Our goal is to raise awareness, to share best practices, and to empower individuals to own their role in cyber security so that they can take steps to improve the security of not only their home lives, but their businesses or organizations they’re affiliated with, et cetera. – Daniel Eliot
The longer the password, the better, the more secure it is, the longer it takes for a cybercriminal to crack it. – Daniel Eliot
And a third one, in addition to strong pass-phrases, enabling two factor authentication, is making sure that the software’s updated on all of those devices. – Daniel Eliot
The 2020 Verizon data breach investigation report actually found in their research that ransomware accounts for nearly 80% of malware infections in the educational services industry. – Daniel Eliot
Parents should let their children know that if the child feels uncomfortable with any messages or images that are sent to them, that they should feel empowered, they should feel comfortable reporting it to the teacher and the guardian immediately. – Daniel Eliot
When you’re done with your camera, it’s always good to cover it when not in use. – Daniel Eliot
All of it is free and open to the public, and schools themselves can take these resources and co-brand them and repurpose them for their own communities and push them out. – Daniel Eliot
Annette Stevenson: Today, we are joined by Daniel Eliot, NCSA’s director of education and strategic initiatives. In his role, Daniel brings together the federal government, the state and local governments, academia, and the private sector to discuss cutting-edge issues and to implement high-quality, large-scale education awareness efforts. Daniel, thanks for joining us today.
Daniel Eliot: Thanks for having me.
Annette Stevenson: Can you start by explaining the role that your organization plays in protecting the public from cyber threats?
Daniel Eliot: Sure. The National Cyber Security Alliance, which was actually founded in 2001, has been creating and deploying cyber security awareness efforts for the last almost 20 years. And so our goal is to raise awareness, to share best practices and to empower individuals to own their role in cyber security so that they can take steps to improve the security of not only their home lives, but their businesses or organizations they’re affiliated with, et cetera.
Annette Stevenson: I’d like to touch on a couple of issues that have impacted school communities. One is cyber bullying, and that’s not a new topic but it continues in the student space. And the other is Zoom bombing. That’s a little bit more recent in the headlines, I believe, where school boards are conducting public meetings and there’s been some incidents that we’re calling Zoom bombing. So, can you talk to us a little bit about how schools can prepare their students and how they should address the cyber bullying issue? And then also on the Zoom bombing side, what can the school communities be doing about that?
Daniel Eliot: Yeah. You know, we’ll probably never be devoid of menacing behavior, but I think there are quite a few things we can do to minimize the opportunity for it to surface.
Annette Stevenson: Okay.
Daniel Eliot: One component of this is creating a toolbox for educators and students. This technology toolbox should have, one, I think, approved technologies that educators and students should be using, and administrators, so that they know what technologies to use. And also, it should have an appropriate level of training and guidance on how to configure those approved technologies, configure the privacy and security settings of those technologies. For instance, when it comes to Zoom bombing, people should know how to create passwords for their virtual sessions so uninvited participants can’t join. To limit bullying, people should know how to limit chatting capabilities for participants or file sharing capabilities. If you don’t provide a toolkit of approved technologies, and then once you have those approved technologies, guidance on how to configure those, then you leave it up to each individual to create their own solutions for how to host a meeting or how to facilitate a course or whatever it is. And that’s a dangerous approach to take for everyone involved.
Annette Stevenson: You said earlier the word empower, and I think that’s important here, that the tools and the toolbox that you’re mentioning, that’s empowering individuals and organizations to take control of that situation. Would you say that’s accurate?
Daniel Eliot: That’s definitely accurate.
Annette Stevenson: Okay. When schools shuttered in March, many school districts worked to provide each student with a personal device so that they could continue their instructional time online. What is the importance of differentiating between the use of personal and school-issued devices?
