With Spring Break coming next week, I wanted to get this out to everyone this week, but I have been slow on the execution of that goal. Spring Break! Yes, we are already there, with the six week plunge to the end of classes coming immediately after. I’m sure everyone probably needs to catch their breath. I only have a couple of things to share this month, so this newsletter will be brief.
First, I want to apologize for the numerous snafus we have encountered with the new cybersecurity awareness training platform. The delayed roll-out in the fall, the broken course this semester…it hasn’t gone well and we are evaluating what our next steps are with regard to providing cybersecurity awareness training. Like it or not, it is necessary, not only to meet our compliance and insurance requirements, but to make sure everyone continues to pay attention to sketchy emails (and report them!) and continues to securely manage their various digital credentials, both work and personal.
We have options. We can choose to use micro-segment training that can be assigned in response to either clicking a (real) suspicious link or in response to how well users are able to spot phishing emails that are part of a training campaign. Other options include training platforms similar to our current one, with course elements changing each training session and the possibility of testing out of the course based on a pre-test. There are also “long course” training options that I wouldn’t wish on my greatest enemy. Another option would be to hold one-hour face-to-face, in-person training sessions each semester which you would be required to attend instead of taking advantage of the convenience of simply completing training at your desk, on your laptop, or on a mobile device. You are welcome to post your preferences in the comments. Don’t bother to post “none of the above”…I’ll put those on a digital wall of shame. Just kidding…maybe.
The other topic for this month is a tried and true regular. I’d like to share information on the type of phishing emails we are seeing more of this semester, as that generally does change over time. There has been a rise of phishing emails from legitimate services, like DocuSign, Microsoft, Google, and other companies that regularly send out attachments and links. What happens is the attacker will first register a dummy account with these services, or gain access to a legitimate account. Then they will post, share or attach a file from this service via email. They are banking on the legitimacy of the sender, in this case Microsoft, Google, DocuSign, or another company, to fool you into opening the attachment or clicking on the link in the email. They present the file as an invoice, or a salary or budget notification or some other tempting type of message to convince you to open it.
As usual, the thing to do is to stop and take a breath. Then think about the email. Were you expecting an email like this? Is this the normal channel for this kind of information? Is there a way to verify the authenticity of this email without opening it? The answer to the first question is the most critical, unless you are in a position that requires you to deal with emails from companies or people you may not know. The answer to the second question now becomes important. Is budget information sent via email? How about performance evaluations? Invoices? You need to determine if this is the correct way to handle this type of information and if not, be VERY suspicious.
Now you’ve gotten to the third question. If you can’t contact the sender through a known good alternate channel, say, via a phone number you have for a contact at a particular company or some other method, you ALWAYS have the option to send the email to me, by reporting it via the “Report” button in your Outlook client or on the Outlook Web Access portal. If it is a valid email, I will send it back to you with a “thank you” for being suspicious. If not, then, again, thank you for being suspicious and reporting phishing emails. If you are uncertain about the validity of an email, go ahead and send me an email explaining that you are unsure about an email you have reported so I will know you are unsure about it. I do get enough reports that I will generally believe you if you simply report it, unless I am aware that it is certainly valid. Those of you who have reported the reminders about cybersecurity awareness training as phishing should have gotten them back…if not, you will get more until you complete it.
HOWEVER: If you are still receiving reminders to complete the “Password Management” course, please let me know, as the training platform did not properly un-enroll some people from the course and is still sending reminders about the broken course.
That’s all I have this month. I hope everyone’s Spring Break is/was fabulous.
All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn on MFA/2FA everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.
Please continue to report those phishing emails! Avoid using “unsubscribe” links and report both spam and phishing via the “Report” button.
If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell me how I can help and inform you.
Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications.
Food For Thought
I watch these occasionally and even this magnificent piece of artistry is not the best example of what I’ve seen wood-turners produce, but it is flashy and starts with an unusual raw material with some epoxy added to it. It is long (13min), but very satisfying if you get a chance to watch the whole thing.
Featured Image: Photo by Jeswin Thomas on Unsplash