Brent Warner 0:08
We’re back with part two of our conversation around technology, security and access, interviewing IVC, Director of Technology Services, Nick Wilkening. This is the HigherEdTech Podcast Season Six, Episode 15.

Tim Van Norman 0:27
Welcome to today’s HigherEdTech Podcast. I’m Tim Van Norman, the Instructional Technologist at Irvine Valley College, an adjunct professor of business at Cypress College,

Brent Warner 0:35
and I’m Brent Warner, Professor of ESL here at IVC. We both enjoy integrating technology into the classroom, which is what this show is all about.

Tim Van Norman 0:44
We’re welcome. We’re glad you’re here with us. So today we’ve got Nick Wilkening again, and this time we’re at a conference. And so it might sound a little different, we’re both. We’re literally sitting right next to each other, and Brent is at home back in Southern California, and so we’re at a conference here, just taking up a room to to do this interview. So, and actually, the conference is about technology and and security and stuff like that. So I think it’s a really appropriate conference for this particular recording as well.

Brent Warner 1:22
Perfect. What’s the name of the conference you’re at?

Tim Van Norman 1:23
Sizzwa, the sorry, I asked Chief Information Security Officer group. So it’s about information security officers in higher education, the technology people in higher education, lots of directors and and above, especially, but a lot of other technology people here at the conference, wonderful. It’s been very interesting all day and a half of it.

Brent Warner 1:54
Good, good. Well, Nick, thanks for coming back. We appreciate it. We’re making up for lost time when we didn’t have you back before. So thank you for coming back.

Nick Wilkening 2:04
Thanks for having me. Yeah, I’m excited. It’s been, it’s been a good conference. And yeah, I’m digging getting back into it. Awesome,

Brent Warner 2:11
awesome. So again, Tim, this is definitely more your area of expertise on when we get started with these conversations. But I will, I will continue to throw in the ignorant questions as we go, and fill out the places where we might not understand all the fine details. But let’s get into it. I mean, there’s a lot to talk about here, absolutely.

Tim Van Norman 2:31
So the main topic we’re going to talk about is emergency preparedness. And as we think about emergencies, often we think about the fact that, oh, this happened all of the sudden, and now, what do we do? But there’s a whole idea of being prepared for them, especially because there’s certain emergencies that we know are likely to occur. We know, for instance, that we live in Southern California, and likely there is going to be a fire, at least somewhere near us every year or two. Now does what does it mean? How can we be prepared? And so we’re thinking about about stuff like that, knowing that there’s certain things we hope we never have to deal with, but there’s also things that we do have to deal with, sometimes more often than we expect, and maybe more often than other people realize. And so as we’ve as we’ve gone through this Nick has been instrumental in a lot of stuff with IVC, with regard to emergency preparedness, especially from a technical standpoint, and I’ve been privileged to be able to be part of an emergency response team. For me, I really joined when it I don’t know if it formed then or what, but over COVID, and all of a sudden, something we never anticipated was front and center for the world. So part of what we what I wanted to talk about as we do this is, how do we as a college get prepared for those foreseen things? Okay, um, obviously we can’t see every possible thing, but there are certain things that we might be at least aware that are likely to happen in the future. So, Nick, I’d love you to talk about the concept of tabletops. So one of the things that we’ve done for preparedness is this thing called a tabletop so talk to me.

Nick Wilkening 4:40
Yeah, good, good question. Excuse me. So to some let me jump right into the concept of what a tabletop is, and then I’ll kind of pivot to how Irvine Valley Collie college and South Orange County Community College District approaches it. So tabletop exercise. Are exactly almost self explanatory, in the sense of, you have a scenario where something bad happens. Let’s use your example of a fire. Hey, there’s a scenario written down on a piece of paper. It says something to the effect of, there’s a fire within a mile of campus. There’s a lot of smoke that’s happening, you know, sets the stage. And then it has what we call kind of injects. There’s different pieces that are added to challenge the people at the table top to think through how they would act if something bad were potentially to happen. And usually, the people at the table tops are decision makers, operations, technology and facilities and maintenance sit on the logistics portion of the emergency operations command structure, which is a full formal structure of how to manage an emergency and an incident, if you will. So each section in in the in the whole entire EOC has the scenario, and all of us role play how we would do our respective actions to prepare for, let’s say, the fire. So for somebody like, yeah, go ahead.

