It’s unlikely that anyone started 2020 with the expectation that we would all be so reliant on being remote. Unfortunately, this pandemic is exactly like other emergencies in that it has attracted malicious elements seeking to make a profit. It won’t have escaped cyber criminal’s attention that a large amount of devices that were previously connecting via sheltered institutional networks are now logging on from less defended home connections.
An example is the excellent and informative Coronavirus Resource Centre Map produced by Johns Hopkins. A malicious individual has already set up an copycat site, which presents the same map, but spams the user with Amazon affiliate links.
With that in mind, how can we protect residents who are suddenly remote?
In a perfect world, we’d all to the right thing, but students are going to click on the wrong links, they are going to run programs they shouldn’t, and they will use the same passwords in multiple places. There is no group that is immune to making mistakes, and even if students do the right thing most of the time, attackers only need to get lucky once. With that in mind, we can’t fully trust a student’s computer.
This means we need to be careful about opening any attachments we are sent and rely on storing data in cloud systems rather than locally. Now is also a great time to turn on multi-factor authentication (MFA) everywhere, and for everyone. The options for MFA you have available will depend on the system you and your students use to sign in, but they almost all support MFA in some regard (such as Active Directory, Shibboleth, and CAS).
In addition to the technical measure of enabling MFA, you need to have a robust approach to identifying residents when they contact you. This can take many forms, but as a general principle, when you receive a request from a resident, you should verify it by making contact using a separate channel. For example, if they send you an email, you could verify by calling them on their listed number and asking them to confirm. If they call in to you, you might send them an email to confirm. Processes like this force an attacker to impersonate someone via two different channels, which is considerably harder than just one.
Incidentally, a strong verification procedure is also a requirement of California’s new Consumer Privacy Act, so there is no better time to ensure you have a process you can rely on.
Most organisations will have already set up a COVID-19 information page and are sending out emails to keep residents informed. This is an essential way to start communication, but email but doesn’t have much security around it and where practical you should move the conversation to other channels.
The StarRez Housing Portal is a great resource in this regard. Communicating that you have information via email and sending the resident to a Housing Portal link automatically removes external eyes that can’t log into your systems. Similarly, collecting information behind a login adds a layer of trustworthiness to the information submitted.
Where this isn’t an option, remember that a video or phone call is many times more secure than an email ever will be, though it lacks the one-to-many capabilities that we often need. Regardless, it’s still a good option to consider for sensitive communications, such as discussing a subject’s health information.
While this isn’t cyber security per se, it’s still relevant to protecting residents in these times; remote students still need forums to communicate, collaborate and share their thoughts and feelings.
E-learning platforms provide forums for classwork, but this doesn’t allow for ad hoc social conversations that would occur in hallways. Consider setting up a channel such as Teams or Slack so that you can make a place for that activity and lead the conversation. If you don’t do it, it’s likely that your students will make one unofficially.
Shared activities can still be social events online. Consider what programs you can run for remote students, and ways they can interact with each other at distance. If you have StarRez Rez 360, now is a great time to pay additional attention to each student’s engagement with those activities. Being remote can be isolating, and we are all going to need to look out for each other.
Consider what advice students are going to need while they aren’t physically present. Many will be new to participating remotely, and it’s a learning experience we can all share. There are many tips and tricks to optimizing the remote learning, and the constant stream of communication will be reassuring for the recipients.
And with that in mind, we’ll share one of ours: make sure all the files you care about are backed up to the cloud – ransomware, or just plain accidental deletion can ruin your day.
As this situation evolves, here are some helpful resources in your discussions and planning:
StarRez Customer Emergency Management Resources & Support (requires Login):
What is the most effective social media strategy for student housing?