April News from Information Security

Hello, faithful (or first-time) reader! Welcome to the April information security newsletter. While I generally post these the first Monday of the month, this newsletter has been delayed for a number of reasons. First, I did not want to release a newsletter on April Fool’s Day. There would have been WAY too much temptation to participate in the foolery, and I want you to feel like your time is not being wasted. Then, I had the temerity to drive for hours to get in the path of totality for the April 8th solar eclipse and neither wanted to spin a newsletter around that topic or be out of the office when it dropped. That brings us to this release date, April 15th, tax day (in the US, at least). I won’t spend words in this newsletter talking about tax time suggestions, as I included tax tips in our biannual cybersecurity awareness training.

This brings me to our first topic. Have you completed your biannual (yep, that means twice a year) cybersecurity awareness training? If you have, you got tax season tips to help you securely handle this process. If you haven’t taken your training yet, you still have to complete the tax tips section…sorry, not sorry. I know many of you question the need for this 20-30 minute intrusion into your schedule each semester. You’re busy. You have other things to do, like teach classes, attend classes, or other work. We do this not because I get a rush out of stealing the time from you each semester, but because over 90% of successful cybersecurity breaches start with a successful phishing attempt. Phishing emails will get delivered to your inbox. We can’t stop them completely without risking interfering with normal email traffic.

Which makes YOU the first line of defense against those that slip past our filters. We have provided you with tools to report these emails so that we can then remove them from the inboxes of those who might not be as savvy as you in spotting them. The Report Message button should be available in your Outlook toolbar or in the Outlook app on your mobile device. You can report phishing or spam with this button, or mark something that was improperly sent to your Junk folder as something you want to receive. If you do not see the button, please contact the Technical Support Desk so a technician can evaluate why it is not visible to you. To make the most effective use of the button, please take the cybersecurity awareness training, get confident in recognizing the indicators of phishing emails, and report them to us. Security is everyone’s responsibility, as we are only as strong as the weakest link in our chain of protection, unless those who can recognize danger report it to us as soon as possible. Cyber-attackers don’t tend to send phishing emails to the Director of Information Security (although some very lazy ones have), so I need your help to fend off the many attacks we receive each day.

A final note on our biannual cybersecurity awareness training…the last day to take the course will be May 6th and it will not be available after that date. Please take the time to complete it soon.

The Office of Information Technology is continually striving to improve our security stance. Our decisions are not always popular, but many have been absolutely essential to increasing our security level to meet government requirements and make our defenses stronger. I’ve mentioned a number of topics in previous newsletters about how you can help and why you should help. This upcoming change will be another one that garners its share of dislike, even hate. We will (at a yet to be determined date) eliminate a phone call as a possible second factor for our MFA setup. Phone numbers can be spoofed and are not as secure as using an authenticator app on a smart phone. Again, we have not determined a date to implement this change, but once it is active, you will have to run the Microsoft Authenticator app on your smart phone or use an alternative second factor, other than a phone call. There are hardware “keys” available that plug into USB ports or connect to mobile devices via near-field communication (NFC). If you don’t have a compatible smart phone, one of these devices will be your only option for a second factor.

To offset the annoyance (yes, I know it will be annoying for some of you to move away from using phone calls as your second factor), we will be implementing new login policies that will evaluate whether or not you need to use MFA. The policies will take into account your location (on campus or off) and if you are using a college provided and maintained device, or a personal device, and other contributing factors. This will hopefully reduce the need for MFA during day-to-day activities. Progress like this is made possible due to changes in our Microsoft licensing that we made starting back in the summer of last year. Our end goal is to be more secure and less intrusive. We can all evaluate how well we accomplish that goal later this year. More details will be sent via email in the next few weeks.

That’s all for this newsletter. Short and to the point, like the cybersecurity awareness training for this semester.

All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.

Please continue to report those phishing emails! Avoid using “unsubscribe” links and report spam via the “Report message” button, just like you would a phishing email.

If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell how I can help and inform you.

If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the website.

Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted, like Cybersecurity Awareness Month.

Food For Thought

Yes, our food for thought section can’t get away from the April 8th eclipse. Here are a couple of videos, both of which were originally published pre-eclipse, that explain why this one was so special (and why I and others drove hours to be in the path of totality).

This is a very simple explanation of why this eclipse was special.
This video does a technical deep dive into the periodicity of eclipses. Geek out!

Featured Image: Stan Honda/AFP/Getty Images via CNN.com

Author

(Visited 147 times, 1 visits today)

2 thoughts on “April News from Information Security

  1. Can you guys send me one of these now? “There are hardware “keys” available that plug into USB ports or connect to mobile devices via near-field communication (NFC). If you don’t have a compatible smart phone, one of these devices will be your only option for a second factor.”

    1. We can definitely put you into the first group we use these with. Once we finalize the device model and know our pricing, I’ll get back with you.

Comments are closed.