Tim Van Norman 6:14
So just to interject here for a second, EOC emergency operations center, so this is think of it as something happened, and people need to get together to make a decision so that they’re not everybody’s not playing telephone tag or something like that. So emergency operations center, so there’s a couple of times I’ll interrupt here, just not to break the flow, but to make sure that we communicate what each of these parts are.

Nick Wilkening 6:44
Yeah, good. Good point. So as as the The tabletop is split out, you’ll have 567, tables. Each person gets the scenario. If I’m at the table, I’m in charge of technology. If my counterpart in facilities is there, he’s in charge of how to handle facilities and being prepared. There. We’ve got risk management. There’s any number of different folks that can help in the event that there’s a major event, and we talk through what we would do. So if there’s a if there’s a fire, we state, okay, well, from a technology standpoint, there’s not much that we have to worry about, right? We might need to from the from the on campus perspective, but if we send everybody home because there’s smoke that inundates the campus, which has happened in the real world for us, or, let’s say, God forbid, the fire is close to campus itself, we want to if the policy group or the leadership team, the president, vice presidents PIO, make the determination to move people to a remote work status, then technology will be heavily involved. We need to issue out laptops. We need to make sure phones are working. It’s exactly the same role playing and real world work that we did during the COVID pandemic. So we technology kind of fits in almost every real world issue that potentially comes up, whether that’s an earthquake and we lose cell connectivity because earthquake knocks out all the cell towers, or they’re inundated with everybody trying to use cell phones to even civil disturbance technologies utilized for communication. We have different speakers around campus. We have the ability for messages to come to the phones on campus, which is a system called inform a cast that will actually put a message on your phone that says, civil disturbance in this area, avoid Right? Or if it’s marquees or emergency communication systems, if we work with the PIO to make sure a message is pushed out to our emergency communication system, which is called rave that sends a text to everybody’s phone saying, Hey, don’t come to campus. There’s a fire.

Brent Warner 8:49
Sorry Nick, PIO means?

Nick Wilkening 8:52
Oh, Public Information Officer. So for us at Irvine Valley College, that would be our marketing and Creative Services team. They’re in charge of communication. When it comes to much of how communication is disseminated, like from emails, the police department is in charge of certain communications as well. So it helps with us to understand clear lines of effort of who is doing what, because oftentimes, as we’ve all probably been a part of whenever something intense happens, like an incident, whether that’s an earthquake, a fire, any sort of cyber incident, you don’t really know what to do. Doesn’t matter if you’re an end user or you’re walking by and you see a fire and you’re like, you think you should call 911, but like, what if you are a part of the team that needs to help with that? We need to be able to work through what each of us are doing. We’re not stepping on each other’s toes. Things are not getting dropped, and the tabletops help us role play what that looks like before it actually happens, or in prep to something happening. So and so. One last piece I’ll state to that Irvine Valley College lead. Leadership has had a fantastic approach to being prepared for incidents, I would say one of the best I’ve ever seen in my experience, even in the past two years, we have brought on consultants to have run tabletops. We’ve taken seriously lessons learned that we’ve taken from those tabletops and implemented. We’ve done a lot of work to make sure that our college is prepared for any and every potential issue that can come up that we’re aware of. We can’t predict everything, but we we really try to throw everything on the table and say, Hey, is this a probability that could happen? If it is, then we need to make sure we all understand what’s happening. So I want everybody to know that’s listening, especially if they’re employees or students of Irvine Valley College, that that it’s a very serious thing that we take seriously, and I’m very proud of that. So,

Brent Warner 10:50
Nick, how long does one let’s just imagine there’s one session, right? Let’s is it just for I mean, I know you said that, hey, there’s lots of scenarios that get thrown in the middle of it. But, like, let’s just say it’s a fire tabletop, right? How long does that run for? Like, is it? Is it a 45 minute to an hour thing? Is it an all day or two, you know, a week long thing? Like, I don’t have a sense of the timing and the effort that you guys put into that.

