Attacks Are Relentless
Protecting NIH from Cyber Attacks—How You Can Help
Picture this: You open your NIH laptop in the morning and find an email asking you to provide your NIH login credentials for verification purposes. You pause to think—would NIH really send me an email like this? You hit the Report Phishing button in Outlook, sending the email for security review. Next, you open a Word document containing an RFP you’re preparing for a new virtual collaboration tool. You ping your information systems security officer (ISSO) to ask for an update on the security review process—your ISSO tells you that everything is on track for your deadline and assures you that her team will make sure the tool will keep your program’s data safe. You switch back to Outlook where you draft an email to a colleague and attach a PDF containing sensitive information. Before hitting send, you make sure to encrypt the email so that the PDF can’t fall into the wrong hands.
This is the vision that the NIH Cyber Safety Awareness Campaign has for each of us—the seamless integration of cyber-safe attitudes and behaviors into all of our roles, from scientist to administrator.
The headlines around cybersecurity in health care are sobering: each and every day, high-profile health organizations around the world are being targeted by cyber criminals who seek to steal data, disrupt operations and pursue financial gain at the expense of patients, staff and science. NIH is not immune from these types of attacks. In fact, more than 98 percent of email to NIH servers is blocked because it contains dangerous malware or spam. This amounts to more than 23 million malicious emails a day.
The reality is that as cyber threats and actors become more sophisticated and aggressive, organizations like NIH are increasingly vulnerable. The good news is that each one of us, regardless of our role, has the power to help keep NIH safe by practicing cyber safety on a daily basis. As NIH director Dr. Francis Collins noted last December, “Cyber safety is not solely the responsibility of staff in information technology, security or privacy functions. It is the concern of the whole NIH community.”
If you’re feeling uncertain about what cyber safety means for your role, the NIH Cyber Safety Awareness Campaign is here to help. The campaign, an Optimize IT Security initiative, has a website (https://ocio.nih.gov/InfoSecurity/Pages/CyberSafety.aspx) that is constantly being updated with new, easy-to-understand one-pagers on a variety of cyber safety topics such as phishing and acquisitions. The website also provides contact information for security and privacy staff who can help answer your questions and publishes new stories each month about real-life cyber safety incidents that have happened at NIH. The campaign invites you to bookmark the site and share it with your colleagues.
The campaign also hosts a variety of engaging events each week, providing interactive presentations at all-hands meetings, professional affiliation and networking events and more. If you’d like staff to present to your audience or if you feel your group would benefit from receiving monthly cyber safety emails with helpful tips and real-life stories, email Jothi.Dugar@nih.gov.
For NIH’ers who are ready to deepen their commitment to cyber safety at NIH, the campaign invites you to join the NIH Cyber Champion Program, a network of engaged employees at all levels and across all roles who are committed to improving adoption of cyber-safe behaviors at NIH. By becoming a Cyber Champion, you’ll join a cadre of more than 40 volunteers who have already stood up to embrace their commitment to cyber safety by spreading the word through their own networks.
Regardless of your title, IC or function, you are an essential part of NIH’s security posture. Your daily decisions regarding cyber safety matter and they can be the deciding factor between keeping NIH safe and exposing us to cyber risk. By learning more about cyber safety at NIH, you are making a meaningful commitment to protect our people and our science from cyber threats.