In recent months, the University of Utah has rolled out ongoing cybersecurity upgrades—just one instance of how the U’s Information Security Office (ISO) protects the university and its community members.
But the ISO cannot do it alone. You, too, must do your part.
Now more than ever, the internet consumes a huge part of our lives—at work, school and home. Constantly being connected means, by default, increased risks to your privacy and security every single day. This is especially true in a university setting.
“A lot of our devices are interconnected. So, if one machine on the network is infected, all other machines on the same network are at risk of being infected as well. And that's what we see all the time,” Data Security Analyst Ariel Baughman said, adding that threat actors often target higher education institutions and their constituents.
For these reasons and more, it’s increasingly important to learn and implement information security best practices.
For the seventh year, the ISO will participate in Cybersecurity Awareness Month (CSAM), an annual initiative to ensure people have the resources they need to stay safer and more secure online. For the second year, the University of Utah has been designated a CSAM Champion.
This year’s theme is “Do your part. Be cyber smart.”
Baughman, who works for ISO’s Governance, Risk & Compliance team, and Chris Stucker, associate director for ISO’s Identity & Access Management team, said the U community can be cyber smart by creating strong passwords, using a password manager, enabling multifactor authentication (MFA), watching closely for phishing emails and other scams and taking advantage of the U’s cybersecurity resources, among other things.
Stucker said he believes a password manager and multifactor authentication are the best tools that people can use to protect themselves and the university.
“A password manager is one thing that we recommend because it makes good password hygiene much easier. You only have to remember one master password and you can make that super hard—for instance, 48 characters long. And once you log in to it, it handles all the rest,” Stucker said. “It creates passwords randomly, it doesn't reuse them and it fills them in for you. Most also warn you if you’re using a weak password or one that’s been compromised.”
Password managers, he noted, can also protect users from phishing because they generally aren’t fooled by websites that mimic others. So if you are prompted to enter credentials on a malicious site, your password manager won’t autofill them because it’s never saved information for that site. If the password manager balks, Stucker said you should wonder why, and you should be very cautious in proceeding.
Still, passwords can be broken, so anytime you can use MFA or two-factor authentication (2FA), you should, Stucker said. Although some campus users have protested the security measure, Stucker noted that MFA is becoming standard practice. In fact, his 14-year-old granddaughter said all her friends use MFA.
“We do it all the time,” she told Stucker. He asked how long she’s used MFA: “Since we've had social media.”
“And I asked her, ‘Do you think it's hard? Is it kind of a pain?’ She said, ‘No, it's just what we do. It's just what you have to do to use it.’”
That’s now the case for UMail and Office 365, which threat actors frequently target with phishing schemes. While Duo 2FA adds a layer of security to those accounts and decreases the number of successful phishing attempts, it doesn’t prevent you from receiving a phishing email. The ISO filters many out, but some still slip by.
If you received a phishing email and clicked on it, Baughman said that’s a good opportunity to let your colleagues and others around you know what’s circulating, forward it to phish@utah.edu, delete it, and change your password as soon as possible.
“So many people click on phishing emails. Yet when someone clicks on one, they're often embarrassed and maybe they don't want to share that with others around them,” Baughman said. “But we're all human. We all make mistakes.”
Outside of work, she uses everyday interactions or casual conversations to bring awareness to cybersecurity. For example, Baughman said, “Whenever I go over to someone's house and I ask to connect to their Wi-Fi, and they tell me the password, I'll tell them maybe they should change it [because it’s still the default password or it’s too simple].”
In addition to following all the CSAM work-from-home cybersecurity tips, Baughman said about once a month she checks to see which devices are connected to her home network.
“A lot of the time, people will find devices that they're unfamiliar with. So I recommend checking that every month and kicking off devices that aren’t yours,” she said.
Those kinds of conversations and actions should be the norm, Stucker said.
Although no one knows what the future holds, Stucker said it’s likely many people will continue working and learning remotely, or move to a hybrid model. That extends to every facet of how we communicate or share information, from ordering food through mobile apps to virtual doctor appointments. None of it will just go away, he said.
“This is a good time for us all to think about the increased importance of cybersecurity, and the increased importance of protecting your identity, and being online safely and smartly,” Stucker said. “It's time to plan this way for the future, not just for work or school, but for your whole life.”
Simple tips to stay cybersecure
- Create a strong password and don’t reuse it
- Use a password manager
- Use multifactor authentication (MFA) when available
- Use the campus VPN to access university resources while off-campus
- Watch for phishing emails and other scams (e.g., text messages, phone calls)
- Tell your colleagues about phishing emails you’ve received — you might prevent them from clicking on one
- Send and store restricted and sensitive data properly
- Be cautious about the personal information you share on social media and don’t geotag your posts
- Make sure your home network is secure, and check for unknown devices
- Read the university’s information security policies and rules
- Take the ISO’s security awareness training
Learn more: Cybersecurity Awareness Month
Cybersecurity Awareness Month (CSAM) is an annual initiative sponsored by the Department of Homeland Security and National Cyber Security Alliance to ensure people have the resources they need to stay safer and more secure online. This year’s theme is “Do your part. Be cyber smart.”
This October, please consider taking a few moments to visit the Information Security Office’s CSAM website and check up on your cyber hygiene. Topics include:
Meet the computer forensics experts who investigate the U's cybersecurity incidents.