DATA PRIVACY DAY

As we celebrate Data Privacy Day on January 28, remember that strong privacy starts with strong information security. The two work hand in hand to protect what matters most.

Information security is about preventing unauthorized access, much like putting locks and bars on doors and windows to keep intruders out. Data privacy, on the other hand, is about controlling what information is visible and to whom, similar to closing the curtains so personal details remain private even when someone is allowed inside. Both are essential, and neither is effective without the other.

In today’s threat landscape, personal information in the wrong hands can be used by bad actors to carry out social engineering scams that lead to financial loss, misuse of healthcare benefits, or identity theft. Most organizations, applications, and individuals do not need access to your data, and they should not have it. Being thoughtful and exercising critical judgment about what information you share, and with whom, is one of the most effective ways to reduce risk. While Data Privacy Day emphasizes controlling who can see your information, achieving that control depends on consistent and strong security practices.

- Josep Riera Vuibert, Acting CISO 

How AI is Reshaping Privacy Risk

Artificial intelligence is reshaping how universities operate, bringing both opportunities and risks. Cybercriminals misuse AI to craft highly convincing emails or deepfake voices that impersonate administrators or IT staff, often referencing real university systems or research to gain trust and request access. Drexel’s Interim CIO, Dr. Pablo Molina, recently spoke with the media about how attackers are increasingly using AI to make scams more believable and harder to detect. When used responsibly, AI is a powerful ally that enhances learning, strengthens cybersecurity monitoring, and streamlines administrative processes. Recognizing both its risks and benefits allows universities to protect people and information while continuing to support research, education, and innovation.

Stay Safe:

• Slow down and verify urgent requests through official channels.
• Use only approved AI platforms for university work.
• Do not share HIPAA, FERPA, PCI, FCI, CUI, PII, or research data with public AI tools.
• Enable multi-factor authentication (MFA).
• Follow Drexel’s Generative AI Guidance.

AI is powerful, but vigilance is your best defense.

Something Smells Phishy: Don't Bite! 

The increasing frequency and sophistication of phishing and smishing attacks pose a serious threat to the Drexel community, often leading to financial loss and the exposure of personal information. Smishing uses deceptive SMS messages such as fake job offers, delivery notices, or unpaid ticket alerts to trick individuals into revealing sensitive data.

If you suspect you have received a phishing email in your Drexel account, please report it right away. Prompt reporting helps protect both individuals and the university. For guidance on how to report suspicious emails, visit the Report Abuse webpage.

Avoid Third-Party VPN Risks — Use Drexel’s Secure VPN

Consumer VPN services such as NordVPN and ExpressVPN may appear to offer added privacy, but they can introduce real security and privacy risks. These services may log and monitor user activity, and claims of “no logging” cannot always be independently verified. In addition, VPN providers operating outside the United States may be subject to different privacy and data-handling laws. For these reasons, third-party VPNs are discouraged for accessing university resources.

Drexel’s VPN, powered by Cisco Secure Client, provides a secure, encrypted connection to campus systems and services. It is the recommended method for accessing Drexel files, databases, and applications from off campus. Setup instructions and downloads are available on the VPN webpage.

Higher Ed Security Incidents: A Closer Look

Recently, several major universities, including UPenn, Columbia, and Dartmouth, disclosed significant cybersecurity incidents, reinforcing that higher education remains a prime target for attackers. In some cases, attackers gained access to alumni or donor-related systems and used compromised accounts to send fraudulent messages, while other incidents involved phishing, social engineering, or exploited software vulnerabilities. These examples highlight the importance of strong security practices and ongoing vigilance across the university community.

Cyber Safety Starts With You

Cyber threats are evolving rapidly, and system intrusions remain a significant risk to universities. Protecting sensitive data starts with you. By practicing smart security habits, you help keep our systems safe and our community secure.

• Stay alert for phishing emails and SMS messages and verify suspicious requests before responding.
• Use strong, unique passwords and enable multi-factor authentication where available.
• Keep your devices and software up to date and use Drexel’s secure VPN when accessing university resources remotely.

DUST Up Your Defenses!

Build your cybersecurity awareness and help protect the Drexel community by completing the Drexel University Security Training (D.U.S.T.). Students, faculty, and staff can self-enroll through the DUST webpage and earn a SANS security training certificate.

Information Security Resources

Visit the Drexel Information Security website for cybersecurity news, common scams, FAQs, and guidance.

Review Information Security Best Practices for tips on working and learning remotely.

Report suspected cybersecurity incidents to informationsecurity@drexel.edu.