Daniel Eliot: Yeah, I think this question not only applies to students, but also to administrators and faculty themselves. It’s a best practice to use your school or work-issued devices only for school or work-related activities to cut down on the potential of the device being infected by malware or ransomware. Because what we do for work is very different than what we do for pleasure, such as playing games, where there are opportunities for malware to be downloaded, and shopping, where there are malicious advertisements that could infect the device. And so we want to have a strict differentiation between the two to protect the device. And this is where configuring permissions comes in handy. So, for instance, the school’s IT should probably make sure that students don’t have the authority to download any unauthorized software programs onto the devices. They should come prepackaged with the authorized software programs that they need to use. Those students don’t need administrative access to the devices, and the same goes probably for the school employees. So, a lot of it can be remedied with just access controls, I think.
Annette Stevenson: Okay. And that blurring of the lines as far as students being at home in their home space and they’re on a school device, but then they’re in their off time. And I think the same could be said even as professionals have moved to remote work scenarios. Is there anything that you would suggest around router usage and passwords and things like that, that both parents and just professionals in their roles at home should be aware of?
Daniel Eliot: Well, in particular, each router will come with a manufacturer’s password. So, one of the first things you need to do is make sure that the password for your router is changed to a unique and lengthy passphrase. In the form of a sentence is usually helpful, like, “I like to eat ice cream on Sundays,” and change some of the characters in there. But the longer the password, the better, the more secure it is, the longer it takes for a cybercriminal to crack it.
Annette Stevenson: Yeah. So, that’s just a basic protection that everyone should be doing.
Daniel Eliot: Basic protection, a lot of cyber security comes down to some of the very basics. All your devices in your home, make sure you change the manufacturer’s password to one that’s unique to that device and long. Making sure that all your passphrases on all your devices and accounts are lengthy and unique. Making sure that you enable two factor authentication on all of your accounts. And a third one, in addition to strong passphrases, enabling two factor authentication, is making sure that the software’s updated on all of those devices. Those three basics go really far in protecting your home and work devices and accounts.
Annette Stevenson: Wow, that’s huge, because they are simple, but maybe folks aren’t taking time to do that just in the course of busy life.
Daniel Eliot: Yeah. Stop clicking “postpone” on those updates.
Annette Stevenson: Yeah, good reminder. So, with respect to safety, specific safety and security features. What are some of the features that a school should look for if they are considering a platform for student use? Is there any specific standout features that would be helpful?
Daniel Eliot: Yeah, I think for virtual platforms in particular in my mind is, a lot of people grapple with which ones are the best to use, et cetera. I think, and with any platform, one is evaluating how you can configure the permissions of the participants. So, can you restrict file sharing among participants or video sharing? How much power does the host or moderator have within that platform? That’s really important. I also think for platforms, can they be private, so not publicly advertised or available? So how can you restrict how broadcasted they are to the general public if you want to keep them private? I also think if you’re having individual sessions, how can you lock those down with unique passwords that only the participants or those invited can use to enter that particular session?
Annette Stevenson: Okay.
Daniel Eliot: I have two more, I think. One would be, this one goes back to how much power the host has, is can they expel someone quickly from the meeting? So, if someone is causing a ruckus, can they mute them, or can they expel them completely from that session? Which I think is incredibly important. And lastly, I think is a really important one, particularly when we’re talking about HIPAA and students’ data rights and all of that is, are the meetings encrypted? So, can you have a session that is encrypted so that it cannot be manipulated? And so those are just a few I would consider as you’re evaluating different platforms.
Annette Stevenson: It sounds like that extends across platforms you might consider for students or conducting meetings as well, really.
Daniel Eliot: Oh, yes. Oh, yeah.
Annette Stevenson: Okay. You may have touched on some of this already, but with respect to ransomware and that being a big concern in the education sector because of the confidential data that is stored by a school district, is there anything around ransomware attacks that you would … And with students learning and having their instructional time at home now, how can districts continue to defend themselves against ransomware attacks?
Daniel Eliot: Yeah, this is a big one. The 2020 Verizon data breach investigation report actually found in their research that ransomware accounts for nearly 80% of malware infections in the educational services industry.
Annette Stevenson: Oh, wow.
