- information: botnets, ransomware attacks and impersonation attacks.
- Botnets - Cybercriminals add high school students to a botnet by redirecting them to malicious links, promoting malicious software, or harvesting students' data in "free" online tools. These mechanisms infect the high school student's machines, making them part of a larger bot-network. Botnets can have repercussions for the user, such as having the user blocked from certain websites due to their account being connected to malicious activity or becoming a suspect for illegal activity.
- Ransom Attacks and Ransomware - Ransom attacks are schemes involving credentials or sensitive information of the user falling into the attacker’s possession, which the attacker uses as leverage to exploit that user. Some attackers may use ransoms to coerce students into using their parents’ credit/debit cards to pay the ransom. Ransomware attacks occur using malware that prohibits a user from accessing their own digital accounts, files, media, online storage, and other forms of data.
- Impersonation Attacks - An impersonation attack is a general use term for methods of deception that allow a threat actor to gain access to information that would otherwise be inaccessible to them. Two types of impersonation attacks relevant to students include spoofing and form jacking.
  - Spoofing is a type of impersonation attack that involves a threat actor pretending to be from an entity they are not, while form jacking involves an attacker stealing a user’s data through the user’s direct connection to a website or portal.
  - Students are at the greatest risk of form jacking due to the sensitive nature of the information shared, for example, when registering for school, as students frequently fill out documentation requesting their full names, date of birth, Social Security numbers, as well as family information, and other details related to such things as jobs or even scholarships.
To protect themselves, high school students should begin safeguarding their internet usage by practicing good habits of digital security, such as:
- Never sharing personal information with anyone or any place you do not trust.
- Using secure web pages by looking for “https://” instead of “http://” in front of a web address.
  - Web browsers will also display a lock in the web address bar to denote a secure web page.
- Ensuring the validity of unknown email addresses by checking with official sources first.
  - If something seems illegitimate, contact the assumed sender to ensure they sent the email that was received.
- Using two-factor/multi-factor authentication.
There is no definitive way to absolutely prevent someone from becoming a victim of identity theft, but practicing cyber-safety goes a long way toward preventing and/or reducing the extortion of data, so as to help high school students focus on what matters most to them.
Password Breaches and Prevention - What You Need to Know
Wednesday, August 30, 2023
PERSPECTIVES FROM THE CAMPUS
In the third installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, discusses some of the methods cybercriminals use to try and steal your personal and financial information and he’ll share his expertise on what you need to know to stay safe, whether you’re at home, at work, at school, or you're on social media.
By David Dungan
By now, with all the advancements we’ve made with cybersecurity, you might think we’ve figured out how to keep our passwords from being hacked.
Yet, for all of the progress that’s been achieved, passwords are bypassed through the use of password-cracking tools, scamming techniques, and other methods of social engineering. Too often, a cybercriminal only has to use some social skills for an unaware person to deliver the requested information effortlessly.
Social engineering attacks are difficult to circumvent due to the craftiness of modern attackers. These include tactics such as phishing, pretexting, baiting, and scareware. Let’s take a closer look at what we’re talking about, what you should look for, and some tips you can use to better protect yourself, including:
- Phishing
  - Phishing attacks target victims for personal identifying information (PII).
  - The goal is for the attacker to manipulate the victim into releasing crucial information critical to business security and personal security. This usually pertains to social media, finances, and other assets.
  - Phishing attacks usually occur through email but can also be carried out through other communication-focused platforms. Smishing, or SMS phishing, is a branch of phishing that involves the attacker disguising themself as a reputable organization through text messages.
- Pretexting
  - Pretexting is a social engineering attack where the attacker pretends to be a trusted official, family member, or friend of the victim. The attacker attempts to acquire background information on the victim to know some of their real-world connections and relationships to carry out their attack. Attackers can find this information online and on social media such as Facebook.
- Baiting
  - Baiting is an attack used to persuade targets to fall for malicious media.
  - Digital baiting refers to media sent to victims over the internet and marked as important documents or luring media files. These files are typically embedded with malware capable of harming a user’s device, as well as stealing personal information.
  - Physical baiting involves the attacker providing a storage device such as CDs or USBs to a target, hoping the target connects this device to their system. This would give the attacker access to private information of the company/individual, and potentially spread the malware across the network.
- Scareware
  - Scareware is a tactic that uses fear to manipulate targets via phone calls, messaging, or online into disclosing private information, downloading hazardous material, or even visiting unsafe websites.
  - Bad actors can either convince the target to release this information or simply extract critical data through the use of malicious software should the target download the malware. This is a huge issue for personal and business security since the stakes are always high.
The most strategic way of combating password breaches is by staying up to date on new methods cybercriminals use. The organizations that promote cyber-awareness include the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance. These organizations provide timely updates on new cyber threats and tech updates. There are also articles out there, with some easy-to-follow reminders to help you stay protected whenever you're online.
A Bump In The Roadmap...
Wednesday, August 23, 2023
Like many schools and businesses, we are constantly looking to improve our cybersecurity posture… keeping the ‘bad guys’ out is more and more of a challenge, with large-scale data breaches hitting the news almost daily.
During the fall of 2021, we partnered with one of our trusted vendors and completed a network security assessment as part of our network security roadmap. A few weeks later, we were running a trial of a next-gen antivirus solution in a few of our buildings, when we received an alert in the middle of the night that there was suspicious activity on our network. We investigated, found the affected PC, and remediated. The next night, another alert on a different PC. Another remediation. We decided to expand our two building anti-virus trial to all buildings for more complete visibility into what was happening. Night three, I was waiting. Sure enough, around the same time of night, another alert. Upon further investigation, we thought it was best to take the entire school district of over 10,000 students and 1,200 staff members offline as we and our vendor partners determined the extent of the intrusion.
If you’ve not had a discussion of what a total technology shutdown would look like in your district, I would highly encourage you to chat with your administration team and include that information in your disaster recovery plan. For us, it was important to be the ones controlling access, as we were not sure what would come if the game of cat and mouse were to continue. While our teachers rely heavily on technology for their daily instruction, this event encouraged them to return to some of their earlier teaching practices and school remained open and teaching continued during this event.
The proactive nature of our ‘technology lockdown’ allowed us to control what services remained online during our investigation. Thinking back, I cannot imagine not having this option. Accommodations were made for some of the operational functions (payroll, bus routing, nutrition services) to continue. Telephones, security cameras, copiers, A/V systems all may be affected in the event of a true ransomware situation. As we were not in that situation, all of these systems were operational. A communications backchannel was established through our district’s mass communication system. All passwords were reset and had to be distributed to all staff and students in-person in an efficient manner. Over 13,000 stickers with new, temporary user credentials were strategically deployed. Schools utilized PA announcements in a way that they hadn’t in many years and went back to distributing printed copies of things that may have been emailed in the past. While it was important to let school families know that their students were not accessing technology at school, the messages could not be incredibly detailed as the investigation began. Families were informed that the access didn’t include the student information system.
While school life continued as normal as possible, the investigation involved conversations with a local partner recommended by the Indiana Department of Homeland Security and our school administration. At the conclusion of the investigation, it was determined that no sensitive files were accessed, and no ransomware was discovered on the network. It showed that the perpetrator seemed to attempt to use our network to make fraudulent purchases online, and most interestingly, the initial access coincided with the date and time of our network security assessment. We engaged in a strategic restart of the network to minimize the risk and isolate any further attempts to compromise the network. After a few days, the district was back online with the next-gen anti-virus software fully in place.
Hearing of other districts’ incidents involving ransomware and encrypted files, I know we were fortunate in our case. In the weeks and months after our intrusion, many ‘what if’s…’ followed: What if this ‘system’ or that ‘tool’ was also affected, etc.? How would we take attendance if our student information system became inaccessible?
All of this helped us further re-shape our disaster recovery plan, and the year-long security roadmap we were following was accelerated to about five weeks with nearly total buy-in from our staff.
If you’ve not had a chance to develop a disaster recovery plan for your district, I would highly recommend you complete that. Many resources beyond the Technology Department need to be involved in the planning for and execution of such a plan. The Indiana Cybersecurity website contains some great resources to incorporate into your plan. Purdue CyberTAP offers no-cost cybersecurity assessments, which we took advantage of last year. This assessment gave us additional ideas for our plan as well. IN-ISAC also publishes timely notifications of threats and vulnerabilities which you can sign up for here.
Dangers of USB Attacks: How You Can Protect Your Cyber Self
Monday, August 21, 2023
PERSPECTIVES FROM THE CAMPUS
One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name “Perspectives From the Campus Series”: we invite experts -- immersed in the pursuit of educating their students -- to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.
In the second installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, discusses the importance of protecting your personal information when it comes to USB devices and ports, as well as other forms of removable media.
By David Dungan
USB devices, CDs, SDs, and SIM cards make our lives easier in many ways, but it's important to understand the inherent vulnerabilities of these devices so you can keep your private information safe and secure.
One common attack relies on social engineering to infect devices. It starts with someone leaving a USB flash drive in a common public place (even a parking lot) or on someone’s desk, or addressing it to an individual, with the hope that a person will plug it into their computer.
Call it curiosity or a desire to simply help someone, you might be tempted to insert the removable media to see who it belongs to, to access the information on it (if you think it belongs to you), or because you need to plug it in for a specific task. The problem is these devices act like a remote keyboard when the victim plugs them into their device. The removable media devices have pre-programmed keystrokes that can place malware on your computer, delete important files, open a backdoor for persistent access, and more.
Essentially, with a removable media attack or USB drop attack, the attacker can program the device to perform any actions that they would be able to perform, just as if they were sitting at your computer. You can protect yourself from this kind of attack by never plugging an unknown removable media device into your computer or mobile device.
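For readers who manage Linux machines, here is one way to see what a plugged-in device claims to be. This is an added example, not part of the original post: it reads the interface class codes Linux exposes under `/sys/bus/usb/devices` and flags any device that announces itself as a keyboard, especially one that also announces storage. The function names and the sample device tree are constructed for illustration.

```python
"""Triage USB devices by the interfaces they announce (added example)."""
import os
import tempfile

HID_CLASS = 0x03           # USB class code: Human Interface Device
KEYBOARD_PROTOCOL = 0x01   # HID boot-protocol keyboard
MASS_STORAGE_CLASS = 0x08  # USB class code: mass storage
ATTRS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

# Constructed sample: device name -> (product string, interface triples).
SAMPLE = {
    "1-1": ("Constructed Flash Drive", [(0x08, 0x06, 0x50)]),
    "1-2": ("Constructed Flash Drive", [(0x03, 0x01, 0x01), (0x08, 0x06, 0x50)]),
    "1-3": ("Constructed Desk Keyboard", [(0x03, 0x01, 0x01)]),
}


def read_text(path, default="unknown"):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default


def load_devices(root="/sys/bus/usb/devices"):
    """Map device name -> {"product": str, "interfaces": [(class, subclass, protocol)]}."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:       # interface entries look like "1-2:1.0"
            continue
        dev = entry.split(":", 1)[0]
        try:
            triple = tuple(
                int(read_text(os.path.join(root, entry, name), ""), 16)
                for name in ATTRS
            )
        except ValueError:         # attribute missing or unreadable
            continue
        product = read_text(os.path.join(root, dev, "product"))
        info = devices.setdefault(dev, {"product": product, "interfaces": []})
        info["interfaces"].append(triple)
    return devices


def classify(interfaces):
    """Summarise what a device claims to be from its interface triples."""
    classes = {cls for cls, _, _ in interfaces}
    keyboard = any(
        cls == HID_CLASS and proto == KEYBOARD_PROTOCOL for cls, _, proto in interfaces
    )
    if keyboard and MASS_STORAGE_CLASS in classes:
        return "storage+keyboard"  # a "flash drive" has no reason to type
    if keyboard:
        return "keyboard"
    if HID_CLASS in classes:
        return "hid-other"
    if MASS_STORAGE_CLASS in classes:
        return "storage"
    return "other"


def review(devices, expected_keyboards=()):
    """Return (device, product, verdict) for devices that deserve a second look.

    A keyboard-only device looks the same as any real keyboard, so the caller
    supplies the device names of keyboards that are supposed to be attached.
    """
    findings = []
    for dev, info in sorted(devices.items()):
        verdict = classify(info["interfaces"])
        unexpected = verdict == "keyboard" and dev not in expected_keyboards
        if verdict == "storage+keyboard" or unexpected:
            findings.append((dev, info["product"], verdict))
    return findings


def build_sample_tree():
    """Write the constructed SAMPLE as a sysfs-like tree and return its path."""
    root = tempfile.mkdtemp(prefix="usb-sample-")
    for dev, (product, interfaces) in SAMPLE.items():
        os.makedirs(os.path.join(root, dev))
        with open(os.path.join(root, dev, "product"), "w") as fh:
            fh.write(product + "\n")
        for index, triple in enumerate(interfaces):
            iface = os.path.join(root, f"{dev}:1.{index}")
            os.makedirs(iface)
            for name, value in zip(ATTRS, triple):
                with open(os.path.join(iface, name), "w") as fh:
                    fh.write(f"{value:02x}\n")
    return root


if __name__ == "__main__":
    sample = load_devices(build_sample_tree())
    for dev, product, verdict in review(sample, expected_keyboards={"1-3"}):
        print(f"{dev}: {product!r} announces {verdict}")
```

The check only reports what a device declares about itself after it is connected, so it supports an inventory or investigation and does not replace the advice above.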
Another common attack involves public USB ports that, more and more these days, are found in cafes, airports, and hotels. While these may be convenient if you’re traveling and your phone’s battery is running low, you could be handing over your personal information directly to a malicious attacker. This type of attack works by modifying the port to include a device that will interact maliciously with your phone. A similar attack uses a malicious USB cable to steal private information.
To protect against attacks like these, never plug a phone into an unknown USB port and never use a charging cable that is not trustworthy. If you need to plug it into an unknown USB port, you can use a data blocker to prevent malicious devices from interacting with your phone. This data blocker works by not including the USB lines that transfer data in the port that connects to the suspicious device. It is important to plan ahead so that the next time you’re out in public and need a charge, you have your own charger or portable battery.
The bottom line is simple: all of us need to be wary of removable media that is not our own and take precautions whenever we’re plugging our devices into an unknown or, otherwise, suspicious USB port or charging station. If you want more information about these types of devices, Verizon and the National Cybersecurity Alliance also offer lots of great tips and best practices that you’ll find helpful.
Guarding Our School’s Digital Future: One Byte at a Time
Wednesday, August 16, 2023
As a superintendent, I am always concerned about safety and security. Traditionally, that has meant protecting our students and staff members from physical harm. Unfortunately, now, it includes something that might not be on everyone’s radar but is crucial in today's digital age: the protection of computer data in K-12 schools. Just as we lock our classroom doors and set alarms for our schools, we need to secure our digital spaces. Think about it: schools are treasure troves of sensitive information. From student records to faculty details, all of it is vulnerable without the right protection.
First and foremost, tackling this behemoth requires a team approach. We can't leave cybersecurity to a single person. Creating a leadership task force is essential. This should include the sharpest minds in our school community: technology directors, network administrators, system administrators. These are the folks that understand the intricate details of our school’s digital backbone and can devise a plan to safeguard it.
As we chart the course of securing our schools, we need to ensure support at all levels: hardware, software, people, and processes. It's like piecing together a jigsaw puzzle – all parts need to fit perfectly. And while doing so, we must ensure that our school environment remains just as welcoming and safe as before, not turning it into some high-security tech fortress that makes its use too cumbersome.
There is a lot to this effort and it sounds expensive. But here's the silver lining: there's help available. Schools can utilize state-funded grants to help invest in cybersecurity solutions like KnowBe4. And trust me, this is an investment that promises significant returns, not just in terms of data safety but in the peace of mind of parents, staff, and students.
One of the best roadmaps to follow for this journey is the 18 CIS Critical Security Controls. These controls are a golden standard in cybersecurity, a comprehensive guide to building a robust infrastructure. By adhering to these, we're not just throwing on a security blanket; we're constructing a digital fortress, brick by brick.
And, let's not forget the human element in all this. No matter how strong our walls are, there's always the risk of someone inadvertently leaving the gate open. To prevent this, it's imperative to run email phishing campaigns to educate and test staff on how to recognize threats. Additionally, routine tabletop exercises can simulate potential security scenarios, ensuring that when (not if) a threat occurs, our team knows exactly what to do.
Without question, the digital era has brought countless blessings to our educational system. But with these benefits come risks. Hence, the importance of guarding our school’s digital future, one byte at a time!
Press Your Luck – No Whammy, No Whammy…How a Game Show from the 80’s Got Our District Moving in the Right Direction for Data Privacy and Protection
Wednesday, August 9, 2023
By Dan Layton
If you read the title above and your mind instantly wanders to the corny animations of Whammy and Sammy stealing all the money from contestants on what was the most technically advanced gameshow in 1983, your mind works like mine, and you are probably wondering what a gameshow has to do with creating a robust data privacy and protection system for your school district.
Like many of you reading this post, I knew my district was taking several steps to ensure we protected the information we had collected. We only collected what we needed, we had a robust firewall, we had hired a good network team, we had an authenticated wireless network, and we, although most of us didn’t know it well, threw the acronym FERPA out there from time to time when it came to sharing information about our students.
There was obviously more to it, but all in all, nothing bad had happened and we were doing just fine as a district. We had gotten by with a less than stellar strategy: hope. We simply hoped nothing bad would happen that we would undoubtedly react to the best we could. We were not taking crucial preemptive steps to ensure privacy and protections. We had our oars in the water, but we were all rowing in different directions at different speeds. With the ever-evolving landscape of AI-enabled security threats and information protection, it became more and more evident to me, “Hope was not a strategy.” Hope was not going to train our staff and students, hope was not going to read privacy policies, hope was not going to negotiate contracts from a data protection perspective on behalf of our young learners. We simply needed something more, but what was it that we needed?
This brings me back to the gameshow. Michael Larson, an ice cream delivery man from Ohio, took the same “hope is not a strategy” approach after watching other contestants on Press Your Luck simply hope to avoid a whammy to win, “big bucks.” The game, if you have never seen it, consists of an electronic board with 18 shuffling electronic tiles of money and whammies. If you land on money, you collect. If you land on a whammy, you lose your money and your turn. Larson started to video record every episode and repeatedly play them until he eventually found a pattern in which tiles #4 and #8 always had big dollar amounts and extra spins, never a whammy. He taught himself how to consistently land on those two tiles. He then used what was left of his savings to buy a plane ticket to Los Angeles to try out for the show. He went to California with a strategy other than hope.
At the time of filming, the most money ever won on a gameshow was around $36,000. Michael Larson, with his preparation and strategy, walked away with over $110,000 in cash and prizes. Larson knew hope was not a strategy and he did everything he could to make sure he was ready for anything that came his way on the show. He would eventually take over 40 consecutive turns on the board without hitting a whammy, shattering the previous record of 8. At first CBS thought Larson had cheated and refused to pay up but, after review, realized he had simply put in the work and beat what they thought was a foolproof system.
The lesson from Press Your Luck is a mirror for all of us, as we journey through the digital realm and create a learning environment that is safe, secure, and trusted by our students, staff and community of stakeholders. We can hope or we can prepare. Lucky for us, the blueprints for preparation have already been developed by many groups from CoSN’s Trusted Learning Environment, the Indiana Executive Council of Cybersecurity (IECC) to best practices from the MS-ISAC.
I knew the trajectory we needed to take. I knew we had to start with step one of this strategy; we had to create urgency around data privacy and protection with key decision makers and those on the front lines. Luckily, I had a great story to tell about Michael Larson and a game plan for how we would accomplish our goals of ensuring we could run school and protect the data of our students and staff.
SCHOOL’S IN: STAYING SAFE ONLINE IS WHAT EDUCATION IS ALL ABOUT
Wednesday, August 2, 2023
By Brad Hagg
As students are preparing to transition back to school for the 2023-2024 school year, it’s a great time to reflect on not only the incredible digital tools that they are using to accelerate learning each day, but also how important it is that students are making wise choices when using these powerful solutions.
First, students and caregivers should be very careful about what information they are sharing and with whom they are sharing it. As families complete registration processes all over the state, it would be very easy for a cyber threat actor to imitate school personnel or send messages to steal valuable personal or financial information.
If you receive an unsolicited request for personal information or a form of payment, reach out to your school through a separate phone call or email before sharing any information to confirm that it is, indeed, your local school making the request.
Next, it is important to remind students to practice excellent digital citizenship when engaging with others online. A good rule of thumb for students (and for everyone) is to ask yourself if you would say what you’re about to type or text if the person was standing right in front of you. Another good tip is to ask yourself if you would make the post if you knew a grandparent was going to read it.
Just like we tell our children not to talk to strangers, students shouldn’t have an online conversation unless they are absolutely sure they know who they are talking to, and that it is someone they trust. Students should always show any message that seems strange or offensive to an adult that cares about them. Online predators may threaten to hurt relatives of a student they are talking to if the student discloses the conversation. They may also threaten to disclose embarrassing or uncomfortable information about the student. We should make sure that students understand that these situations are definitely when they need to reach out to a trusted adult for help. Talking about situations like these with students before they occur helps us prevent them from causing harm.
When family members communicate openly with each other and plan ahead for how to use these digital tools, they can build some excellent memories and be positioned for a great year of learning! For more tips, don’t forget to take a look at all of the incredible resources in the NEW Cybersecurity for Education Toolkit 2.0. Download it today!
Why Is Cybersecurity Essential For Local Businesses?
Wednesday, July 19, 2023
PERSPECTIVES FROM THE CAMPUS
One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name “Perspectives From the Campus Series”: we invite experts -- immersed in the pursuit of educating their students -- to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.
In the first installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, shares his perspective on why cybersecurity is an essential tool for local business owners.
By David Dungan
The world is digital. Present-day business infrastructures depend on technology that provides simplicity but may be easily exploited. Small businesses are subject to cyberattacks, usually due to deficits in their security infrastructure.
The Cybersecurity & Infrastructure Security Agency (CISA) stresses that small businesses have valuable information, such as health, financial, and personally identifiable information on employees and financial data of customers. Small businesses are usually more vulnerable and at higher risk of cyberattacks than larger firms because they have fewer resources for cybersecurity.
Small businesses should upgrade their security infrastructure to decrease the odds of a successful cyberattack.
Cyberattacks are usually viewed as external threats, but this may not always be the case. Most cyber-related incidents actually occur within the company itself, whether on purpose or by accident. International Business Machines (IBM) classifies these threat actors into four different categories:
- The Pawn is an innocent employee, unaware of the implications of their digital actions. Essentially, this employee could be easily duped by outside threats. If they were to receive an inauthentic email from their district manager, asking for personally identifiable information, this employee will mistakenly send the requesting entity the information asked of them.
- The Goof is an employee that does not properly follow company security protocols. This individual may enter restricted parts of the company, or they may take their work home, risking the exposure of business information to outsiders.
- The Collaborator is the “undercover employee.” This employee has ulterior motives, which mainly involve working with other organizations that may be competitors.
- The Lone Wolf is the employee who works alone against the company, perhaps for financial gain or malicious intent. The situation becomes worse if this person has an elevated privilege level and access.
Common Cyber Threats to the Workplace
(World Economic Forum, 2017)
How Can Local Businesses Start Preparing?
There are a variety of ways an organization can start improving its security infrastructure, including:
- Employ qualified cybersecurity professionals
- Utilize identification cards
- Install/Upgrade security cameras if they are more than five years old
- Assess the cyber awareness of employees on a regular basis
- Update staff on any new hires
- Define company limitations and designate no-access/restricted zones
There is always more an organization can do to improve its security capabilities. It is great to have security procedures in place, but those protocols must be continuously revised and updated to ensure a secure working environment.
There is no way to guarantee against a cyberattack, but businesses can upgrade their security posture, making it more difficult for attackers to access and breach their assets.
Plan for the Inevitable: The Importance of Cyber Response Plans
Wednesday, July 12, 2023
By Joel Thacker
Cybersecurity threats have become an increasingly pervasive concern in today's digital landscape. The ever-evolving nature of cyber threats necessitates a proactive and comprehensive approach to protect critical infrastructure and sensitive data. Cyber incidents can range from data breaches and network intrusions to ransomware attacks and beyond. The consequences of these incidents can be devastating, leading to financial losses, reputational damage, and disruption of essential services. By having a well-crafted Cyber-Incident Response Plan (CIRP), organizations can better prepare, respond, and recover from such incidents.
One key aspect of a CIRP is establishing clear roles and responsibilities for incident response. This ensures all stakeholders understand their roles and can swiftly and effectively respond to cyber incidents. Organizations can minimize confusion and improve coordination during high-pressure situations by defining these roles in advance. CIRPs should also include a robust communication strategy outlining how the information will be disseminated internally and externally during a cyber incident. Timely and transparent communication is crucial to maintaining public trust and confidence and mitigating the potential impact of the incident. Of course, all plans should have alternative methods of communication should technology be temporarily interrupted.
Prevention is always better than resolving after the fact, and a well-designed CIRP should prioritize proactive measures such as continuous monitoring, vulnerability assessments and threat intelligence sharing. By implementing strong cybersecurity controls, organizations can detect and address potential vulnerabilities before they are exploited, reducing the likelihood and impact of cyber incidents.
The evolving nature of cyber threats requires organizations to regularly update and test their CIRPs to ensure their relevance and effectiveness. Cybersecurity is rapidly changing, and organizations must stay informed about emerging threats, trends, and best practices. Regular reviews and updates to the CIRP help address new challenges and incorporate lessons learned from previous incidents.
In today's interconnected world, a cyber incident can have far-reaching consequences. A robust Cyber Incident Response Plan is paramount for organizations to effectively mitigate risks, respond promptly and recover swiftly from cyber incidents. The Indiana Department of Homeland Security encourages all organizations, regardless of size or sector, to prioritize developing and implementing a comprehensive CIRP. By doing so, we can collectively strengthen our cybersecurity posture and safeguard our critical assets from evolving cyber threats.
You can access a host of critical resources by visiting the Indiana Cyber Hub at in.gov/cybersecurity.
Make the Call: Celebrate National Cell Phone Courtesy Month by Protecting Your Mobile Security
Wednesday, July 5, 2023
Welcome to National Cell Phone Courtesy Month! As we celebrate the benefits and convenience of mobile technology, it's crucial to also address the challenges and risks that come with it. In this digital age, cyber scams have become increasingly prevalent, targeting unsuspecting individuals through their cell phones, smart phones and mobile devices. As we highlight cell phone courtesy, let's also explore the importance of staying vigilant and safeguarding ourselves against cyber scams, defining some of the cyber jargon you’ll hear, and learning exactly what these different attacks mean.
Phishing Attacks
Phishing has been around since the early e-mail days, as far back as the mid-1990s. Today, phishing attacks have become among the most dangerous forms of what we consider to be a cyberthreat. In fact, 36 percent of all security breaches begin with a phishing attack. Mobile phone users are most often at risk from these attacks because of the ease of access that comes with using these types of devices. Scammers send text messages or emails that appear to be legitimate, impersonating real people and organizations (or both), and request personal information. This can include everything from an email (or text message) letting you know that you have a package that’s being delivered (when you haven’t ordered anything) to something such as an email with a confirmation from PayPal (involving a transaction you didn’t make). All of it looks to be surprisingly real. However, when you click on the link and/or enter your information, your money and your personal information are instead headed into the hands of a cybercriminal as part of a scam.
To protect yourself, here are some helpful tips to keep in mind, including:
- Being cautious of unsolicited messages. Be skeptical of any message asking for personal information or urging you to click on a suspicious link.
- Verifying the sender's legitimacy. It’s always a good idea to contact the organization directly using their official website or contact information to confirm the authenticity of the message.
- Installing anti-phishing software. There are apps for your phone or mobile device that can help protect you from phishing attacks, easily found by searching ‘anti phishing’ on the app store.
Fake Apps and Malware
Fake apps and malware pose a significant threat to mobile phone users. Cybercriminals can create their own apps that look very similar to the real deal. To avoid falling prey to a hoax:
- Stick to legitimate app stores: Download apps only from trusted sources, such as Google Play Store or Apple App Store.
- Read reviews and check app permissions. Before downloading an app, read user reviews and verify the permissions it requires.
- Install reliable mobile security software. Be sure to invest in a reputable antivirus or security app (that’s within your budget) that scans for and prevents the installation of malicious apps.
Vishing
Vishing, or voice phishing, involves scammers making phone calls impersonating representatives from banks, government agencies, or other organizations (including non-profits) to extract personal information. Protect yourself from vishing attacks with these precautions:
- Be cautious of unsolicited calls: Don't provide personal information over the phone unless you initiated the call or can verify the legitimacy of the caller.
- Verify caller identity: Ask for the name, department, and contact number of the caller. Then independently contact the organization to verify their authenticity.
- Register your number on the National Do Not Call Registry: This can help reduce the number of unwanted telemarketing calls.
- Remember, a verified organization, such as a bank or a credit union, will never ask you to read out a credit card number, social security number, or other sensitive information over the phone.
As we embrace National Cell Phone Courtesy Month, let's prioritize our digital well-being and protect ourselves from cyber scams that target mobile phone users. By being vigilant, following best practices, and staying informed about the latest scams, we can minimize the risks associated with mobile technology.
Together, let's make cell phone courtesy about more than just politeness; let's make it about security and ensuring our digital experiences are safe and enjoyable. Stay cautious, stay informed, and enjoy the benefits of your cell phone responsibly!
Happy National Cell Phone Courtesy Month!
Fun, Friends, and Firewalls: Celebrate National Social Media Day with Secure Sharing
Wednesday, June 28, 2023
Today, social media is a large part of all of our lives. It allows us to connect with others, share our stories, and express ourselves. However, with the large reach of social media, it’s very important to prioritize our safety and protect ourselves from various dangers. This week, as we celebrate National Social Media Day on June 30th, it’s a great time to explore and share with you some helpful tips and strategies to keep yourself safe in the digital realm.
- Guarding Personal Information: One of the best ways to keep yourself safe is to carefully manage your personal information. It’s always a good idea to avoid putting sensitive information online, including your home address, phone number, and/or any financial information. The Department of Justice cautions that sharing sensitive information with people you don’t know personally is one of the biggest risks to your security online. Also, be sure to restrict what apps can see using privacy settings; that’ll help in keeping your data more secure.
- Using Strong and Unique Passwords is one of the fundamental steps to keeping yourself safe on social media and making sure your accounts are protected. Having the same password over multiple sites, using passwords that are common, and not utilizing a good combination of numbers, upper and lower case letters, and symbols puts you at risk of losing control of your account, and giving a cybercriminal access to sensitive information.
- Stranger Danger and Parental Controls: Be sure to look into the parental settings for your accounts, and make sure you have careful control over who can see what your kids and teens are posting. Be careful, too, sending messages to accounts you don’t know well and be mindful of whose friend requests you accept. It’s important that your children understand and are aware of the dangers of strangers online and how to keep themselves safe as well.
- Think Before You Share: When you post, consider the potential consequences. Be careful of what’s in the background of pictures, opinions that you’re making public, or if there’s any information in your post that could give a stranger or someone who “claims” to be your friend an opportunity that could hurt you. For example, making sure that a picture of a new car doesn’t show the license plate is good cybersecurity practice. If that post is public or gets outside of your circle of close friends, anybody can use it to identify you and your address in most states.
- Cyberbullying and Online Harassment: Try as they might to apply standards for the content that’s posted, social media sites contain lots of messages and posts that are intended to harass people. Limiting who can see each post you make is a good preventative measure, but utilizing the ‘block’ function to stop interacting with someone who is causing you stress is an important countermeasure to keep in mind. Support platforms on the sites can also help out; they allow you to reach out to the platform’s administration and report the person, making it beneficial for everyone.
- It’s OK to be Skeptical: Hackers use benign and unassuming attacks to get access to your data. For example, QR codes have been efficient and even fun ways to share things with customers and friends in public. However, since humans can’t check where the QR codes will actually take them before they scan them, there can be malware that’s dangerous if it’s downloaded to your phone. The FBI is warning citizens about criminals putting malicious codes over real ones. Being extra careful and practicing a healthy amount of suspicion for things online and relating to your online devices is a great way to keep yourself safe.
By staying safe whenever you’re online, National Social Media Day is a cause for celebration and connectivity with loved ones and your shared experiences. Enjoy!
It’s Not Goodbye, It’s See You Later
Monday, June 19, 2023
When I started my role as Cybersecurity Program Director for the State of Indiana, I started with an Executive Order from the Governor and a blank piece of paper.
Skip forward 6+ years and now we have two comprehensive (and successful) strategies and a highly visited cyber hub website with a multitude of easy-to-use cyber resources that are focused and used by a number of sectors and businesses who need the help.
How were we able to accomplish all of this? It was through the efforts of the dedicated members of the Indiana Executive Council of Cybersecurity, who have all donated hundreds of hours and millions of dollars in the way of expertise, services, and resources for the benefit of all Hoosiers, governments, and businesses.
It has been an amazing 6+ years serving the State of Indiana in this role. And while today will be my last day with the State of Indiana after 15 years of service, I am so excited to continue serving Hoosiers in my new role with USDHS CISA. The best part of my new role is that I’ll be able to continue my work in cybersecurity to help Hoosiers, in a federal capacity, as the first cybersecurity state coordinator for Indiana with the USDHS Cybersecurity and Infrastructure Security Agency (CISA).
As I look back over my years in this role and my philosophy on this blog, I’m happy to know that many of our readers have provided feedback that has only reinforced things about cyber that I think are missed by the movers and shakers of our world, such as:
- Cyber can be fun! National Selfie Day? National Hug Your Pet Day? Why not connect that to cyber? There is no reason to just focus on the doom and gloom of cyber all the time. I know for me, I learn better when training makes me laugh. I learn better with cartoon illustrations and metaphors. We have been able to accomplish this not just with our blog, but our social media as well.
- Cyber can be simple. A famous Einstein quote that has been at the heart of my core work philosophy since college is “Out of clutter, find simplicity.” I am always leery of anyone in cybersecurity who can only explain something in a very technical way. I truly believe that if someone understands something, he/she should be able to explain it in layman’s terms. Cybersecurity sounds scary, but it can be demystified.
- Cyber is very personal. I truly believe that if we only focus on our organization’s interests then it will take 100 times longer for people to understand that good cyber hygiene is not only important to keep an organization secure, but (more importantly) it is important to keep YOU and YOUR family safe. Beating the drum on losing weight to help lower the cost of an insurance premium will never get me to eat healthier, BUT if you talk to me about how losing weight will improve my quality of life and allow me to see my grandkids, NOW you have my attention. Talking about cybersecurity shouldn’t just be focused on protecting our state or local government, it should also focus on our homes and families.
Now the great thing is that we have many guest bloggers in the coming months who will keep the blog going. I would be remiss to not call out our amazing communications manager, David Ayers, who is the backbone of our website and communication channels. His dedication will keep important information coming your way, even with me gone. If you have any ideas, don’t hesitate to contact him at dayers@iot.in.gov.
I am truly looking forward to being out and about more with the local governments, organizations, and individuals who want to learn how to better protect themselves, their communities, and our state. So, this is certainly not goodbye by any measure. You will see me around Indiana, and I will always be happy to help in any way I can.
Continue to follow my cybersecurity journey on LinkedIn and/or Twitter.
Cybercrime in the Real Estate Market: Protecting Yourself as a Seller or Buyer
Wednesday, June 14, 2023
June is National Homeownership Month, and whether you’re a Hoosier homeowner, or you’re looking to buy or rent, there are a few things to keep in mind to make sure that your experience is safe and secure.
Houses are expensive, so the profits for cybercriminals are ripe. No matter whether you’re buying or renting, there are some online scams you’ll want to avoid that could cost you thousands of dollars.
Recently, a couple in California, looking to rent a home, found a property on Facebook. It seemed great, except that the property was not for rent. The real owners had no idea that the property was on the market and the fake landlord had gotten the pictures of the inside of the home from Zillow. Luckily this couple went to the property and knocked on the door, saving themselves thousands.
The FBI routinely provides information warning American families of homeowner scams. In 2021, real estate-related cybercrimes increased a staggering 64 percent compared to 2020.
Wire fraud is just one of the other types of scams out there relating to the real estate sector. Some 13,500 people fell victim to this type of scheme, costing them more than $213 million. All too often, scammers will try to sell a property they don’t own, such as what happened with the couple from California.
As a homeowner, you can search for your own property online right now on sites like Facebook Marketplace or Apartments.com to see if someone is trying to list it as their own and report it. As a buyer, be sure to read through the contracts carefully to protect yourself and your investment. It could save you from such things as a lockout clause, and doing your due diligence could help you avoid sending money to a scammer.
When it comes to agreeing to a wire transfer of funds, the American Land Title Association (ALTA) recommends all homebuyers and sellers double check all wire instructions with the title company. Each wire should be verified in person or on the phone with an authorized company representative. The ALTA website also features a brief video with additional information on ways to properly secure your property against other types of scams.
When it comes to reporting these types of scams, you can contact the FBI. If it involves a fraudulent rental listing, the Federal Trade Commission offers resources that can help you.
Best of luck in your journey to securing a home that’s truly your own!
WAIT UNTIL YOU’RE HOME TO SHARE THOSE VACATION PHOTOS
Wednesday, June 7, 2023
Summer is finally here! It’s time for a vacation for a lot of Hoosiers, wherever that might be.
Whether you’re a family of five, traveling with friends, or it’s just the two of you getting away for the weekend, there are some steps you can take to protect yourself from being the victim of a cybercrime (or a break-in).
And it starts by not sharing the details of your getaway with everyone on social media while you’re out having fun.
Vacations are one of those things we want to share with our family and friends: everything from what we’re planning and when we’re leaving to where we’re at and all the fun we’re having. In that moment, we don’t always realize that those posts can get out to the wrong people, and that they tell the world that no one’s at home.
According to the FBI, most burglaries happen between June and August and roughly half of those are committed by someone who knows the victim. A lot of that comes from the fact that close to 40 percent of the people who are on vacation are posting about it before the trip is over.
Of course, as with a lot of things, there are some steps you can take to protect yourself before you leave and there are a few ways that’ll help you stay safe online during your trip, including:
- Never Posting Your Upcoming Travel Plans -- As tempting as it may be, the worst thing you can do is post details of any upcoming travel plans. First, you’ll be giving thieves a heads-up as to when you’ll be gone, and second, they could be waiting for you when you arrive on vacation. Only your closest friends and family should know (offline) about your travel plans.
- Waiting Until You’re Home to Do a ‘Photo Dump’ -- It’s a good idea (once you start sharing some of your memories) to mention the vacation is over and that it’s good to be back home.
- Disabling Geolocation Tags on Your Posts -- Being less specific and providing less information also makes it a little safer to share (anything not related to your trip) on Instagram or Facebook.
- Don’t Tag Other People -- If you return from vacation early and your friends, or anyone you were traveling with, are still gone, be sure that you don’t tag them in any photos or status updates.
  - Wait until everyone is back home and then tag them (if they want to be tagged).
  - Additionally, enable the Facebook tag review feature if you don’t want to be tagged in photos or want to approve any tag before something is posted.
Even with the best approach, the other reason for being cautious when you’re online is that there are people who might be described as a “friend of a friend”: someone you might not know at all, or have never met, who’s not SO good and is the one who breaks into your home. Members of law enforcement have reported how this can happen. So much so that when some would-be burglars have been apprehended, they admitted knowing that the person who was targeted was on vacation.
If you have a need to share, I get it; sometimes we need to stay in touch with our family or close friends while we’re traveling. There are a couple of things you can do. On Instagram, you can create a close friends list, so that whatever you share is seen only by those you trust. You can also do the same thing on Facebook. The other option is to go offline and create a group text and share your photos and what you’re doing as a way to stay connected. I’ve found, too, that when I get back home, I’m able to create a journal that provides some great vacation memories!
Stay (cyber) safe out there and have fun!
The Attack on Colonial Pipeline: What We’ve Learned & What We’ve Done Over the Past Two Years
Wednesday, May 31, 2023
Reprinted with the permission of the Cybersecurity and Infrastructure Security Agency (CISA), today’s blog first appeared on CISA’s website in a bylined piece, published on May 7, 2023, by Jen Easterly, who serves as the Director at CISA, and Tom Fanning, who is the Chairman and CEO of Southern Company and serves as Chair of CISA’s Cybersecurity Advisory Committee.
By Jen Easterly and Tom Fanning
Today marks two years since a watershed moment in the short but turbulent history of cybersecurity. On May 7, 2021, a ransomware attack on Colonial Pipeline captured headlines around the world with pictures of snaking lines of cars at gas stations across the eastern seaboard and panicked Americans filling bags with fuel, fearful of not being able to get to work or get their kids to school. This was the moment when the vulnerability of our highly connected society became a nationwide reality and a kitchen table issue.
The good news is that since that event, the Biden-Harris Administration has made significant strides in our collective cyber defense, harnessing the full power of the U.S. government to address the full spectrum of the threat. At the Cybersecurity and Infrastructure Security Agency (CISA), we have been laser focused on improving resilience across our Nation’s critical infrastructure. Recognizing that organizations need a simple way to access actionable and timely cybersecurity information, we developed stopransomware.gov to provide a central location for alerts and guidance for businesses and individuals. Recognizing that only cohesive collaboration across government will scale to meet the threat, we launched the Joint Ransomware Task Force with our FBI partners to orchestrate the federal government’s response to the epidemic of ransomware. And recognizing the need to bring together industry, government, and internal partners and tear down siloes that create gaps for the adversary, we established the Joint Cyber Defense Collaborative (JCDC) — a concept born out of the U.S. Cyberspace Solarium Commission on which one of us served as a Commissioner — to catalyze a community of experts on the front lines of cyber defense — from across the public and private sectors — to share insights and information in real time to understand threats and drive down risk to the nation.
Since its establishment, the JCDC led the national response to one of the most extensive software vulnerabilities discovered; played a central role in CISA’s Shields Up campaign to protect critical infrastructure from potential Russian cyber-attacks; and, along with our partners at the Transportation Security Administration (TSA), brought together more than 25 major pipeline operators and industrial control systems partners to strengthen security practices to safeguard the operational technology networks critical to pipeline operations, efforts that complement the Security Directives TSA issued in the aftermath of the attack on Colonial Pipeline. Separately, with the support of Congress, we expanded our capability known as “CyberSentry” which enables heightened visibility into and more rapid detection of cyber threats that could target our nation’s most critical operational technology networks. Finally, we worked to help organizations of all sizes and skill levels prioritize the most impactful cybersecurity investments with the introduction of cybersecurity performance goals, or CPGs.
While we should welcome this progress, much work remains to ensure the security and resilience of our critical infrastructure in light of complex threats and increasing geopolitical tension. The U.S. Intelligence Community issued a stark warning of a potential future in its recent Annual Assessment, noting that “If Beijing feared that a major conflict with the United States were imminent, it almost certainly would consider undertaking aggressive cyber operations against U.S. homeland critical infrastructure…China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.”
We cannot afford to dismiss this warning. We must do everything today to be prepared for such a scenario. First, we must ensure that the technology that underpins the services that Americans rely on every hour of every day is safe and secure. For too long, we have sacrificed security for features and speed to market, leaving us increasingly vulnerable, with the burden of security placed on those least able to bear it. As listed in one of the core pillars in the President’s National Cyber Strategy, we need security to be built into the creation of new technology—as a foundational imperative—rather than bolted on at the end requiring continuous security updates from consumers.
Second, we need to prioritize cybersecurity at the highest levels. The days of relegating cybersecurity to the CIO or the CISO must end. CEOs and Boards of Directors must embrace cyber risk as a matter of good governance and prioritize cybersecurity as a strategic imperative and business enabler.
Third, we must continue to invest in the JCDC model of persistent and proactive operational collaboration between government and industry where the default is to share information on malicious cyber activity, knowing that a threat to one is a threat to all.
Finally, we need to normalize cyber risks for the general public with the recognition that cyber-attacks are a reality for the foreseeable future. We cannot completely prevent attacks from happening, but we can minimize their impact by building resilience into our infrastructure and into our society. We need to look no further than our Ukrainian partners for an example of the power of societal resilience.
These changes are not easy, but we need to hold ourselves accountable to the hard lessons learned from two years ago. Are we going to make the choices that will lead us to a secure, resilient, and prosperous future or are we going to allow inaction to dictate a future in which our national security and our way of life hang in the balance? We have proven that it can be done but only if we act now…together.
Older Americans and Cybersecurity: It’s More Important Than Senior Coffee
Wednesday, May 17, 2023
Here in Indiana, when it comes to the month of May, there’s a lot going on.
- You’ve got kids of all ages, teenagers, and young adults, too, finishing the school year and moving on to the next stage of their life.
- Couples are headed down the aisle and, seemingly, almost all of us know someone who’s getting married. Am I right?
- And, of course, at the end of the month, everyone (regardless of where we’re at) will be celebrating being “Back Home Again in Indiana”. By then, you’ll be one of the more than 350,000 people at the track to experience the “Greatest Spectacle in Racing”. Or you’ll be kicking off your Memorial Day weekend with a picnic or party of your own.
Regardless of where in the Hoosier state we’re at, some of the people who’ll be with us for that grad party, or who will be gathering together, as friends, to share each other’s company for yet another trip to the Indianapolis 500 (that always begins with a cup of that much-appreciated senior coffee), are why we have another reason to celebrate the month of May: it’s Older Americans Month.
OK, it’s fair to say that you might not have had that one on your calendar. But I think you’ll agree that it’s important, and some of the “why” that’s true might surprise you (HINT: it involves cybersecurity).
One of the ways, every day, we pay tribute to older people is by helping to protect them, especially as it regards their personal and financial information when they’re online. Cybercrime cost Americans over the age of 50 nearly $3 billion last year and that’s an increase of 62 percent from 2020, according to the FBI’s 2021 Elder Fraud Report.
In fact, the number of victims could be much higher, as seniors are also less likely to report fraud, says the FBI. This is supported by figures from the Federal Trade Commission, which show that while 44 percent of younger people in their twenties reported losing money to fraud, only 20 percent of those who are in their seventies did the same.
The cyber-related risks show up in everything from fraudulent phone calls, phishing attempts in emails and text messages to social media messages and shopping scams and all of it is designed, specifically, to trick someone who’s older out of their savings.
To help keep that from happening, the National Council on Aging suggests there are four steps that seniors can take for improving their personal cybersecurity, including:
- Don’t click on links in emails from unfamiliar senders. Be wary of strange or unexpected messages, even if they’re from people you know.
- Don’t open any attachments unless you know the sender and were expecting them to send the information to you.
- Ignore any unsolicited phone calls and “robocalls.”
- Don’t respond to or click on pop-up windows on your phone or computer.
The FBI, Federal Trade Commission (FTC) and the Cybersecurity and Infrastructure Security Agency (CISA) offer a great deal of free resources to help you avoid being the victim of an online scam or identity theft.
If the worst happens and you believe that you’ve been the victim of a cybercrime, visit the Indiana Cyber Hub website and go to our “Report a Cyber Incident” page -- there you’ll find all of the steps you need to take to protect yourself and begin recovering.
Best of all, these resources are all FREE. That’s less than even the best deal you’ll find for that senior coffee!
Just What the Doctor Ordered: How Cyber is Protecting Healthcare
Thursday, May 11, 2023
When it comes to cybersecurity, hospitals, and health care organizations -- supported by the dedicated people, who work tirelessly to take care of all of us -- represent the very definition of critical infrastructure that exists within our communities.
As we prepare to celebrate National Hospital Week, it’s important to know that right here in Indiana, there’s a free-to-download resource -- Healthcare Cyber in a Box -- that is already making a difference when it comes to providing small- to medium-sized healthcare institutions with the ability to create more of the critical systems that are needed for keeping their operations secure. At the same time, it is helping to protect their patients and preserve both their digital, as well as physical, well-being.
The Healthcare Cyber in a Box Toolkit provides an organization with three levels of expert guidance -- basic, intermediate, and mature -- involving 10 critical areas of cybersecurity. This guidance also provides specific, actionable information on how a health care organization can address each area of concern, everything from email protections, system access and asset management to laptop and workstation protections, as well as information about what specific threats each of these areas seeks to protect against.
Created with the expertise of a group of cybersecurity and information security professionals, who work in the healthcare profession in Indiana, the Toolkit is part of an ongoing initiative to help educate and support all Hoosiers. It is also an example of the work that’s been achieved over the past six years by the Indiana Executive Council on Cybersecurity (IECC). The IECC is responsible for creating the cybersecurity policies and initiatives in Indiana, on behalf of all Hoosiers, businesses, and local government.
The initiative for bringing about these protections began in 2019, with the adoption of the Section 405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. The 405(d) Working Group and the Health Sector Coordinating Council, together with numerous provider, government, and industry volunteers, are to be commended for making this a reality.
At a time when all institutions face greater threats from cybercrime, it’s difficult for a lot of organizations to possess all of the necessary resources, when it comes to people, processes, technology, and the budgets, to establish even basic protections. For healthcare, this is especially critical, given the fact that hospitals, clinics, and doctor’s offices are responsible for maintaining and processing some of the most sensitive data, both as it relates to a patient’s personal and financial information, in addition to their medical records.
* * *
Another new cyber resource that’s available for healthcare pros is the “Cybersecurity for the Clinician” Video Series.
It is a free-to-download cybersecurity training video series that explains in easy, non-technical language the basics for how cyberattacks can affect clinical operations and patient safety, and how clinicians can do their part to help keep healthcare data, systems, and patients safe from cyber threats without losing time away from their patients.
Developed by the Health Sector Coordinating Council (HSCC), clinicians, students, professionals, and institutions with training programs are welcome and encouraged to download the series on YouTube or in eLearning format at: https://www.healthsectorcouncil.org/cyberclinicianvideos/. For a preview, go to: https://youtu.be/awIJ8kSP-Ak.
Just as we’re always searching for a cure to whatever it is that’s ailing us, it’s encouraging to know that we’ve got some talented and dedicated people, right here in Indiana, who are working on cybersecurity solutions to keep us all safe.
Cryptocurrency: A Different Kind of Coin Collecting
Wednesday, April 19, 2023
In case you missed it on the calendar, it’s National Coin Week!
OK, to be fair, unless you’re a numismatist, it’s not necessarily something that a lot of us might take the time to celebrate. That being said, it did get me to think about where we’re at, as a society, with how we’re using coins as a part of our everyday life, and how bitcoin -- also referred to as cryptocurrency or crypto -- fits into the conversation.
To begin with, if you’ve been to a concert or sporting event lately, you’ve discovered that the one thing you don’t have to worry about forgetting when you leave the house is cash. And it’s not because you don’t have any money to spend, rather it’s because the venue or stadium (even at a lot of local high schools) doesn’t accept it as a form of payment.
Instead, we now have to remember to stop at an ATM before we go anywhere and paying (for a lot of things) with the change we’ve saved up is not necessarily an option either, as a lot of businesses have decided to go “cashless”. They’ve discovered it’s easier for us to pay with a credit or debit card, or we pay online (using our phone or mobile device) with Apple Pay. There’s even “Kohl’s Pay” (which I’m told is not to be confused with Kohl’s Cash).
As all of this has been going on, cryptocurrency is continuing to emerge as one more way people and companies are using as a legitimate form of payment and/or as an investment.
If you’re wondering what kind of “coin” we’re talking about, consider:
- According to Pew Research, approximately 16 percent of Americans use cryptocurrency in some shape, form, or fashion and it’s estimated that almost 70 million people use Blockchain wallets worldwide to store their cryptocurrency.
- Between 2012 and April 2023, the price of Bitcoin has gained 127,310 percent (from $22 per USD for $1 million worth of the token to $28,030).
Of course, it’s important to keep in mind, as someone who works in cybersecurity, crypto is also regarded as the preferred method of payment cybercriminals use when demanding payment from small businesses and local government, even schools, as part of their committing a cybercrime, either by stealing data or money or both. According to the FBI, cryptocurrency investment fraud increased 183 percent from $907 million in 2021 to $2.57 billion in 2022.
If you’d like to learn more about cryptocurrency, including how it works and the types of scams to be aware of, visit the website for the Federal Trade Commission. It’s a good place to start to understand some of the basics, along with some of the risks.
Seeing how there’s approximately 22,932 cryptocurrencies worldwide, it’s safe to say it’ll be a little while yet before we stop collecting coins, or feel as though we need to trade in our piggy banks for a digital wallet that’s filled with all of our money.
Backing Up Your Data: More Than Just a “Plan B”
Wednesday, March 29, 2023
When it comes to our everyday life, there are always a few things that we know we need to do, but try as we might, even with the best intentions, we struggle with making the time to get them done (at least, like we should, right?).
One of the things that you could say fits into that category is backing up our data. And there’s a lot out there -- from everything that’s on our phones, laptops, and mobile devices, all the way down to the files we have at work and the precious photos we have saved, seemingly, everywhere!
Friday, March 31st is World Backup Day. It’s a perfect time to “celebrate” by making sure that just as we lock our doors at night, we’ve taken a few simple steps to protect ourselves digitally. For some, it’ll be a new experience, as 21 percent of people have not backed up all of the data on their computers. And even if you’re tech savvy, it’s important to keep in mind that nearly 30 percent of data loss cases were caused by accident.
That being said, here’s five great tips to help protect your data, including:
- Set it and forget it. Cloud-based storage and external hard drives both give you the option to set up automatic data backups on a recurring basis. This way, even in case of emergency, you won’t have to worry about the last time you backed everything up.
- Redundancy is key. Having your data stored in multiple storage spaces will keep it more secure, especially if one storage space fails. (For example, if your external hard drive is lost or broken or you don’t have the internet to access your cloud data.)
- Choose the right option for you. There’s no one-size-fits-all approach when it comes to data backup.
  - External hard drives are a physical unit you plug directly into your computer. They’re relatively inexpensive, and they can be used with a variety of devices so you can access your data from anywhere.
  - Cloud-based storage, meanwhile, is completely digital. It can be used across multiple devices, and there are even some free options highlighting some of the best practices to follow.
- Protect against cyberattacks. Unfortunately, the increase in technology use has also caused an increase in cybercrime. Backing up your data helps secure your information if your device becomes compromised. Additionally, you’ll want to make sure you’re running the latest antivirus software on all of your devices and systems (if you’re at work).
- Don’t be afraid to ask for help. Data backup can be overwhelming, especially if you’ve never done it before. However, it’s important to take these steps before it’s too late. If you’re unsure of what you’re doing, reach out to that tech-savvy friend for help. There are also a lot of resources online, in the way of tutorials, that you can download or use as a guide. And in case you need it, there are also some data recovery software tools that are free to use.
Who knows, with a little work, here and there, backing up your files will give you an opportunity to enjoy all over again (and keep secure) some of those precious photos!
Protecting Your Credit is Easier Than Filling Out Your Bracket
Wednesday, March 22, 2023
It’s safe to say that National Credit Education Month isn’t likely to generate the kind of excitement a lot of us experienced last week, as we filled out our brackets for “March Madness” (especially as we were trying to figure out which of the #13 seeds were going to pull an upset, right?).
But it’s important for you to know that when it comes to protecting your identity and managing your money (especially when you’re online), you’ll want to follow a good game plan, because cybercriminals are out there using a full-court press to try and get you to commit some costly turnovers.
According to the FBI’s Internet Crime Report 2022, 800,944 complaints of cyber-crime were reported to the FBI by the public -- a five percent decrease from 2021 -- but the total potential loss increased from $6.9 billion in 2021 to more than $10.2 billion in 2022. Here in Indiana, in 2022, there were 11,682 complaints, with losses totaling $73.6 million.
Fortunately, there are some great (and FREE) resources Hoosiers can use to help stay safe, including the Consumer Protection Division of the Attorney General’s Office -- featuring a variety of interactive tools on its website to help protect you from being a victim of identity theft. And while it’s true that you cannot avoid the risk completely, you can benefit from using some of the resources that are out there to protect yourself and learn more about what you can do to educate yourself and your family.
If you need assistance, the Attorney General's Identity Theft Unit provides investigative services to help in the prosecution of identity thieves. The Identity Theft Unit is committed to reducing incidents of identity theft around the state by providing free educational resources, as well as information on how to “freeze” your credit and block unwanted calls from telemarketers. The site also offers links to information from the Identity Theft Resource Center, including the steps you can take to recover your identity, as well as protect your business.
Because cybercrimes also involve different forms of cyber incidents and cyberattacks (such as ransomware, malware, and denial of service, among others), as well as fraud and other violations of privacy, you’ll want to be sure and visit some of the other pages on this website -- known as the Indiana Cybersecurity Hub -- including the steps you need to take if you have to report that you’ve been the victim of a cybercrime, as well as the information you need to share if you work in local government.
Another resource (also FREE) is the Federal Trade Commission. The site offers everything from helpful tips on how to protect yourself against identity theft to knowing how to tell if someone has stolen your identity.
At a time when it can take less than a minute to withdraw money from an ATM or transfer thousands of our hard-earned dollars electronically, you might be interested to know that credit is something that was first used in the 1520’s -- defined as a term that came with a mix of different origins, including “belief, trust” and was also described as “a loan, [a] thing entrusted to another”, as well as a past participle of credere "to trust, entrust, believe".
Whatever the circumstance that you find yourself in, it’s good to know that there’s help out there to keep who we are - along with our credit - safe and secure, and that’s still got to be easier than figuring out who’s going to win all of these basketball games!
Toolkit Offers Hoosier Small Businesses Free Cybersecurity Resources to Stay Protected
Wednesday, March 15, 2023
We hear the stories all the time, but most people think “that would never happen to me” or “I’m not important enough to be hacked”. Cybersecurity threats are very real for any business – but small businesses are increasingly big targets for cybercriminals. Verizon’s 2021 Data Breach Investigations Report shows that 46% of data breaches impacted small and midsize businesses (defined as businesses employing fewer than 1,000 individuals). So even small businesses need to be aware of their cyber risk!
What makes a small business a target? They have valuable data! Do you take payment via credit card? Do you allow for bank payments? Do you have business information for partners, suppliers, buyers, etc.? Small businesses collect a lot of very valuable data without even thinking about it. As businesses increase their digital footprint, pivot to more online sales, or store more customer or business data, this threat will continue to grow.
Small businesses are highly vulnerable to cybersecurity threats, as they often lack the resources and expertise to implement robust security measures. But the repercussions for cybersecurity threats are large:
- Disruption of Operations: A cyberattack can disrupt the operations of a small business, leading to downtime and loss of productivity. This can have a severe impact on revenue and can cause delays in fulfilling orders.
- Damage to Reputation and Customer Following: A data breach can easily damage the reputation of a small business. Customers may lose trust in the business and may choose to take their business elsewhere. Small businesses can also lose access to their social media platforms, ruining their digital profile and losing their earned customer following.
- Legal Liability: Small businesses can face legal action if they are found to be responsible for a data breach. They can be held liable for damages resulting from the breach, including compensation for the affected parties, regulatory fines, and legal fees.
- Compliance Issues: Small businesses that handle sensitive data are required to comply with certain federal regulations. Failure to comply with these regulations can result in penalties and fines.
Cybersecurity threats can have a significant impact on small businesses. It is essential for small business owners to take proactive steps to protect their businesses from cyberattacks.
Understanding your small business’ cyber vulnerability and mitigating cyber threats are not easy tasks. But putting in the effort now to protect your business is worth it! The Indiana Economic Development Corporation’s (IEDC) Small Business Development Center program offers a no-cost, ready-to-implement toolkit to provide Hoosier small businesses with easy-to-understand and ready-to-use resources that can help avoid or reduce the impact of cyber incidents. The IEDC engaged the Global Cyber Alliance to create a unique toolkit for Indiana small businesses interested in understanding the basics of cyber hygiene and mitigating cyber risks, as well as finding organizations to help with training and cybersecurity implementation.
The Indiana Small Business Development Center also offers no-cost business advising, training, referrals, and a library of cultivated tools and resources to help a business succeed, from startup through to sale or retirement. You can find more information on the cybersecurity resources available through the Indiana SBDC program here or visit any of the 10 regional offices located throughout the state.
Celebrating International Women’s Day: Lifting Up the Next Generation of Women in Tech in Indiana
Wednesday, March 8, 2023
By Lieutenant Governor Suzanne Crouch
Although half of Indiana’s workforce is female, just over a quarter of the people performing tech jobs are women, the 4th largest tech worker gender gap in the nation.
Some may see this as a bleak statistic, but I see it as an opportunity for our state to grow and position itself as the perfect place for women to begin their tech careers.
According to the Girl Scout Research Center, 74% of teenage girls are interested in pursuing a career in STEM. In just a couple of years, they will be ready to step into the workforce of this currently male dominated field. And once they do, it is important that we attract them to Indiana.
Enticing people to our state starts by reminding people of all the unique opportunities and activities available in Indiana. As Lieutenant Governor, I oversee a portfolio of agencies including the Indiana Destination and Development Corporation (IDDC). IDDC is dedicated to promoting, branding, and telling Indiana’s authentic story to both attract and retain businesses, talent, students, and visitors to our state.
By utilizing the “IN Indiana” branding at your business, in public art or with #INIndiana on your social media posts, you are helping share the story of Indiana, which will attract more people from across the country to want to come visit, including prospective women in tech.
But once people find their way to Indiana, it is important that we work to ensure that they feel connected and supported while living here and can plug into common interest groups.
One group that is doing just that is Government Women In Technology (GWIT), a State of Indiana affinity group that supports, advocates and motivates women in technology. Founded in 2020 by Anushree Bag, GWIT now has over 100 members from 35 state agencies who gather to share their knowledge, serve as mentors, and empower one another to take risks and navigate an impactful career in technology.
The work being done by GWIT is vital to the success of our state and is building a strong foundation for future generations. I am optimistic that building a culture of support within the tech community, especially for the women who work in this field, will encourage this next generation to come to Indiana for college, for their careers and for their lives.
During Women’s History Month, I challenge you to take a step in supporting the next generation of women in tech. Whether that be by joining an organization like GWIT, volunteering for a local elementary school’s STEM club or becoming a mentor for a local student who is interested in the tech field. By taking these steps, each of us can help close the gender disparity gap in the Indiana tech industry.
JCDC FOCUSED ON PERSISTENT COLLABORATION AND STAYING AHEAD OF CYBER RISK IN 2023
Thursday, February 16, 2023
Reprinted with the permission of the Cybersecurity and Infrastructure Security Agency (CISA), today’s blog first appeared on CISA’s website in a bylined piece, published on January 26, 2023 by Eric Goldstein, who serves as the Executive Assistant Director for Cybersecurity at CISA.
In 2021, CISA and our partners across government and the private sector created a new kind of partnership organization — the Joint Cyber Defense Collaborative (JCDC). While our model is still evolving, we collectively demonstrated how persistent collaboration and frictionless engagement can yield benefits in addressing exigent risks like the Log4Shell vulnerability and potential cyber activity resulting from Russia’s full-scale invasion of Ukraine. However, collaborating around immediate risks is necessary but not sufficient. We must also look over the horizon to collaboratively plan against the most significant cyber risks that may manifest in the future. This proactive planning is foundational to JCDC, as first envisioned by the Cyberspace Solarium Commission and then codified by Congress.
To advance this critical aspect of our work, CISA and our partners are proud to announce JCDC’s 2023 Planning Agenda. This Agenda is the first of its kind — a forward-looking effort that will bring together government and the private sector to develop and execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration. We will continue to expand the breadth and depth of our partnership to maximize both the completeness and impact of these planning efforts.
Through a rigorous process that included input from subject matter experts and our government and private sector partners, we have developed a Planning Agenda focused on three topic areas: systemic risk, collective cyber response, and high-risk communities.
- While all organizations are at risk of cyber intrusions, we know that certain elements of the ecosystem can be abused by malicious actors to achieve widespread impacts. To reduce these types of risk at scale, we will convene key partners across the following efforts:
  - Understand and mitigate risks potentially posed by open source software (OSS) used in industrial control systems
  - Advance cybersecurity and reduce supply chain risk for small and medium critical infrastructure entities through collaboration with remote monitoring and management, managed service providers, and managed security service providers
  - Deepen operational collaboration and integration with the Energy Sector, in partnership with the Department of Energy
  - Identify approach to enhance security and resilience of edge devices for the water sector
- Over the past several years, government and the private sector have significantly advanced our processes and approaches for incident response, but our plans and doctrine have not kept up. JCDC will lead an effort to update the National Cyber Incident Response Plan, in close coordination with the Federal Bureau of Investigation and other partners, which will include articulating specific roles for non-federal entities in organizing and executing national incident response activities.
- Malicious cyber actors do not only target critical infrastructure or businesses; to the contrary, we know that high-risk communities, such as civil society organizations that support journalists, and cybersecurity researchers are routinely targeted by adversaries seeking to undermine American values and interests. JCDC will lead collaborative planning efforts with key non-government organizations, government, and industry stakeholders to develop a cyber defense plan for civil society organizations who are at high risk of being targeted by foreign state actors.
In the coming weeks, we will kick off our planning efforts on OSS and scaling cybersecurity to support small and midsize critical infrastructure and state, local, tribal, and territorial entities. The remaining priorities for cyber defense planning efforts will commence in the following months.
Through these planning efforts, CISA and our partners across government and the private sector will take steps to measurably reduce some of the most significant cyber risks facing our country and deepen our collaborative capabilities to enable more rapid action when the need arises.
This level of proactive planning is new; we’ll learn as we go, and we’ll be transparent about our successes and our continued areas of growth, informed as always by the input and feedback from each of our partners in this critical work. We will also maintain flexibility to undertake urgent planning efforts as the risk environment changes, recognizing that agility is foundational to our shared success.
JCDC is a public-private cybersecurity collaborative that leverages new authorities granted by Congress in the 2021 National Defense Authorization Act to unite the global cyber community in the collective defense of cyberspace. CISA welcomes all critical infrastructure organizations and entities with cybersecurity expertise and visibility to participate in our collaboration efforts. For further information about JCDC, email cisa.jcdc@cisa.dhs.gov.
Celebrating Valentine’s Day One Click at a Time
Thursday, February 9, 2023
In the course of our lives, we experience romance in a variety of different ways.
For some of us, there was a time where it began simply enough, with a folded note that we asked our best friend to pass over to someone while we were in class.
From there, it’s the relationships that begin as early as our teens and twenties. Or, if we aren’t so lucky, it takes a few frogs to find our prince. And, if we’re fortunate, it continues on, until we’re in the twilight of a life well-lived in the company of someone special who cared about us.
With Valentine’s Day right around the corner many people (me included) start thinking about what we can do for our loved ones to offer a token of our love that day. In fact, it’s estimated that people will spend an average of $192.80 for Valentine’s Day -- when you add up the cost of what we’ll spend, not only for our husband, wife, or significant other, but our family, friends and even our pets! What’s more, consumers ages 35 to 44 are planning to spend even more -- an average of $335.71, the most of any age demographic.
Yet, in order to get to our storybook ending, it’s important for you to know that cybercriminals and scam artists are doing everything they can to steal away your life savings and your personal information while, at the same time, breaking your heart.
Here in Indiana, hundreds of Hoosiers fall victim to the scheme every year. From 2019 to 2021, romance scam complaints, nationally, have increased by 25 percent and the victims' losses totaled $1.3 billion in the past five years.
Many victims hesitate to report it because of embarrassment. Recently, a woman in Central Indiana shared her story in the hope that it’ll help other people avoid being the victim of a romance scam.
In a recent interview with the Indianapolis Star, Herbert Stapleton, Special Agent in Charge at the FBI’s Indianapolis office said it’s important to understand how a romance scam works and how you can protect yourself.
Additionally, there are some helpful tips to keep in mind, including:
- Be careful what you post and make public online. Scammers can use details shared on social media and dating sites to better understand and target you.
- Research the person’s photo and profile using online searches to see if the image, name, or details have been used elsewhere.
- Go slowly and ask lots of questions.
- Beware if the individual seems too perfect or quickly asks you to leave a dating service or social media site to communicate directly.
- Beware if the individual attempts to isolate you from friends and family or requests inappropriate photos or financial information that could later be used to extort you.
- Beware if the individual promises to meet in person but then always comes up with an excuse why he or she can’t. If you haven’t met the person after a few months, for whatever reason, you have good reason to be suspicious.
- Never send money to anyone you have only communicated with online or by phone.
Most importantly, trust your instincts (and not just your heart…) and if you suspect that you’ve been the victim of a romance scam, be sure to file a complaint as soon as possible with the FBI at the Internet Crime Complaint Center IC3. You can also report it to the Federal Trade Commission at ReportFraud.ftc.gov and it’s a good idea to notify the social networking site or app where you met the person.
And, hey, if it’s meant to be, you’ll be safe and secure and find the fairy tale together. Happy Valentine’s Day!
Advantages of Cyber Compliance Management on Your Business
Thursday, February 2, 2023
PERSPECTIVES FROM THE FIELD
The strength of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the Indiana Executive Council on Cybersecurity (IECC). Hence the name "Perspectives From the Field Series" in which we invite experts to discuss the real and challenging issues we are facing in the field and the proposed solutions from the experts to better the lives and businesses of all Hoosiers.
In the second installment of a two-blog series, Jeremy Miller shares his expertise on the advantages of cyber compliance management and how it can help protect your business.
Most small businesses believe that cybersecurity is only important for large corporations, which are more exposed to threats since they have more resources. In fact, 60 percent of small business owners think it's unlikely that cyber criminals will attack them. Contrary to popular assumption, small businesses are MORE likely than huge enterprises to be the subject of cyber threats.
That is why cyber compliance training and management is essential for businesses today. Employing a variety of learning and maintenance strategies, businesses can reduce risks and the expense of a breach. Maintaining and keeping systems secure and resilient can help to avoid severe consequences including reputation damage, financial losses, and even loss of life.
Let's look more closely at why cybersecurity compliance training and management is crucial for businesses and shouldn't be disregarded today. First, here are some of the different cyber threats that business owners and employees must be aware of and trained to handle.
- Cyber-terrorism
- Malware
- Trojans
- Botnets
- Adware
- Spyware
- Ransomware
- SQL Injection
- Social Engineering
- Phishing
- Man-in-the-Middle
- Denial of Service
- Online Scams
- Sextortion
While purchasing the most recent cybersecurity hardware and software is advised, providing employees with continuing security skill training to be aware of cyber threats like these will help assure the long-term security of your company's data. Furthermore, performing proper security assessments can show you where security gaps lie, as well as provide you with the tools to improve your security posture and keep you compliant with industry and local regulations.
Additionally, there are a wide range of benefits to having a cyber compliance management system, including:
- Saving time and resources by automating compliance-related processes, such as policy management and security assessments.
- Helping to avoid more of the cost that can come from non-compliance, such as fines and penalties, and potential lawsuits. Also, it can minimize the costs associated with incident response and recovery in case of a security breach.
- Customers, employees and vendors feeling safer knowing you are looking out for them.
- Putting in place more efficient data management policies that will help “keep the lights on”, in the event of a cyber incident or cyberattack.
- Taking solace in the fact you’ve done everything you can to protect your business and that you will be ready and resilient for any issues that may arise.
- Protecting against having to take corrective actions and incurring penalties for noncompliance.
- Mitigating risk to survive and recover from a cyber incident or cyberattack.
The other way to create a greater measure of compliance is to offer cybersecurity training to your employees. In doing so, it offers several advantages, including:
- Awareness: Cyberattacks often involve a substantial number of human mistakes. An effective security awareness training program will provide your employees with more of the skills and assurance they need to spot security hazards when they are presented and show them how to escalate problems. The better informed your staff is, the better they can defend your company, and the more proactive your cybersecurity measures will be. It will also help in avoiding downtime.
- Increase Customer Confidence: According to a Ponemon survey, 31 percent of consumers reported that after a data breach, they stopped doing business with the compromised firm. These figures demonstrate how crucial it is to keep a robust security posture. Customers will have more faith in a company and be more likely to do business with them if they are aware that the company is taking cybersecurity seriously.
- Threat Reduction: A cybersecurity awareness campaign is crucial in lowering the dangers that could result in data breaches and other cyber threats. A cybersecurity awareness program informs employees of information security best practices, apps, and technologies, including social media, email, and websites. Employees who receive cybersecurity awareness training are better informed about common social engineering threats like phishing and spear phishing. By assessing employees' knowledge about cyberattacks and how they react to phishing emails, the program can also be used to identify individuals who may benefit from more training.
Regardless of the real consequences that can occur as a part of any sort of breach, people must be aware of recommended practices to generate a higher level of security. This will also help in avoiding a situation, in which the company takes a hit to their reputation or the fallout that can come from having to deal with some negative press.
What’s more, by proactively initiating a cybersecurity compliance program, you’ll not only help in protecting your company from hackers and cybercriminals, but it'll also provide a safer, more secure work environment. For more information about cyber compliance, please visit Lionfish Cyber Security or email me at jeremy@lionfishcybersecurity.com.
Cyber Compliance 101 – What It Is and Why It’s Needed
Wednesday, February 1, 2023
PERSPECTIVES FROM THE FIELD
The strength of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the Indiana Executive Council on Cybersecurity (IECC). Hence the name "Perspectives From the Field Series" in which we invite experts to discuss the real and challenging issues we are facing in the field and the proposed solutions from the experts to better the lives and businesses of all Hoosiers.
In the first installment of a two-part blog series, Jeremy Miller provides his perspective on what cyber compliance is and how it fits in today’s digital marketplace.
What is cyber compliance?
Cyber compliance refers to the process of ensuring that an organization adheres to industry regulations, standards, and laws related to information security and data privacy. Many different types of organizations may need to comply with various cyber security regulations and standards. Some examples include:
- Healthcare organizations, which may need to comply with HIPAA regulations that protect patient health information.
- Financial institutions, which may need to comply with PCI-DSS regulations that protect credit card data.
- Retailers and e-commerce companies, which may need to comply with PCI-DSS regulations if they accept credit card payments online.
- Companies that handle personal data of European citizens, which may need to comply with the General Data Protection Regulation (GDPR).
- Companies that operate in certain industries, such as defense or energy, which may be subject to regulations specific to their sector and industry standards such as ISO 27001, NIST or CMMC.
It's important to note that compliance is not limited to large companies; small and medium-sized businesses may also be required to comply with the laws and regulations of their country or industry.
Why Should Cyber Compliance Be a Top Priority?
It’s vital for businesses to stay on top of compliance for a variety of reasons, including:
- To protect sensitive data: Compliance with regulations and standards helps to ensure that an organization is taking the necessary steps to protect sensitive information, such as personal data and financial information. This can help to prevent data breaches, which can result in significant financial losses and damage to an organization's reputation.
- To meet legal requirements: Failing to comply with regulations and standards can result in significant fines and penalties, as well as legal action. Compliance is important to avoid these risks.
- To maintain customer trust: Compliance with regulations and standards can demonstrate to customers and partners that an organization takes data security and privacy seriously, which can help to build trust and maintain positive relationships.
- Improving overall security posture: The process of achieving and maintaining compliance can also help to improve an organization's overall security posture. This can include identifying and addressing vulnerabilities, implementing best practices, and regularly assessing and testing security controls.
- To obtain cyber insurance: Many companies have cyber insurance that requires compliance with certain standards and regulations. Non-compliance can lead to denial of claims and can make companies more vulnerable to a cyberattack.
Overall, cyber compliance is an important aspect of protecting businesses from potential cyber threats and ensuring that they are able to operate in a secure and compliant manner. Furthermore, cyber compliance management and training can help a business to protect sensitive data, comply with legal requirements, maintain customer trust, and improve its overall security posture.
For more information about cyber compliance, please visit: www.lionfishcybersecurity.com or email me at jeremy@lionfishcybersecurity.com.
In part two of our special blog series, on Thursday, Feb. 2nd, Jeremy Miller discusses the advantages of cyber compliance management and why it’s important to your business.
Data Privacy: Be Sure to Add It to Your “To Do” List
Wednesday, January 25, 2023
If you have ever met me, you would quickly know that I LOVE “To Do” Lists. But when it comes to making out a “to do” list, if you’re like me, there’s always that ONE thing you forget about, right?
And just about the time you walk through the door at home, or you’ve left the office for the day, you suddenly remember what it is you forgot to do, and in that moment, it drives you just a little crazy. We’ve all been there. Of course, most of the time, it’s easy to head back to the grocery store for that gallon of milk or open your laptop to finish sending that email but how about protecting your personal information? That’s one item that you could say is and should be on our “to do” list every day.
This week is National Data Privacy Week and it’s fair to say that being concerned about our personal data is certainly something that’s on our minds these days. According to the Pew Research Center, 79 percent of U.S. adults report being concerned about the way their data is being used by companies. Add to that, another Pew Research Center study found that 93 percent of Americans considered it important to be able to control who could access their personal data.
The fact is, our ability to keep tabs on our data – everything from our social security number and date of birth down to the number of steps we’ve taken today, as recorded on our Apple watch or Fitbit device – is a balancing act. It’s all about what we need to do as a part of our everyday life while, at the same time, trying to take advantage of the convenience that today’s technology affords us. In other words, being able to do everything in a click or two without getting hacked or being the victim of a phishing attack.
Fortunately, there are a lot of great (and FREE) resources to help you.
For starters, if you want to learn more about what data privacy is, the National Cybersecurity Alliance (NCA) offers a great article that’ll help you understand more about it.
According to the NCA, there are also several key tips to keep in mind when it comes to protecting yourself, including:
- Knowing the tradeoff between privacy and convenience – Your data is tremendously valuable and it’s a good idea to make informed decisions when sharing it with a business or service.
- Adjusting (and managing) your privacy settings to fit your comfort level (err on the side of sharing less data, not more).
- Protecting your data – Turn on multi-factor authentication whenever it’s permitted and learn how to identify phishing messages.
- Creating complex passwords for each account or device and storing them securely in a password manager.
Here in the Hoosier State, we invite you to visit our Indiana Cyber Hub website for all kinds of cybersecurity resources, best practices, tips and even toolkits that you can download for FREE to help you stay safe whenever you’re online and protect your personal information.
If you’re a business owner, a non-profit organization or work in local government, there’s even a PII (Personal Identifying Information) guidebook (written by privacy experts) that you can use to help better protect yourself.
For more information, visit www.in.gov/cybersecurity.
Working Remotely: Safe at Work, Safe at Home
Wednesday, January 11, 2023
You might not have noticed it on the calendar, but this week is National Home Office Safety and Security Week.
And while I’m not sure there’s a Hallmark card for the occasion, working from home is something we can celebrate when it comes to maintaining our productivity, while at the same time, making sure we’re getting our work done, safely and securely.
With more people than ever working remotely, the party is just getting started, given the fact that many businesses and organizations haven’t completely made up their mind as to where everyone is going to work in the long term. As all of that gets sorted out, there are 10 steps you can take to set up and maintain a cybersecurity-safe home office, including:
- Only use company-issued devices
- Use a VPN to reduce hacking risks
- Work within company-approved software and tools
- Keep software updated
- Avoid using public Wi-Fi
- Don’t open suspicious emails
- Change your password regularly
- Set up boundaries for virtual meetings
- Be cautious when sharing your screen
- Practice good digital hygiene
Protecting your home office environment is important, too, for the fact that the frequency and sophistication of cyberattacks and cyber incidents continue to rise. According to recent data from the Cybersecurity and Infrastructure Security Agency (CISA), a ransomware attack occurs every 11 seconds. Unfortunately, a lot of these incidents are the result of someone clicking on an unsecure link. Add to that, 95 percent of cybersecurity breaches are due to human error and compromised passwords are responsible for eight out of 10 security breaches.
Following these suggestions will help you stay organized with your work, but it’ll also help in managing your digital space at home.
As a side note, you might be interested to know that the whole idea (and potential benefits) of working from home was first created – more than 50 years ago – by a NASA engineer, Jack Nilles, who coined the term “telecommuting” from a publication he wrote entitled Telecommunications Transportation Tradeoff. An accomplished physicist, Nilles switched from being a rocket scientist to serving as a research director at the University of Southern California, a position that was created for him so he could follow his theory that remote working would be good for business and even better for the environment.
His nine-month study showed that worker productivity went up, health care costs went down, and infrastructure costs dropped. Also, the company who commissioned the study was going to save as much as $5 million. So, what happened? The company chose not to do it.
Maybe they were waiting to see what was going to happen with the World Wide Web.
Mentoring Is for All Ages
Wednesday, January 4, 2023
While it could be said that the three things we look forward to most when it comes to the start of a New Year are optimism, hope, and an affordable gym membership, there is another reason to celebrate in 2023.
And that’s the influence or advice we’ve received from someone we consider a mentor. Of course, it’s the perfect time, as January is National Mentoring Month.
From my own experience, the guidance I’ve received – over the course of my life – from people who’ve influenced me, both at work and in my everyday life, is immeasurable. Mind you, some of what I heard along the way, at times, might not have been easy to take or something (in that moment) I might've found to be a challenge. But to be sure, what I gained from it all is something I value, to this day.
What’s more, it’s enabled me to use those experiences and serve as a mentor to others. That’s important, but not for the reasons you might think. A survey by Olivet Nazarene University, published in a 2019 article in Forbes, reported that 76 percent of people think mentors are important, but it also revealed that only 37 percent of those surveyed said they have one. It also found that just 14 percent of mentor relationships started by asking someone to be their mentor. Sixty-one percent of those relationships developed naturally.
Mentoring.org highlights the case not only as to why someone should become a mentor, but also provides important data about the realities involving the impact of someone who grows up without a mentor. It also illustrates what happens with young adults who DO grow up with a mentor. You can even sign up to become a mentor.
All of this is important for two reasons. Cybersecurity is one of the fastest-growing professions in the world and the opportunities, as it relates to hiring a diverse workforce, are truly unique. Because of that, there are some 750,000 available job positions in cyber in the U.S.; a figure that includes roughly 20,000 openings here in Indiana.
Secondly, the times have changed, and mentoring is not an activity that’s exclusive to someone who’s older providing their influence on a younger person, who is either in an entry-level position or, perhaps, is a high school or college student. The script has changed and there are many people – working in cybersecurity and other related fields – who’ve gained the requisite level of knowledge and experience (at a much younger age) and they’re able to pass along their experience to someone who’s older. That’s a trend that’s emerged, as people are deciding, as never before, to change careers, or they’ve decided to do something that requires additional training to gain the experience they need to pursue a job in cybersecurity in the long term.
In celebration of all mentors and all of us whose lives they’ve influenced, be sure, too, to visit our Indiana Cyber Hub website for more information about cyber careers, including job boards, training resources, and more!
Cybersecurity for Hoosiers: We're All In This Together
Wednesday, December 28, 2022
By Indiana Office of Technology Outreach Team
When you travel the state of Indiana for a little over a year talking about cybersecurity with local governments, it is difficult to encapsulate the experience in short order.
The range of perspectives, the complexities of the challenges, and the dedication of the people you meet offer subjects that could be discussed at length. More narrowly focused topics, such as ransomware and business email compromise (BEC) threats, as well as access to IT and cybersecurity expertise, together with the significant penetration of cybersecurity insurance, cultural inhibitors to governance and ownership, and many others would illustrate the varied strategies that have evolved to protect local government data and services. It was an educational and rewarding experience.
Before diving headlong into our experience, we must say that Indiana is a beautiful state and Hoosiers are the most welcoming individuals. Visiting with state and local government representatives from 92 counties required some serious time and mileage; thankfully, the scenery and hospitality made the long drives enjoyable.
Local government officials are aware of the threats they face and seem to take the challenge seriously. We found a collective theme of constraints: funding, tools, expertise, and, at times, executive cohesiveness. Still, the capabilities in place with most local government operations are beyond what many assume, and they are checking many of the important boxes. At the same time, in a day and age when even the best run organizations are breached, much work remains to be done at the local level.
We pursued our listening tour with three primary objectives. First, we wanted to better understand the cybersecurity environment statewide. Second, we needed to build and strengthen relationships and lay the foundation for an integrated cybersecurity community. Third, we sought to gather information that would help us craft a “whole of state” cybersecurity plan.
We found the environments to be as diverse as expected, consistent with some general assumptions, and different with each organization. We put a good foot forward toward building the trust imperative for an integrated cybersecurity community. We followed up on every question, and, more importantly, we responded with action to the needs expressed. Through the year, the Indiana Office of Technology (IOT) added to the portfolio of services the state could offer to offset locals’ costs and constraints (e.g., secure email, cybersecurity training).
Finally, we’ve incorporated what we learned into our draft of the State’s whole of state cybersecurity plan for the federal State and Local Cybersecurity Grant Program (SLCGP). Getting each local government to where they want and need to be, will be a long process, in which we hope the SLCGP funds can assist. Our traveling efforts were a solid step to that end. Success is difficult to measure for this particular effort; however, openness to our message by the local governments, executive support for the necessary resources, and empathetic team members eager to help resulted in the request of a 2023 Listening Tour. We expect this coming year to be even more productive in terms of advancing the cybersecurity capabilities of local governments, and we look forward to enhancing our relationships with local officials and their IT teams – the real protectors of Hoosiers’ data.
Rolling the Dice for Your Cybersecurity
Wednesday, December 7, 2022
You cup the dice into your hands, shake them around (perhaps wishing them good luck), and finally roll them onto the board. Pandemonium breaks out! The dice have decided the fate of every player on the board. Whether it be Dungeons and Dragons, Yahtzee, or Monopoly, everyone is sure to have a good time when playing games with dice.
Recently, these games have been moving online and people are able to play dice games with people all over the world. However, having these games online exposes dice enthusiasts to cybercriminals looking to take their private information.
In just this past year, there were major data breaches against Roblox, Neopets, and Bandai, with Neopets exposing the data of 69 million players. There was also a data breach in 2019 where more than 200 million online gamers had their data stolen. Is there anything online dice game enthusiasts can do to protect themselves? Thankfully there are ways to mitigate the effects of data breaches on you!
In celebration this week of National Dice Day, here are some online gaming tips from the National Cybersecurity Alliance that will help you stay safe and protect your personal information, allowing you to focus on just having fun.
- Do Your Research – Mobile gaming makes up approximately 45 percent of the global games market. But just because a game is available on a trusted app store, it doesn’t mean it is a safe app to download. Before downloading any new gaming app on your device, make sure it’s a legitimate app. Check out the reviews and look it up online before downloading it.
- Think Before You Click – Cybercriminals will often try to entice gamers into clicking links or downloading malicious files by offering cheat codes, hacks, or other ways for you to gain an advantage over competitors; this is especially true if it comes from a stranger or it’s something you weren’t expecting. If the offer seems too good to be true, chances are it is.
- Protect Your Privacy – As part of your gaming profiles, the more personal information you post, the easier it may be to steal your identity or access your data. Be cautious and if a stranger asks you to share this information, say “no”. The same is true if they ask you to share a photo or turn on your webcam.
- Avoid using geo-tagging features which can reveal your exact location. A better option is to disable this function before you start playing.
- Playing with people you don’t know or aren’t a part of your friend group? Use a safe game name, such as Superstar55 or Catsby90. Don’t use your first or last name in your usernames and use an avatar instead of an actual photo.
It’s also a good idea, as with a lot of things you’ll want to do whenever you’re online, to:
- Always use a secure wi-fi connection.
- Create long and strong passwords (at least 12 characters long) and if you’re a real gamer, who enjoys playing on multiple gaming platforms, consider using a password manager.
- Use two-factor or multi-factor authentication on all your gaming devices.
- Secure your payment data.
- Make sure all the internet-connected devices you’re using to access online games – including personal computers, smartphones, and tablets – are updated with the latest security software. Setting up automatic notifications is always good and if you’re playing an app-based game on a device, make sure it is updated regularly.
Of course, as adults, anything that involves a game that can’t be played at the kitchen table or involves handing out “play money”, it’s a good bet you’re going to ask questions, right? One way to learn what it’s all about is to have your kids teach you how to play whatever games they’re playing. It’s a great way to spend some time together and, who knows, you might actually win a game or two (but, if you’re like me, probably not).
Online gaming shouldn’t feel like you’re rolling the dice with your cybersecurity, waiting to see whether or not your private information will be leaked online by hackers. By following these tips, your dice rolls for increased privacy are sure to be natural 20s, just like in Dungeons and Dragons!
Safe Shopping is on Everyone’s Holiday Wish List
Wednesday, November 30, 2022
One of the realities of the holiday shopping season (besides the fact that it feels like some retailers started celebrating “Black Friday” back in September) is that cybercriminals are always working on a new scam so they can go shopping with your money.
That’s a LOT of cash when you consider:
- Just last week, according to Adobe Analytics, U.S. Black Friday online sales hit a record $9.12 billion. Add to that another $9.55 billion in weekend sales, and Cyber Monday took the top spot as the busiest of all shopping days, with sales coming in at $11.3 billion. Throw in the fact, too, that fully 48 percent of these sales were completed using our smartphones. In making those registers ring, 196.7 million people shopped in stores and online between Thanksgiving and Cyber Monday.
As you look back over your receipts, it’s important to keep in mind, too, how much of what we spend is lost. According to the Internet Crime Complaint Center’s (IC3) 2021 report, non-payment or non-delivery scams cost people more than $337 million. Credit card fraud accounted for another $173 million in losses. In a non-delivery scam, a buyer pays for something they find online, but those items are never received. Conversely, a non-payment scam involves goods or services being shipped, but the seller is never paid.
Fortunately, there are a lot of free resources, with helpful cybersecurity tips – from sources you can trust – that are designed to make your online shopping experience easy, but more importantly, safe, and secure, including:
- Learning more about cyber, from why it’s important to take precautions and how attackers go after online shoppers to ways you can protect yourself, is the mission of the Cybersecurity and Infrastructure Security Agency, and their website is filled with all kinds of great information, tips and best practices.
- Avoiding “fly-by-night” websites and resisting the temptations of “free” offers are among the tips Regions Bank offers as part of its advice on how to handle Five Common Online Shopping Scams.
- PRO TIP: No online retailer needs your Social Security Number or your Date of Birth to make a purchase. Making sure that you don’t overshare your personal information and always looking for the “lock” when visiting a website that you intend to use a credit or debit card for making a purchase are at the top of PC Mag’s 14 Tips for Safe Online Shopping.
Here in Indiana, cybersecurity is a top priority and there’s always lots of FREE information for Hoosiers of all ages, including cyber tips for individuals and families, as well as businesses, local government, and schools on our Indiana Cyber Hub website. Be sure to follow us on LinkedIn, Twitter and Facebook.
Happy Holidays!
Putting a "C" in STEM
Wednesday, November 23, 2022
As the Cybersecurity Program Director of the State of Indiana, I am encouraged that a career in cybersecurity is among the fastest-growing categories in technology – not only here in Indiana, but across the country and around the world.
Over the last 10 years, Forbes notes that cybersecurity jobs worldwide grew 350 percent (2013-2021). In the United States, there are approximately 750,000 open cybersecurity jobs, but only enough qualified workers to fill 400,000 of them.
By any measure, that’s quite a gap to try and fill. That being said, as someone who’s worked in cybersecurity for several years now, but whose background and experience is in communications (not technical), it’s my belief that the cybersecurity field is set up, you might say, for the kind of progress we’re seeing with STEM/STEAM careers that’s occurred within the past 20-30 years.
With this month being National Career Development Month, here are some reasons cybersecurity is emerging as a career to consider, including:
- People are deciding – for a variety of reasons – to change jobs or switch careers at a rate we haven’t seen since the 1970s and the path for making that kind of transition is as wide-open as it’s ever been for people ranging in age from their late teens to their 50s or 60s (and older…).
- In terms of education, nearly a dozen colleges and universities in the Hoosier State offer cybersecurity degree programs as part of their class offerings. Opportunities are starting to grow among K-12 schools and competitions, such as CyberStart America, are helping to introduce cyber as a career to high school students to consider pursuing once they graduate.
- At the same time, a growing number of organizations – educational, vocational, and military, as well as others in both the private and public sectors – are offering programs with real-world training (that doesn’t require a degree) and on-the-job experience that can lead to someone earning an entry-level salary in the range of $40,000-$50,000 in as little as six months.
- Because of the urgency that exists to fill these positions, the opportunity for creating a diverse and inclusive workforce is greater than ever. Additionally, the opportunities for finding a meaningful career include people who’ve been diagnosed as neurodiverse; creating a career path for someone whose performance is not defined by the fact they are managing a condition, such as autism, attention deficit/hyperactivity disorder (ADHD) or dyslexia, as part of their everyday life.
Whether you’re a student, a parent, or an employer, you are invited to visit the cyber careers page on our Indiana Cyber Hub website. There, you’ll find links to all kinds of FREE resources, covering everything from job boards to educational information that’s designed to help you find schools and/or organizations that are offering degreed programs and where to go to find a wide range of training.
Who knows, maybe as the world of cybersecurity continues to grow, we can find a way to celebrate cyber as part of STEM Day and that we’ll not only keep adding – and filling – job positions in cyberspace, but we’ll find ways to add cyber as an option in more and more classrooms and communities across Indiana.
State of Indiana's Cybersecurity Efforts Help Local Government
Friday, October 28, 2022
October is Cybersecurity Awareness Month and this year’s theme is “See Yourself in Cyber” and demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people.
The celebration comes as Indiana’s ascension in cybersecurity collaboration – as a top-tier state nationally – is continuing to rise at a rapid, yet steady pace; progress driven by the unprecedented release of a second, three-year statewide strategic plan and the success that’s being achieved with two unique programs focused on partnering with local government and municipalities while providing a greater level of training and resources for the benefit of all Hoosiers.
Local Government Focus Features Community Conversation Tour, Cyber Ready Pilot Program
As part of the state’s ongoing commitment to supporting local government, the Indiana Office of Technology (IOT), led by Tracy Barnes, Chief Information Officer for the State of Indiana, is continuing with its 92-county community conversation tour. At each stop, IOT representatives have met with county, city, and town officials to discuss various information security topics and the free and low-cost services available to local governments from IOT. To learn more, visit: https://on.in.gov/IOTlocal.
A second local government initiative is the Cyber Ready Communities (CRC) pilot program. As the State of Indiana’s Cybersecurity Program Director, it is my pleasure to visit and work closely with local government leaders in four Hoosier communities – Jasper, Ind., and Dubois County; Nashville, Ind., and Brown County; Kokomo, Ind., and Howard County; Carmel, Ind., and Hamilton County.
The CRC program is centered on achieving two goals. Primarily, the purpose is to work closely with the communities to be cyber ready at every local government department level by changing the cybersecurity culture and connecting those communities to additional state, federal, and private partners, resources, and services. The second goal is to help inform the IECC (Indiana Executive Council on Cybersecurity) and state leaders as they continue to develop additional programs to help in partnering with local governments.
Emergency Manager Cybersecurity Toolkit
The centerpiece of all things cyber in the Hoosier state is the Indiana Cybersecurity Hub website. Featured among the many resources, best practices and tips that are available for free on the website, there is a great deal of “hands on” information, designed to help local governments be prepared, including the Emergency Manager Cybersecurity Toolkit; a free, downloadable “playbook” designed to help take out some of the complexities related to cyber and provide an invaluable resource with the tools to help local governments prepare for a cyber incident.
IECC Strategic Plan
Within the past year, the IECC presented to Indiana Governor Eric Holcomb, the 2021 Indiana Cybersecurity Strategic Plan – highlighting the cyber policies and initiatives that the Council are, now, actively working on and focused on completing in the years ahead. As a part of that work, the Council also completed the State of Cyber Report – 2017-2021– outlining all the cybersecurity policies and initiatives that have been completed since 2017 in Indiana by the Council, as well as throughout the state by colleges and universities and small businesses. The Council completed nearly 80 percent of the deliverables and objectives as part of its “first of its kind” 2018 strategic plan.
For additional information regarding the latest cybersecurity news and trends, visit the Indiana Cybersecurity Hub website and follow us on LinkedIn, Twitter and Facebook.
Defend Against Cybersecurity Threats to Your K-12 School with Four Simple Action Steps
Monday, October 24, 2022
Cyberattacks and online threats are an increasingly significant and widespread problem for K-12 schools and districts. A growing dependence on technology for learning, the presence of sensitive student data, and increasingly complex and deceptive cyber criminals have made the K-12 community particularly vulnerable over the past several years. Impacts from such attacks can affect a school’s financial security, educational obligations, and ability to provide a safe, secure environment for students and staff.
Cybersecurity Awareness Month, recognized each October by the Cybersecurity and Infrastructure Security Agency, the National Cybersecurity Alliance, and other organizations throughout the country, provides an important opportunity for the K-12 community to become more educated, empowered, and equipped to take action against cyber threats. This year’s campaign theme – “See Yourself in Cyber” – illustrates that while cybersecurity may seem like a complex issue, everyone can play a role in staying safe online.
For students, teachers, and staff, taking action can mean enabling basic cyber hygiene practices. School communities can get started with these four simple steps:
- Enable Multi-Factor Authentication: Multi-factor authentication (MFA) is a layered approach to securing online accounts that requires users to provide two or more authenticators to verify their identity. Enabling MFA can make users significantly less likely to get hacked.
- Use Strong Passwords: Passwords are the most common means of authentication. Create passwords that are long, unique, and randomly generated, and use a password manager to generate and store passwords across multiple accounts.
- Recognize and Report Phishing: Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. Reduce the risk of phishing attempts by ‘thinking before you click,’ enabling strong spam filters, and training staff to recognize and report suspicious activity.
- Update Your Software: Outdated software can contain vulnerabilities that can be exploited by threat actors. Install updates on school devices as soon as possible and/or enable automatic updates to protect your systems.
Learn more about these action steps with this cybersecurity infographic from SchoolSafety.gov. This one-page overview can be printed and shared to help promote cybersecurity best practices within your school, and to encourage all members of the K-12 community to ‘see themselves in cyber.’
Visit SchoolSafety.gov to access additional cybersecurity resources and guidance and follow @SchoolSafetyGov on Twitter for other timely school safety updates.
SchoolSafety.gov Disclaimer
The U.S. Department of Homeland Security (DHS), U.S. Department of Education (ED), U.S. Department of Justice (DOJ), and U.S. Department of Health and Human Services (HHS) do not endorse any individual, enterprise, product, or service. DHS, ED, DOJ, and HHS do not mandate or prescribe practices, models, or other activities described in this communication. DHS, ED, DOJ, and HHS do not control or guarantee the accuracy, relevance, timeliness, or completeness of any information outside of those respective Departments, and the opinions expressed in any of these materials do not necessarily reflect the positions or policies of DHS, ED, DOJ, and HHS.
See Yourself In Cyber, Protect One Another
Wednesday, October 19, 2022
By Joel Thacker
October is Cybersecurity Awareness Month, and the cyber risks to our way of life have never been more serious.
The theme this year is “See Yourself in Cyber.” Those who stay diligent to avoid scams understand how important individual responsibility is in this fight. Nearly 90 percent of cyberattacks are due to human error, that one person who mistakenly opens an attachment at work, putting an entire organization at risk. It happens every day, but it does not have to be that way.
Corporate data breaches reached an all-time high in 2021 as more people worked remotely and normal safeguards from workstations went by the wayside. In the U.S., the average breach cost companies more than $9 million, with the most expensive occurring in health care. Again, human error led to multimillion-dollar losses.
With more employees back in the office, training has been amplified, and we are hearing more conversations about how we can protect ourselves. The conflict in Russia and Ukraine has presented new and daunting challenges from the cyber world, and players such as China, North Korea and Iran continue to exploit opportunities.
Just this month, an Indiana utility company was hit with a ransomware attack. This is a local problem with local solutions. This is our problem.
The Indiana Office of Technology offers any municipal body a multitude of free or low-cost services to protect government entities from cyberattacks. One key advantage IOT offers for free is online training to all local government employees through its KnowBe4 platform. A full offering of state services can be found on the IOT Local Government Services website.
Additionally, the Indiana Department of Homeland Security soon will administer Indiana’s portion of the $1 billion allocated across four years for cybersecurity as part of the Infrastructure Investment and Jobs Act. Details are still coming together on how many dollars will be coming to state, local and tribal governments in Indiana, but 80 percent of the allocation is earmarked for local government, including rural areas.
The State and Local Cybersecurity Grant Program was announced on Sept. 16. It is not yet open for applications, but information about how to apply will be provided in the coming weeks.
Momentum continues to increase for the U.S. to protect itself, its infrastructure and its citizens from the new frontier of online crime. The government is doing its share to better position each state according to its needs.
Each one of us must take ownership of cyberthreats and do our part to protect one another.
Money, Money, Money...And Fraud
Wednesday, October 12, 2022
By Heidi Leonard and Erik Miner
“You’ve been compromised.”
Those three simple words keep business owners awake at night. And for good reason.
The Association for Financial Professionals estimates that 71 percent of companies have received fraudulent attempts during the past year.
Ensuring the secure transfer of funds is essential for any organization. The AFP survey also identified real estate as one of the three most often-targeted industries by criminals (in addition to construction and commercial services). It also points out where business fraud is on the rise, increasing more than tenfold over a two-year period.
The factors behind this high-risk industry give us pause and make us think of state and local governments, given the common factors real estate firms share with many cities, towns, and schools:
- They involve large dollar transactions.
- They have easy access to public records.
- It is easy to impersonate someone via email; and, in both industries, there is oftentimes a lack of strong authentication processes.
The public sector houses some of the hardest working professionals we’ve had the pleasure of working with. However, it is an industry subject to potential turnover framed by heavily scrutinized budgets. It is key for staff to be armed with fraud education and cybersecurity resources such as multi-factor authentication and other fraud prevention tools.
When you add the current strained and volatile economy to the risk profile of many municipal governments, it could be argued that the risk of fraud schemes will only increase in 2022 due to distraction, unpredictability, and chaos. Extra vigilance is required by Hoosiers in today’s economy, and we should all task ourselves with mitigating cyber risks both at home and at work.
At Regions, we recommend that organizations implement a multi-layered approach, leveraging education and information sharing with an internal process driven by best practices, along with utilizing external resources.
- Begin by talking with your banker about the best safeguards against fraud, including products like Positive Pay and ACH Alerts. Be and stay curious.
- Carve out regular time to educate yourself and your team on current fraud strategies (they never cease to amaze us).
- Create an internal team to conduct a thorough IT/infrastructure assessment to identify any potential points of compromise. Document your process and plan – you can leverage these free resources to help you.
- Implement an anti-fraud training program and internal controls using Stop-Call-Confirm and dual approvals to be more proactive. By adding some intention and dimension to your business practices, you are bound to reduce your risk, no matter your industry, something that allows all business owners to sleep more soundly each night.
Unfortunately, fraud isn’t going away because when big money is involved bad actors want a piece of the action. Protect yourself and your organization with ongoing education, training and multi-layer protections that make access difficult for scammers.
Let's Stop & Talk About Getting Prepared
Friday, September 30, 2022
As we move from September’s National Preparedness Month to October’s National Cybersecurity Awareness Month, it is important to remember how the two connect and what we can do to keep ourselves and our loved ones safe and healthy.
As the Executive Director of Indiana Department of Homeland Security, the #1 piece of advice I give people when preparing for an emergency or a disaster is to have a plan. And, just as you need to make certain you go to a safe location in your house, in the event of severe weather, or you decide on a safe meeting place if there’s a fire or a flood, it’s important for you to include a cybersecurity plan that helps protect everyone, regardless of the situation.
The National Security Agency offers a list of best practices to keep your home network secure, such as updating your operating systems and safeguarding your mobile devices, as well as some helpful tips designed to help you stay whenever you’re online – including taking precautions on social media to using different devices for different activities for protecting your personal information. With National Cybersecurity Awareness Month, USDHS Cybersecurity & Infrastructure Security Agency also features four things you can do to help improve your cyber hygiene and stay better protected.
* * *
In addition to being prepared at home, our cities and towns across Indiana have to be prepared for any emergency, in order to protect everyone they’re dedicated to serving and to make certain that the critical infrastructure systems that are a vital part of local government are maintained safely and securely.
Among the resources that are available is the Emergency Manager Cybersecurity Toolkit. Developed by the Indiana Executive Council on Cybersecurity (IECC), it is a free, downloadable resource for emergency managers that includes four key sections:
- A survey to assist emergency managers in planning with the partners they work with to develop emergency and continuity of operations plans;
- A cybersecurity incident response plan template;
- A training and exercise guide; and
- Additional resources for navigating a range of different cyber incidents and threats.
While there really is no perfect plan or guide to use when planning for an emergency, nothing is more important than protecting our families and our communities. For more information, visit the DHS website on how you can get prepared and the Indiana Cyber Hub website at: www.in.gov/cybersecurity.
Monitoring the Baby Monitor
Wednesday, September 21, 2022
Every year, it feels more and more like we’re living in a science fiction world because of all the technological advances we benefit from in our day-to-day lives. This is especially true for parents who watch over their babies with smart baby monitors.
If you are anything like me, when I became a new mom I was OBSESSED with this baby who made my whole heart full. So as a new mom, I was consistently checking on my little one at night. But the extra convenience (and peace of mind) can come at a cost if you don’t take a few steps to protect your little one.
It might surprise you to know that baby monitors have been notoriously weak in security, and I’ll tell you how and why it’s an issue. For some context, last year, a critical vulnerability was found in more than 83 million smart devices, which included baby monitors. There were even more examples of smart baby monitors with critical vulnerabilities last year and in 2018, and probably many more that went undiscovered! A common theme is that some of the monitors were rushed to market at an affordable price, which comes at the cost of not designing enough security measures into the product itself. This exposes people to issues involving their privacy (including the use of any cameras) and the compromise of their home network. This just adds to the stress for new parents, who are just looking to take care of their children. That being said, here are some helpful tips you can use to protect your smart baby monitor!
Secure Your Wireless Router
Your router is the (digital) front door to your home, and that includes any, if not all, of the smart devices that are connected to your network – including your baby monitor. The first thing you’ll want to do is keep your router secure: set a strong password when you set it up and maintain strong passwords afterward, keep the router’s firmware updated, disable any remote router access, and never leave your WiFi network open.
Create a Strong Password for Your Baby Monitor
Your password is the first line of defense for your baby monitor. Make sure it’s at least 12 characters long, using a combination of uppercase and lowercase letters, numbers, and special symbols. Also, be sure to change the default password – before turning the monitor on – as some of these passwords are commonly known to would-be cybercriminals.
Update Firmware for Your Monitor’s Camera
As with all of your devices, it’s important for you to go through and make sure that you’re completing updates to your firmware, as it will help protect you and guard against any vulnerabilities the vendor may discover over the life of the product.
Register Your Monitor
Registering your monitor with the manufacturer or retailer will help you stay current with any security updates. If a security vulnerability is found after the monitor is sold, the vendor may send out a recall notice or software update.
Disable Remote Access to Your Monitor’s Camera
While remote access is convenient for watching your baby through the internet, it also gives others the potential to use the camera to monitor your home and your baby as well. Removing the camera from the network will prevent others from easily spying on your house and protect your baby.
As we grow more technologically advanced, we become more exposed to security vulnerabilities. By following these tips, you can stay ahead of the curve in protecting your family's privacy, your baby, and your home. If you’re interested in following more tips, be sure to check out our blog here and our cyber tips here!
Indiana Students Excel as CyberStart America Competition Winners
Wednesday, September 14, 2022
From October 2021 to April 2022, hundreds of Indiana students participated in CyberStart America, an interactive, national competition to help high school students understand the many advantages that come with a career in cybersecurity.
The competition involves an easy-to-follow platform that allows them to learn technology security basics through a series of gamified competitions.
Indiana clinched a Top 10 spot among all states that participated in this year’s competition with more than 700 students from 84 schools across the state who participated. While 105 Hoosier players qualified to apply for National Cyber Scholarship Foundation scholarships, ultimately 51 Hoosier students ended the game with scholarships to continue their education in cybersecurity. Indiana also moved into the number 10 spot nationally in 2022 after placing 11th in last year’s competition.
Cybersecurity continues to be an in-demand skill, and the need for trained industry professionals is not slowing down for the foreseeable future, which makes finding these future professionals so necessary. According to the Bureau of Labor Statistics, jobs in cybersecurity are expected to grow by 33 percent by 2030, much faster than the average. With so many jobs available, and the need to fill them so dire, more K-12 schools are offering lessons, classes, and degrees in cybersecurity.
This year's top-performing schools and their scholars were:
Noblesville High School (4 scholars, 1 remained anonymous)
- Ellie Hohmann, Trace Downs, Aj Einterz
Carmel High School (3 scholars)
- Oren Jensen, Alex Anderson, Irene Liang
Hamilton Southeastern High School (3 scholars)
- Sandilya Kambhampati, Aryadeep Buddha, Anish Kambhampati
The state of Indiana congratulates this year's winners and looks forward to all their future successes. For more information about CyberStart America, visit: www.cyberstartamerica.org and if you’d like, you can register and sign up to receive updates as to when the next CyberStart America intake is open for registration.
Right Tools & Teamwork: Key To Taking "Compromise" Out of Email Scams
Wednesday, September 7, 2022
PERSPECTIVES FROM THE FIELD SERIES
The strength of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the Indiana Executive Council on Cybersecurity (IECC). Hence the name "Perspectives From the Field Series" in which we invite experts to discuss the real and challenging issues we are facing in the field and the proposed solutions from the experts to better the lives and businesses of all Hoosiers.
In the latest installment of our series, we go to Kevin Mabry – founder, president and CEO of Sentree Systems Corporation, a data security consulting firm dedicated to helping small- and medium-sized businesses – who shares his perspective about the impact cybersecurity scams – such as Business Email Compromise (BEC) – are having on organizations – of all sizes – and what companies can do to protect themselves.
Every day, when a business opens its doors, which, these days, can be defined as simply turning on its computers or its digital networks, it’s not unusual for a problem or two to come up.
And regardless of the type of business you’re in, there’s a good chance that the health and well-being of your cybersecurity is at (or very close to) the top of the list of your priorities. When it comes to the types of threats that are out there, Business Email Compromise (also known as Email Account Compromise) is rapidly emerging as one of THE most prevalent and sophisticated scams worldwide.
According to the FBI, between July 2019 and December 2021 the BEC/EAC scam accounted for a 65 percent increase in exposed losses (which includes both actual and attempted losses in US dollars). What’s more, this type of cybercrime – at a cost of more than $43 billion – has been reported in all 50 states and 177 countries, with more than 140 countries receiving fraudulent transactions.
Yet, for all of its complexity, a BEC/EAC begins with a bad actor who gains access (to a company’s email system) by making it appear as though they are the CEO, owner, or some other executive.
Recently, there was a company in the financial services industry, in which someone tried to log into the owner’s email (from overseas) during a time they were not in the office.
Fortunately, the company was alerted to the issue (by having their systems monitored externally, reviewing all of their logs and events coming in from any devices or emails) and they were able to confirm that the person was not using their email at the time. In doing so, they were able to stop the attack from occurring.
There are other ways to help protect your company and minimize the potential risks associated with a BEC/EAC, including:
- Changing the password of the owner’s (or other executives’) email address(es);
- Using their password vault to generate the new password and storing it in the vault;
- Turning on 2FA (two-factor authentication) for all email accounts.
If this incident had been successful, the attackers could have sent a request to one of the other staff members to release or send an ACH transfer payment to a false account. This type of action is very difficult and, oftentimes, almost impossible to reverse. The client would have simply been out of that money and on the hook for the amount. As you might expect, the company was very pleased with the action that was taken.
Therefore, it is very important to have the right security tools in place, not just more security tools. With only an EDR, an XDR, or just an antivirus and a firewall, they would never have gotten the insight to stop this attack. Rather, it’s a better solution to have someone – or a team of someones – working together to monitor everything that’s occurring in your environment.
Changing our mindset away from “set it and forget it” when it comes to data security, is a better approach. Otherwise, there’s simply too much at stake.
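The sign-in monitoring described in the incident above, written as a log check in Python. This is an added example, not code from the original post or from Sentree Systems; the log format, account names, baseline values, the placeholder country code `ZZ`, and the function names are all assumptions made up for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of mailbox sign-in events (not real data).
# Timestamps are UTC; country is the geolocated source of the sign-in,
# with "ZZ" standing in for any country outside the account's baseline.
SAMPLE_LOG = """\
timestamp,user,country,result
2022-08-29T13:05:00Z,owner@example.com,US,success
2022-08-29T18:40:00Z,owner@example.com,US,success
2022-08-30T07:12:00Z,owner@example.com,ZZ,failure
2022-08-30T07:14:00Z,owner@example.com,ZZ,success
2022-08-30T14:00:00Z,staff@example.com,US,success
2022-08-30T23:30:00Z,owner@example.com,US,success
"""

# Assumed baseline per account: usual countries and local office hours.
# utc_offset is a fixed offset (-4, US Eastern daylight time) so the example
# needs no time zone database; hours are local and end-exclusive.
BASELINE = {
    "owner@example.com": {"countries": {"US"}, "utc_offset": -4, "hours": (8, 18)},
    "staff@example.com": {"countries": {"US"}, "utc_offset": -4, "hours": (8, 18)},
}


def parse_events(text):
    """Yield one dict per sign-in, with 'when' as an aware UTC datetime."""
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["when"] = when.replace(tzinfo=timezone.utc)
        yield row


def review_sign_ins(text, baseline=BASELINE):
    """Return alerts for sign-ins that do not fit the account's baseline."""
    alerts = []
    for ev in parse_events(text):
        profile = baseline.get(ev["user"])
        if profile is None:
            continue  # accounts without a baseline are out of scope here
        local = ev["when"].astimezone(timezone(timedelta(hours=profile["utc_offset"])))
        start, end = profile["hours"]
        reasons = []
        if ev["country"] not in profile["countries"]:
            reasons.append("unexpected country")
        if local.weekday() >= 5 or not (start <= local.hour < end):
            reasons.append("outside office hours")
        if not reasons:
            continue
        # A successful sign-in that trips both checks matches the incident
        # in the post; anything else is queued for a human to look at.
        urgent = len(reasons) == 2 and ev["result"] == "success"
        alerts.append({
            "timestamp": ev["timestamp"], "user": ev["user"],
            "country": ev["country"], "result": ev["result"],
            "reasons": reasons, "severity": "high" if urgent else "review",
        })
    return alerts


if __name__ == "__main__":
    for a in review_sign_ins(SAMPLE_LOG):
        print(a["severity"], a["timestamp"], a["user"], a["country"],
              a["result"], ", ".join(a["reasons"]))
```

A "high" alert is the point at which someone calls the account owner to confirm whether the sign-in was theirs, as the company in the story did.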
Going to the Farmers Market? Don’t Let Cybercriminals Harvest Your Information
Monday, August 8, 2022
There is nothing better on a nice spring, summer, or fall day than going to a weekend farmers market here in Indiana with my family. In fact, with more than 8,000 farmers markets across this country (according to the U.S. Department of Agriculture), it is no wonder that this is a popular thing to do nationally.
But as I was enjoying my local market this past week, which was extra busy since it was National Farmers Market Week, it made me realize how important it is to be sure we are educating our local farmers and small businesses, as well as the customer, on how to best secure our information.
Credit Card Sales
While farmers are out collecting their produce, it’s important to know that everyone’s information is protected before, during, and after the sale.
It has become quite commonplace to see or use credit card readers at farmers markets. There are many different types, but most of them are connected to the seller’s phone or tablet. This opens up the thought in some people’s minds that their information could be compromised. Generally speaking, these card readers are secure for completing your transactions, but it’s always a good idea to provide customers with a receipt, or if you’re buying an item, to select the option to have a receipt sent to you in a text or an email.
Protecting Your Business
Recently, the FBI issued an alert to the food and agriculture sector stating that ransomware actors were on the hunt to disrupt their seasons. Additionally, 43 percent of cyberattacks involve small- to medium-sized businesses. Since cybercriminals see these industries as lucrative, easy targets, it is important that farmers and small businesses take a few steps – ahead of time – to make sure everyone has a safe shopping experience.
The federal government’s Cybersecurity and Infrastructure Security Agency (CISA) offers a plethora of information on ransomware attacks and ways to protect yourself or your business. To get started, there are four cybersecurity tips you can follow to help your farmers market business and ensure your customers’ information stays safe:
- Implementing multifactor authentication (MFA) on your accounts
- Updating software and turning on automatic updates
- Thinking before you click
- Using a password manager
Multifactor authentication
This is a security enhancement that allows users to present two forms of credentials when logging into their various accounts. These credentials can include anything from a password or smart card to a fingerprint or face. It aims to add an additional layer of security, so that it is harder for cybercriminals to access your personal information.
Software updates
Updating your software is wildly important for a variety of reasons. Updates help patch security flaws and protect your data. Having hackers take advantage of weaknesses found in your software is the last thing you want to worry about. Make sure that you are being proactive when it comes to updating your software.
Think before you click
Hackers often use phishing and other methods to target users. These methods are designed to trick unsuspecting individuals into giving up confidential information. Oftentimes, they will take credit card numbers, Social Security numbers, passwords, etc.
Password managers
Managing your passwords can be hard sometimes, but using a password manager is a good way to keep your passwords unique, strong, and safe.
To learn more about the latest cybersecurity tips, best practices, resources and more, visit our Indiana Cyber Hub website and follow us on social media on Twitter and Facebook.
One Password to Rule Them All
Wednesday, August 3, 2022
One thing we all wish for is for something to make our lives easier. To simplify things.
We’re already stressed by school, work, and taking care of our families that, at times, it can feel as though you don’t have enough energy left to worry about something like making strong and secure passwords for all our accounts.
Passwords that are strong and unguessable can be hard to remember and it’s more than a little frustrating when you forget your password. At the same time, using personal information, including our name, birthday, or other family member’s names, to create a password (and then re-using them) has made it much easier for cybercriminals to hack into your accounts.
So much so, it leads to the kind of data breaches you hear about in the news on an almost daily basis. Thankfully, there’s a better solution that’s both convenient and secure. What is it? A password manager!
We have all been told that a password should be complex and at least 12 characters in length, using a combination of uppercase and lowercase letters, numbers, and special symbols (i.e. punctuation); maybe even a phrase within it. The longer it is, the more protection it provides to help you avoid being a victim of identity theft or having someone steal your money or account information. But if you are like me, I have countless accounts online for work, kids, finances, social media, medical, and so on. So coming up with a different password for every online account I have can be daunting, to say the least. So why work hard when you can work smart AND be more secure?!?
Here’s how it works: A password manager is a program that generates and stores all passwords in a safe location. You can think of the safe location as a vault. Having this vault is designed to help you manage all of the passwords you rely on and use to protect your accounts – with a single, master complex password.
If you are looking into getting yourself, or your family, a password manager, you have a lot of options to choose from. There are three types of password managers called offline, online, and stateless. The most popular and widely used password managers are online, so we’ll focus on that as an option that’s out there for you to consider.
Keep in mind, too, as with a lot of things, there are ‘free’ versions of some of the more popular password managers that you can download and use, but many of these providers also offer a wider range of services at a cost – depending on the number of accounts you need (or can afford based on your budget) and how much security is required.
Also, be sure you are using a company with a stellar reputation. The password manager I use, for example, is not only great, but also very honest with me (and its millions of users) when they suspected a cyber breach. (Even the best can get hacked.) But they responded fast and with integrity. That means as much to me as their secure systems.
An Added Bonus to Family Accounts! Many password managers allow you to set them up on your kids’ devices, which you as a parent will have access to in case you need to check in on their accounts. Moreover, many people use family accounts for aging parents as well, so that if they get sick, you can take care of their affairs and have access to their accounts in a secure way.
As a starting point, here’s a list of some of the best password managers to consider from our good writers at CyberNews.com, including:
- LastPass
- Dashlane
- Bitwarden
- RememBear
- 1Password
- Keeper
You can also google “password managers” for more options but be sure you are researching the company before subscribing and use a strong master password.
Being secure doesn’t have to be inconvenient and frustrating. With tools like a password manager, you can simplify your life, enjoy some well-deserved peace of mind, and keep your accounts safe from cyber attackers.
More cyber tips can be found at https://www.in.gov/cybersecurity.