Nick Wilkening 11:18
There is – so it depends. The ones we’ve done on campus can range from two to three hours. There was a couple that we did in tandem where we did like a tabletop in the morning, we ate lunch, and then we did a scenario in the afternoon. But they’re anywhere from three to four hours. Most recently, though, in November, I think we did it’s called the enhancing partnerships, interagency collaboration. I think I’m probably butchering that, but it basically stands for epic, and that is a tabletop exercise that ran like eight hours, and it was in a high school in orange, I think. But basically a lot of interagency partners. We had Cal Orange County Fire Authority. There was multiple different police departments, the Orange County Sheriff. There was multiple K through 12 districts, Irvine Valley College, lot of different there was hospitals. We got a briefing from the hospitals, level one, trauma centers. We heard from all of the different specific, different agencies that would be involved in responding to an incident, and then we all role played throughout the whole day, we had Laguna Beach Unified FMO director sitting right next to me. We learned so much from them about how you can rent generators, you can have them brought in like it was a huge logistics piece, but a huge lessons learned. And we took a lot of that information back. We just got the lessons learned from everybody about a month ago. So you can have them vary with not only your own internal team. It can also be multi state, multi County. It can be massive tabletops. And it really, truly is, I would say it does a good job of ensuring that you understand what you’re supposed to do. However, there’s a big disconnect between what you do in a tabletop and how you act in the action in the midst of an incident, so it’s important to bridge the two to make sure that if there is an actual incident, your lessons learned are like rotated back in to your tabletop exercise. Hey, we had a fire two years ago. We planned for this. This is when it really happened. Holy cow, was completely different than we expected. Here’s the real meat and potatoes of our lessons learned. Let’s role play our new lessons learned from it. So it’s, it’s a cyclic process.

Tim Van Norman 13:40
So what types of things – we’ve talked about a couple of them – what types of things have we covered in some of these tabletops?

Nick Wilkening 13:46
Good, good. Question. Yeah, so we did, we did a tabletop on earthquakes. We did a, I think we did a tabletop on floods. So if water takes over campus or we have critical services affected by a flood. We did a ransomware or cyber incident, where you come into the office one day and all of all you see on your screen is, you know, a message that says your computer’s been locked paid X number of Bitcoin in the next 12 hours, or all your data is gone across all the computers we’ve done buyers. That was a big one. We did civil disturbance. I believe we did a few others that but, but those were the big rocks, because those are the ones that potential, when you look at risk and probability, the probability matrix that states, if there is a potential they can have a big impact like an earthquake. We just don’t know how to ever prepare fully for an earthquake, because that’s such an unpredictable event, but it is probability wise, probably somewhat high that we would be in some sort of earthquake zone in the next. Next X number of years fires, another one, highly probable that we’re going to be affected by smoke potential for actual fire itself. And we also work with our district peers down at Saddleback College. And you know, they have a similar but also somewhat different probability matrix for their area, right they’re in a more hilly area. They’re near, so floods are not going to be as probably impactful for them, but fires are going to be more highly impactful for them. So even the disparity between the two campuses, with Irvine Valley being flat in the middle of a metropolitan area or suburban area, comparative to Saddleback, where it’s a little more remote, hilly, even though we’re in the same district. And then you look at a TEP, which is also our sister campus as well. Each have their own personality and their own needs. One thing I learned or thought of recently was each college is its own little organism. That’s a city, if you will. And I mean, we have health and wellness like a hospital, we have food services, we have a full police department, we have our own internal technology department. We’re independent of the greater, you know, area, the greater organization, if you will. We manage everything internally. So if you think about it, having our own tabletops and our own crisis management team in our own EOC Emergency Operations Center, makes a lot of sense. We are our own organism. We have to be prepared for this. And I think to Tim’s point earlier, it’s certainly reassuring knowing that we have taken that seriously. You know, we are dissimilar from even our own sister College, and yet we take it very seriously. They take it very seriously. We work together. We find similar similarities where we can, but at the end of the day, we want to make sure we’re doing the best for the safety and security for all of our students and faculty and staff. Yeah, so

Brent Warner 16:51
Nick, one of the things I’m thinking about here is, like, so I know that you and your team go through this process, right? But like, just kind of thinking of like, faculty, or, you know, classified staff, or you know, who might not be involved with this. And then the that emergency happens. So you also have to consider kind of the unreliability of people in an emergency, crazy emergency situation, where people, you know, start, you know, running around like chickens with their head cut off and all these kind of things, right? And so what can people who haven’t gone through these processes do to be better prepared to respond in ways that are responsible? Is there? I mean, because if we haven’t gone through that training, it’s a little easier when we know what’s going on. But if it’s just like suddenly earthquake hits, I’ve never done the training. I meant to do it last year. I forgot to do it right. Those types of things happen. So how do how do you deal with that? And what can people do to make sure that they’re better prepared, like individually?