Daniel Eliot: So, ransomware is the thing to be educating your employees and students on. Education is still a critical component of this, helping users identify what ransomware looks like, but there’s also a lot more than just that end user education. Districts can also whitelist applications or blacklist applications, which prevents unauthorized applications from being downloaded or run. They can limit, as I said earlier, administrative access, so that employees or students are limited to how much they can do on their devices as far as downloading applications or programs or accessing certain types of sites. Making sure that the devices are running security software. What are those basics, such as antivirus software, and how are users managing the updates to all of these devices?
Daniel Eliot: So we say updates are important. We give everyone their own devices, but then how are we making sure that they’re actually updating them? Are those updates being pushed from a central administrative function, or is each individual user responsible for updating? And if that’s the case, then how are we helping them understand the importance of updated software, of running their antivirus software, of not downloading malicious software and how to evaluate what applications they can and cannot run on their device? So, a lot of it is education, but there are some technical pieces of it that districts can take or schools can take to protect themselves as well.
Annette Stevenson: Now, talking about protecting students, so children are home and they’re learning remotely and they’re also just online more, in front of the screen more right now. What role do parents play? They play a big role obviously in keeping their kids safe, but what tips can you offer for parents if they are looking to put into place protective measures? I know you’ve talked about certain controls and things like that. Is there anything additional that can be offered up for the parents?
Daniel Eliot: Yeah. So I’ll say that there are, many browsers and programs offer parental controls, which are good to help prevent children from going to, accessing certain sites, et cetera. But that doesn’t replace a conversation with your child. It doesn’t teach them secure behaviors. It just prevents them from accessing certain stuff. So, one piece of it is, have a conversation with your child about the dangers of being online. And for a remote learning environment in particular, parents should let their children know that if the child feels uncomfortable with any messages or images that are sent to them, that they should feel empowered, they should feel comfortable reporting it to the teacher and the guardian immediately. Sometimes in these virtual environments students feel like they’re disconnected from their teachers, but they should feel empowered to reach out to the teacher or the guardian immediately.
I would also say parents should reinforce to their children that if anyone online asks the student for any personal information, their name, address, password, that they should not give it out. So, having this conversation is really important for parents. I would also say, and this is particularly right now as more students are home and we’re playing more games online to entertain ourselves, that parents should probably play the game that the children are playing so that they understand the environment that these children are immersing themselves in. So, put themselves in the shoes of the students, see what exactly information is being requested from this game or what permissions are able to be configured within the game. But that also applies to any online environment. The parents and the children should configure privacy and security settings on these different environments together so that they both learn.
Annette Stevenson: Yeah.
Daniel Eliot: And I’ll just say, the National Cyber Security Alliance, we often will publish tip sheets. And we issued a great tip sheet on our website titled, “Tips for Parents Raising Privacy Savvy Kids.”
Annette Stevenson: Oh, great.
Daniel Eliot: And that’s posted on our website, and it talks a little about some of the conversations you can have and some of the tips I just mentioned. We’re currently working with EDUCAUSE to develop some tip sheets for back to school security, which will be released in the next few weeks. So, I’m excited about those.
Annette Stevenson: Oh, that’s awesome. Okay. And we’ll be glad to post links and such along with the podcast so that viewers can take a look at where those are on your site.
Daniel Eliot: Great.
Annette Stevenson: One other thing, video conferencing has become so, so prevalent right now. It was available before but obviously has become really, really prevalent, replacing the in-person time. So, video conferencing services that students might be using, they might be using Zoom or other platforms that offer a view into the student’s home. Is there harmful information that can be gained if someone who is ill-intentioned were able to see a student in their home environment? Is there anything harmful or dangerous about that?
Daniel Eliot: Sure. Think about this convergence of work, home and schooling. So, one, if parents are working from home, they might have confidential information for their work that might be seen if a student has their camera on. Or say they’re sitting in front of a window, and outside in the window, the blinds are open or the curtains are open, and you can see the cross streets from a street sign. There is confidential information that can be displayed. And so we always encourage parents and students both to, if they’re going to be in a virtual session where the camera’s on, to really evaluate what’s in that background, ideally to have a neutral background, just a blank wall. Or, all of these platforms now, or a majority of them, are allowing you to create your own virtual background with just a photo that you … It could be a fun classroom activity of creating your own virtual background. Whatever it is, having a neutral background that doesn’t really showcase the inside of a student’s bedroom or inside of your home is really the best practice. Giving away less information is always better.
