Q&A With Richard Biever, Duke University’s Chief Information Security Officer

As part of National Cybersecurity Awareness Month in October, Working@Duke talked with Richard Biever, Duke University’s chief information security officer, about how he leads efforts to protect Duke’s data in a world of escalating threats and breaches.

What are your biggest concerns as chief information security officer at Duke?

We live in an era in which computer security cannot be guaranteed. Watching breach after breach in the news, from the United States Office of Personnel Management and Target to some of our peer institutions, makes us aware that not only could a breach happen, but it probably will happen at some point. This highlights the need for us all to take a reasoned and measured approach to focus our efforts on protecting sensitive Duke data.

What are the biggest issues you see at Duke?

Lost or stolen devices are a big area of risk because we put so much of our lives on these systems, and they can just disappear. We’ve had faculty, staff and students whose laptops were left unattended, stolen out of cars or even their homes. On campus, a hacker could find a web server that hasn’t been patched, get into that system and deface a public website. And of course phishing is still the number one security issue we address daily. Last month, we locked almost 100 accounts because they were compromised. We still see people fall for fraudulent email messages and give up their account information or open attachments that infect their computers. Most of these incidents are opportunistic and avoidable. Everyone should encrypt their device, patch their system, and think twice before they click.

We’re also seeing a trend in higher education of increased targeted attacks, where hackers try to gain access to specific data or accounts. Higher ed is a natural target because of our open network and because we get to work with a lot of really interesting and valuable research data.

Richard Biever, Chief Information Security Officer

What is the CyberSmart Pledge, and why should people sign it?

Our goal this fall is to provide guidance for the 70,000-plus people who access Duke data and systems while they’re at home or away from campus. It’s about easy things you can do to protect yourself, your own data and your access to Duke systems and data. The pledge is focused on helping people make informed common-sense decisions.

We've moved past the point of security being an IT problem. It's everybody's responsibility, because the most secure system in the world can be bypassed if one person makes a mistake, such as exposing their password via a phishing message. Good security is all about the basics: keep your machine patched; don’t save sensitive data on an unencrypted USB drive; use multi-factor authentication not just for Duke systems but everywhere. If you have kids at home, either don't let them use the same computer you use, or set up a different account on that computer for them to use. The basic idea behind the pledge is encouraging everyone to think twice before doing something on your computer or the Internet that could lead to an account or machine compromise, or exposure of sensitive data.