Nick Wilkening 17:49
That’s a fantastic question. One thing I will say is there are representatives on all of the different tabletop exercises for faculty and classified. We make sure that that’s definitely a big part of operations. So there are folks that can be you can you can go through to ask specific questions about the tabletops, to see the lessons learned, to be prepared. I think as a, let’s say, a lay user or a general you know, member of the team, I would say having a good communication plan with your supervisor is always a good plan to have, because oftentimes communication is going to be kind of awry, and communication is the one thing that is the most challenging piece, I think, in most incidents, is getting the right message out at the Right time and have it not be confusing, delayed, not helpful. Like conflicting. Oftentimes, the messages are coming out, and it’s conflicting because everybody’s trying to do the right thing, but you want to get that information out at the most appropriate ways possible. One thing we did during COVID that I thought was a very successful model is we had a daily EOC Emergency Operations call called where every constituent group was represented. We had health and wellness, we had PD. We had everybody that was the folks at the table that needed to help triage and manage the situation there, and then they would go back and communicate to their to their groups, or the dean or the manager or vice president, they were able to communicate. So why I say having a good communication plan with your supervisor is more often than not, your supervisor is going to get that communication from their supervisor and all the way up to the President, and that message will more than likely come through that chain of command, if you will. So it’s good to have that establishment, whatever that looks like, right? If it’s teams or if it’s just calling and making sure my boss knows I’m safe. Hey, my family is safe. We had an earthquake. This is what’s happening. I want you to know I’m accounted for, and you can. Focus on what you need to that from a management standpoint, that’s not only helpful, but it’s also from a crisis management standpoint, Hey, how is Tim’s family doing? You know they were in the impact zone. Think of the eating fires that happened. Hey, did we have folks that lose their homes? What can we do to rally around them and help them? Right? That’s still an active incident in my mind. I know it’s closed out formally, but there’s still people that don’t have homes. There’s still people that are driving around their their neighborhoods completely crushed right now. So to me, that that never, we never lose that incident in their in their struggle. So I think that’s important. What you can do at home, to be prepared. I recommend everybody have some sort of, you know, and it doesn’t have to be a full doomsday prepper where you’re you’ve got a full like underground layer, but being smart and pragmatic to make sure that you have the basics at home. You’ve got fresh potable water, you’ve got food, if you can afford an a generator and you want to have something like that available for you to protect critical circuits in your home, whether that’s your refrigerator or you’ve got, like your internet that you want to have access to, having an am FM radio, small things that you can keep in your garage that make sure that you can stay safe and your family can Stay safe for 72 hours until things have calmed down, and hopefully emergency services and supply chains can open after a major incident. That’s what I recommend everybody do. Make sure you have around 72 hours of self sustained, contained food, water, everything else that you need, your prescriptions, everything to make sure that you can stay healthy through that time. Is what I would say, between now and the next incident, invest the time. It doesn’t have to be a huge purchase at Costco. Buy a food ration kit this week. In a couple weeks, buy another one, and make sure you have 72 hours for every person in your in your home.

Brent Warner 21:54
Okay, so we’ve talked a lot about, like, kind of physical dangers and, like, some of the, some of the, you know, a little bit of the digital stuff. But we’re also, I think we’re, we’re hoping to talk a little bit too about security issues, right? Security issues, maybe some of the more technical side of these, or the or the, you know, problems that happen with so let’s, let’s take a look at this. What should people expect? So, like, if there’s some sort of security issue going on, maybe on campus, maybe online, you know? And again, they’ve got multiple worlds now that we’re dealing with, what are the things that we can start paying attention to? What are the things that we can start preparing for? This is a gear shift here. But I think it’s worth, worth spending some time on this conversation, which is, you know, around that side of like, how do we protect ourselves in there’s so many things coming at us from all different directions, right? How do we make sure that we’re kind of prepared to the best that we can be for those