Annette Stevenson: Yeah, especially out in that public virtual space.
Daniel Eliot: Yeah. And you know, when you’re done with your camera, it’s always good to cover it when not in use. Some laptops are now building in the ability to cover the camera into the actual device itself. But if you don’t have that capability, put a Post-it Note or a piece of tape over the camera. But just cover it when you’re not using it. Because there have been instances of cybercriminals who have been able to tap into your laptop or device or toy that has a camera, so many things have cameras, and be able to look into the child’s bedroom or look into your home. So, it’s always good to just turn that functionality off or block it when you’re not using it.
Annette Stevenson: Yeah. Boy, that’s a scary threat right there, what you’ve outlined. So, you mentioned that you have some tips coming out, and I’m certain that your website may be the place where you’ve got a lot of resources available. Can you tell us how viewers can access your website? Where does that live?
Daniel Eliot: Yeah, so the National Cyber Security Alliance’s website is staysafeonline.org. And in the top right corner there’s an orange button called resources library. And that’s where individuals can really access all of the tip sheets and infographics that we make available. All of it is free and open to the public, and schools themselves can take these resources and co-brand them and repurpose them for their own communities and push them out. We also co-lead National Cyber Security Awareness Month, which is coming up this October. It’s recognized every October, and each year we run a champions program. And it’s now open, and I encourage each school and district to sign up as champions. And what that involves is receiving a champions toolkit full of great resources that they can use to spread awareness to their different communities in October. And again, it’s completely free and it’s just to promote cyber security awareness across the country. And so, it’s in collaboration with the federal government, the Cyber Security and Infrastructure Security Agency. But yeah, you can learn more about all the champions program, Cyber Security Awareness Month and all of our resources at staysafeonline.org.
Annette Stevenson: And key that you mentioned is that this is all free and schools can use this as they would, they can distribute it to their community. Is that correct?
Daniel Eliot: That’s correct.
Annette Stevenson: Awesome. That’s great. Well, I really want to thank you for giving such important information and joining us on this episode. Thanks for joining us, Daniel.
Daniel Eliot: Thanks for having me. It’s been a pleasure.
Daniel Eliot is director of education & strategic initiatives at the National Cyber Security Alliance (NCSA). In this role, he’s responsible for NCSA’s educational portfolio, and helms one of NCSA’s most successful initiatives, CyberSecure My Business, which is a national program designed to help organizations of all sizes learn to be safer and more secure online. Mr. Eliot assembles the federal government, state and local governments, academia, and the private sector to discuss cutting-edge issues and create and implement high-quality, large-scale education and awareness efforts. Daniel is an accomplished speaker and champion when it comes to cybersecurity, and regularly speaks at events across the country and collaborates on regional and national cybersecurity initiatives.
Prior to his tenure at NCSA, he worked both within and in an advisory capacity to small businesses. Most recently, Daniel worked at the University of Delaware in their Office of Economic Innovation and Partnerships as the manager of technology business development. While there, he developed specialty programs to help small business start and scale. One such effort was Delaware’s small business cybersecurity program. This state-wide program is designed to help Delaware’s small businesses identify threats; develop cybersecurity readiness plans and processes; detect breaches; and respond to and recover from successful cyberattacks. Because of his efforts, the Delaware SBDC became one of the national leaders in small business cybersecurity education and outreach. In 2018, Daniel received a letter of commendation from Governor John Carney’s Cyber Security Advisory Council for his efforts addressing cybersecurity awareness and education across Delaware.
Outside of cybersecurity, Daniel has taught at Temple University in their Center for Social Policy and Community Development and managed a portfolio of technology-based projects for the National Center for College Costs, a technology start-up out of DePauw University.
Daniel holds a B.S. and M.S. from Indiana University, Bloomington