May News from Information Security

It’s May again, and (most of) the students have retreated to their homes until the fall. Some have graduated and left Berry until some uncertain future date. It is the time for many projects to take off running toward completion. This summer brings with it a change in leadership for the college, which will no doubt cause many adjustments to everyone’s routine. I hope everyone’s projects and summer work go smoothly and prove successful. I have a project or two of my own to complete this summer and will be detailing some of the work I’ll do for them in June’s newsletter. This month I have FOUR topics to discuss, three of which are familiar to readers of previous newsletters, and one which will be new to most people.

Quickly, the first topic is completing this semester’s cybersecurity awareness training. The official deadline has passed and those who have not completed it are late completing their work. If you have not completed the training, please take a few minutes to do this. Those who complete the training will be rewarded in the next few weeks, and those who do not…will not be rewarded. More details forthcoming.

Our second topic is about phishing, but beyond reminding everyone that you must stay on your guard with any emails (or texts, or phone calls), I want to relate the story of a cybersecurity expert who fell for a phishing attack. Troy Hunt runs the Have I Been Pwned website that I have mentioned in previous newsletters where you can see what data breaches have affected you and your data. Troy does cybersecurity for a living, yet fell for a phishing attack against his MailChimp account. He details the event on his website, recounting what contributed to his failure, what he learned from the attack, and how companies actually handle your data, particularly your email address.

He explains how fatigue and a wickedly subtle phishing email combined to fool him. His explanation of how the well-crafted email created just enough urgency, without going over the top, is a prime example of how sophisticated phishers have become. Granted, Troy is a “big fish” to catch for an attacker, with major “street cred” going to the group who hooked him, along with being able, had he not responded as quickly as he did, to exploit a group of people who would NEVER consider any email coming from “Troy Hunt” to be malicious. It is an interesting read, and I encourage you to read it while considering how even the most security-conscious can be phished. (That doesn’t let any of you off the hook; it just allows you to not feel so bad about it!)

Our third topic stays in the realm of email, with a reminder to please try to keep personal activity out of your Berry email account. I have written about this before, but was unaware of just how prevalent the issue was. While investigating a malicious email, I had to run a query for every email a user had received in a 24-hour period. As I glanced at the subject lines and senders, I realized that over 90% of those emails were completely unrelated to Berry work. They included social media notices, sales flyers for all kinds of stores, health and wellness emails trying to sell the next best thing to keep you healthy, and a bunch of other emails that were definitely not work-related.

The issue here is not so much that we just don’t want you using your Berry account for personal activity and business, but the fact that, by doing so, you are allowing a slew of emails into your Inbox that could be dangerous. Malicious posts and emails from social media are ubiquitous, sales flyers may or may not be from legitimate stores and outlets, and various news and pop culture emails lead to websites that may not be safe to visit. (Pretty) Please, move all of these things to your personal email account and reduce the number of potential attack vectors in your Inbox.

Finally, I want to introduce the idea of sensitivity labels to those who are not familiar with them. Sensitivity labels are digital “tags” that can be attached to everything from emails and documents, to Teams discussions and other digital mediums, like aggregate data sets. We’re in the process of rolling out sensitivity labels via our Microsoft Office 365 services and applications, which include Outlook, Teams, PowerBuilder, OneDrive, SharePoint, and other resources. Those of you who have worked with our Enterprise Analytics department are most likely aware of them. Sensitivity labels allow us to manage and automate the protection of sensitive, private, or controlled data. Once an email, document, conversation, or data set has a sensitivity label, we can dictate where that data can be stored, transmitted, shared, or published. It is a major step forward for data protection and we will be providing more information as we move forward with the roll-out. If you want to get ahead, here is a Microsoft article on sensitivity labels that will do a great job of explaining their usefulness.

That’s all for May! Again, I hope everyone’s summer activities go well and our leadership transition goes smoothly. There have been LOTS of people working to make that happen and I want to thank you if you are one of these folks.

All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn on MFA/2FA everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.

Please continue to report those phishing emails! Avoid using “unsubscribe” links and report both spam and phishing via the “Report” button.

If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell me how I can help and inform you.

Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications.

Food For Thought

Did you wonder why President Trump ordered that the penny no longer be minted? Have you ever wondered how much it costs to make a penny? HINT: It’s more than a penny. The same goes for the nickel, but it’s even worse. Take a peek at this video from one of my favorite YouTubers, CGP Grey, discussing why we should stop making the penny AND the nickel, and maybe even the dime…

Featured Image: Photo by Jacob Bushey/Berry College