Nick Wilkening 22:59
Yeah, let me talk about the cyber preparation. I think that’s going to be probably the biggest thing I would I would want folks to take away from you know how they’re so, if you think about it, from the minute you wake up to the minute you go to bed, you are connected to an information device, a computing device. And even then, I would probably hazard a guess that 24/7, you are connected to an information device. Whether you have a wearable that you sleep with, you have a CPAP machine that potentially has a connection to Wi Fi that’s checking, you know, real time data you like everything that can pull an IP or utilize an IP is an information device in my definition. And I think it’s incumbent for for everybody to to appreciate how much that’s given us comfort and ease, and it’s made life so much easier, and at the same time, it’s also introduced a lot of potential issues when it comes to bad actors or folks that are trying to do bad things for us, what I try to recommend everybody do in just basic cyber hygiene is kind of three or four things. One, always auto update your software. That’s such an easy preventive thing that you don’t have to necessarily put too much work into so on your phone, you open up your phone, there’s settings in iOS or Android to be able to auto update all your apps, and the reason why we do that is oftentimes the software vulnerabilities that are built in are on old versions of software. So if somebody is trying to launch a bad malicious software campaign, they look for a certain type of old software with open vulnerabilities, and they launch attacks against it. So it’s a very easy. Actor for bad actors. That’s kind of the first point. The second one is around password management. And this one’s important because this is such an easy thing nowadays for malicious bad actors to to to get into your accounts. It’s called credential dumping, but it’s the easiest way for someone to get into your account is by pretending to be you. So if they can identify your email or your username and your password is weak, it’s very easy for someone to log in and pretend to be you and do lots of bad things. So what I recommend people do is they create strong, long and remember like memorable passwords. And the easiest way to do that is to build what are called pass phrases. So you can think of it as simple as three words, 234, words, the more words that you put together, the higher entropy or the higher encryption is associated with it, the stronger encryption, I should say so. And it can be anything you want. I’m looking in the room right now. I’m seeing chair, picture exit. Those three words could be a password for me to my phone, let’s say, and I’m going to have a very difficult it’s going to be a very difficult password for a computer to guess, or what’s called brute force against, because it’s got lots of unique letters the the words are long, which creates more ability For higher encryption so that that’s the first part. The second part is to create a unique password for every single application you’re logging into. And I think that’s the most onerous thing for most people, right? If I’m logging into my bank account, it’s a lot easier for me to use that same username and password for my LinkedIn account and my Facebook account and my whatsapp and every single application across the spectrum. But here’s the problem, if you use password 123, for your bank account, now, all I have to do is I get access to your bank accounts. I get access to your Facebook, your whatsapp, your LinkedIn. I can be you for a day, and I can do bad things with your name and your profile and your persona, that that that’s an icky feeling, right? Even just saying it out loud makes me feel like, Whoa. That’s a huge invasion. That’s That’s not cool, right? So having unique, strong passwords for each of those applications is really important, right? You for my one application. It might be chair table sign. My next one be chair exit light switch, right? But at least I can remember it easily. It’s not a bunch of different, you know, special characters and members. There are password managers. That’s a great way for you to remember one login, which would be your login into the password manager, and then the password manager will encrypt and hold on to all of those passwords for you. So like a one password is a great Password Manager. Oftentimes, iOS has its own password manager. There’s password managers for Android, there’s there’s open source password managers. It’s meant to make life easier so that we can encrypt. The last and final piece, I would say most people should try to do is encrypt multi factor authentication whenever you can. And we kind of talked about that in the first interview. But basically, if your business account, your bank account, your social media. If they offer multi factor authentication, please turn it on. It’s your best way, and it might be a little inconvenient, but it is your best way, at this point, to prevent even somebody who knows your password from getting into your account, because let’s say you did everything right, and they just get lucky. Maybe, maybe the odds are just lucky, they guessed your password. If you have multi factor authentication enabled, that means if they get in with that legitimate password, they still have to bypass your phone or your something, your email to be able to get into that specific application, your your social media or your business account. So three things good password management, enable multi factor authentication and work on auto updates for your software. Those are the three things the vast majority of folks can do that will greatly reduce their risk.

