A Q&A with Kevin Lanning, UNC-Chapel Hill Chief Information Security Officer
What is your strategy for information security at Carolina?
Collaboration is critical. We collaborate with IT directors across campus, as well as faculty and staff, so that we design and maintain the strongest architecture possible to keep Carolina safe. We constantly assess the strengths and weaknesses of our systems and make adjustments so that we are more resilient to intrusions. We also run devices that prevent, detect and defeat intrusions so that we can react very quickly to protect the University. While the Security Office has to do a fair amount of reactive work because of the number and regularity of attacks, we want to be proactive as much as possible.
We collaborate with other research universities and partners so we can anticipate what intruders might do tomorrow rather than just being reactive to what they did previously. We also rely on user awareness. Everyone can help protect Carolina’s information resources by being cautious and vigilant.
How many “cyber attacks” do we see every day against our campus and how does it compare to what other organizations, both public and private, face?
Every day we see thousands of intrusion attempts against our information systems. These attacks are attempted in a variety of ways at all hours of the day. We see a lot of what I’ll describe as “knocking on the door,” testing to see how vulnerable systems might be. Those knocks on the door and attacks come from all over the world. We monitor our systems 24/7 to keep campus safe. We certainly aren’t alone in this battle — every university and company faces this challenge.
What does the prevalence of attacks say about the extent of the problem and the threat to individuals and organizations?
I think it tells us that cyber threats and information security risks are a part of the new normal. We get smarter and faster about safety measures, but the bad guys respond, adapt and pursue new strategies as well. Cyber security can no longer be something practiced just by IT professionals. Everyone who does any sort of business online needs to take personal responsibility.
How worried are you and how worried should we be as individuals?
I’m not sure “worried” is the right word. Only information security folks should worry all day, every day about our cyber security. The average person shouldn’t.
The best thing anyone can do is to be aware and vigilant. Awareness means reading articles after a security breach — understanding what happened, why it happened, who is affected and acting quickly if you believe sensitive information is in danger. Even if you weren’t a customer at a specific company, being aware of what’s happening is important. It will give you context if your own information is breached in a similar situation.
What are the primary ways we can protect ourselves from cyber threats?
Awareness, education and vigilance are so important. As a private citizen, the best thing you can do is be completely aware of all of your cyber information (social media accounts, credit and banking accounts, etc.) and default to being very protective. You are your own best asset in the fight against cyber security threats.
Have the safest, most secure passwords possible and make sure you use a different password for each of your accounts. That way, if one password is compromised, an intruder does not have access to all of your other accounts. If an online site, like a bank, offers a second authentication factor (like a code sent to your smart phone), use it! It’s also helpful to keep an offline copy of your essential information in a safe place. I’ve seen so many people lose essential documents, including irreplaceable photos and personal files, to malware (e.g., a virus).
If you suspect an IT security issue on campus, you should call 919-962-HELP or follow the advice of local campus technical support staff. We have found that rapid response is very effective in resolving problems before attackers have a chance to steal sensitive information.
October is National Cyber Security Awareness Month. Visit ITS News throughout October for posts offering cyber security advice from experts and other tech tips. For additional cyber security tips and to check out the activities and resources associated with National Cyber Security Awareness Month, visit the national campaign’s website.