Cybersecurity for VASCOs: Protecting Sensitive Data

Threat 1: Phishing Attacks

What it is: Fraudulent emails designed to trick you into revealing passwords, clicking malicious links, or downloading malware.

Common Scenarios:

• “Urgent” email from “VA” requesting you verify student information via link
• Fake student email asking you to open attachment or click link for certification documents
• Spoofed IT department email claiming your password will expire, directing to fake login page
• “Dean” or supervisor requesting wire transfer or confidential student information

Impact: Account compromise, data theft, ransomware infection, financial fraud.

Threat 2: Unsecured Data Storage

What it is: Sensitive information stored in locations without appropriate security controls.

Common Scenarios:

• Student records in personal Dropbox, Google Drive, or email accounts
• SSNs and benefit info in unencrypted Excel spreadsheets
• Physical documents left unsecured on desk overnight
• Backup USB drives containing sensitive data without encryption

Impact: FERPA violations, identity theft, regulatory penalties, institutional liability.

Threat 3: Weak Authentication

What it is: Insufficient password security or lack of multi-factor authentication.

Common Scenarios:

• Simple, reused passwords (VeteranServices2024!)
• Passwords written on sticky notes near computer
• Shared accounts or passwords among office staff
• Multi-factor authentication disabled for convenience

Impact: Unauthorized system access, data exfiltration, impersonation.

Threat 4: Insider Threats (Unintentional)

What it is: Well-meaning staff accidentally creating security vulnerabilities.

Common Scenarios:

• Emailing student records to personal email to work from home
• Discussing student cases in public spaces (coffee shops, hallways)
• Leaving computer unlocked when stepping away from desk
• Using public WiFi to access student information systems

Impact: Data exposure, FERPA violations, privacy breaches.

Practice 1: Strong Authentication

Practice 2: Secure Data Handling

Digital Data:

• Only use institutional systems (never personal cloud storage)
• Encrypt sensitive files (built into Office, Google Docs)
• Delete data when no longer needed (don't hoard)
• Use secure file transfer methods for sharing
• Never email SSNs or sensitive data unencrypted

Physical Data:

• Lock filing cabinets containing student records
• Shred documents before disposal (cross-cut shredder)
• Never leave sensitive documents unattended
• Lock office when leaving, even briefly
• Minimize printing of sensitive information

Practice 3: Email and Communication Security

Identifying Phishing Emails:

• Verify sender address carefully (hover over name to see actual email)
• Be suspicious of urgent requests, especially financial or password-related
• Don't click links in unexpected emails, navigate directly to websites instead
• Hover over links to preview destination before clicking
• When in doubt, contact sender through known channel to verify

Sending Sensitive Information:

• Use institutional secure email system or encrypted file sharing
• Never include SSNs in email body, use last 4 digits only if necessary
• Verify recipient address before sending (typos = wrong person)
• Use BCC for group emails protecting student privacy

Practice 4: Device Security

• Computer security: Enable automatic screen lock (5 minutes max), use full disk encryption, keep software updated, never leave unlocked
• Mobile device security: Require passcode/biometric lock, enable remote wipe capability, avoid accessing sensitive data on public WiFi
• Remote work: Use VPN for off-campus access, never use public computers for student data, ensure home network is password-protected
• USB drives: Encrypt if used for sensitive data, never leave unattended, properly dispose when no longer needed

Required Training Components

Module 1: Data Classification & Handling (Annual)

• What constitutes sensitive veteran data
• FERPA requirements and implications
• Proper storage, transmission, and disposal methods
• Real-world case studies of breaches

Module 2: Phishing Awareness (Quarterly)

• Identifying phishing attempts
• Common social engineering tactics
• Simulated phishing tests (coordinate with IT)
• Reporting suspicious emails

Module 3: Incident Response (Annual)

• Recognizing security incidents
• Immediate response steps
• Who to contact and when
• Documentation requirements

Module 4: Emerging Threats (Semi-Annual)

• New attack vectors and scams
• AI-powered phishing and deepfakes
• Ransomware trends
• Updates to security policies

Scenario: Clicked phishing link

Response: Notify IT security immediately. Change all passwords. Monitor accounts for unauthorized activity. If work device, disconnect from network until IT clears it.

Scenario: Lost/stolen device with student data

Response: Notify IT security and supervisor immediately. If device has remote wipe enabled, initiate. Document what data was on device. May require notifying affected students depending on data sensitivity.

Scenario: Accidentally sent email to wrong person

Response: Contact recipient immediately requesting deletion (call, don't email again). Notify supervisor if sensitive data disclosed. Document incident. May require breach reporting if FERPA data exposed.

Daily Security Habits:

• Lock computer when leaving desk
• Verify email senders before clicking links
• Secure physical documents before leaving
• Log out of systems when finished
• Question unusual requests for information

Weekly Security Review:

• Review sent emails for misdirected messages
• Check for software updates on devices
• Audit who has access to sensitive files
• Shred accumulated paper documents
• Review and delete old data no longer needed