Brent Warner 29:35
And they’re not too hard – the reality is – right? Like, I mean, a little a little inconvenient on some parts, but not, not that much and so and definitely doable,

Tim Van Norman 29:46
I would argue that one other thing I would love to have everybody do, store your data in Google Drive, OneDrive, Dropbox, something, because I don’t know. How many times I’ve had somebody come to me and say, This laptop has all of my information and it just fell down the steps or something, and now maybe that becomes a cyber incident basically, simply because they didn’t have it backed up. So it’s an old term, backing it up, but you know what? Back it up, and with some of these tools now it can be automatic. Literally, the work I do when I download a file, it’s automatically up in the cloud again. You know? I just keep it automatic, so then I don’t even have to think about it anymore. And that really, that would have saved me. If people had done that, that would have saved me literally days, if not weeks, worth of work. I literally one time had to try to break into a dead guy’s computer to get information out. Okay, no way I can ask him the question. Yeah, right, you know. And so it’s things like that that, if you can store it in the cloud. It is really secure up there. And so it’s both a security and a protection. Because I don’t, I also don’t know how many times a thumb drive, oh, I’ve got it stored on a thumb drive, and somebody hands me a thumb drive, and it’s been through the wash machine a couple times, yeah. And now that’s no good so All

Nick Wilkening 31:23
right, yeah, good, good point. Absolutely. I’ll add one last piece. All of information security is kind of governed by three principles, the principle of confidentiality, the principle of integrity and the principle of availability. So this called the CIA triad, and if any of those legs get knocked down, your information security posture is greatly reduced. And the CIA triad works in different industries, so like, if you’re working in, let’s say, research and development and you want to protect a lot of your secrets, that has a high confidentiality right? That’s encryption that’s ensuring you have data encrypted in transit and at rest, like you have lots of layers around confidentiality, integrity basically means that the data is true and that it’s not been manipulated through Malicious or bad, bad means. And then availability is actually the one that we, I think, utilize the most in higher education. If I can’t get an application delivered to you, if I can’t get data delivered to you, that’s an attack on availability. So Tim’s point about backing up. If I don’t have access to the data. It’s unavailable to me. I am now taking an impact in my information security posture. I think that’s an important piece to think about. If our website goes down, availability is lost. If we can’t deliver canvas right to faculty, to students, if my site, all of these applications are unavailable. I in mind when we have an information security incident, right? So that’s an important piece that I want to make sure, Tim, you know to your point about making sure you back up your data to a cloud based provider 100% that’s a good, good piece of advice.

Brent Warner 33:16
Excellent. Well, I think we, we’ve covered a lot more. We’ve got just tons of information, so many things to kind of consider here. And I think this is a pretty good run for for both of these sides. So the kind of the physical security and the digital security, how are we making sure that we’re good for all of these things? Nick, I know we could just keep on talking and talking, and so we’ll, we’ll definitely be a little bit more proactive on having you on regularly, you know, maybe once or twice a season, so that we can kind of keep updates and see what’s going on. But I think for now, we’ll let you get back to the conference and all the work and learning more, so that next time you have even more updates for us on how to how to stay safe.

Nick Wilkening 34:01
I appreciate the time. This is awesome. I think I love what you guys are doing, and it’s a great it’s a great time being here. It’s awesome.

Brent Warner 34:10
Thanks so much.

Tim Van Norman 34:13
Thank you for listening today. For more information about this show, please visit our website, at the higher ed tech podcast.com

Brent Warner 34:19
As always, we do want your feedback, so please go to the higher ed tech podcast.com and let us know your thoughts

Tim Van Norman 34:26
For everyone at IVC that’s listening. If you need help with technology questions, please contact IVC technical support. If you have questions about technology in your classroom, please stop by A322 or contact me. Tim Van Norman AT tvannorman@ivc.edu

Brent Warner 34:40
And if you want to reach out to me about the show, you can find me on LinkedIn at @BrentGWarner.

Tim Van Norman 34:46
I’m Tim VanNorman

Brent Warner 34:47
and I’m Brent Warner, and we hope this episode has helped you on the road from possibility to actuality. Stay safe everybody.