It’s June again and SOAR sessions, camps, and all kinds of summer activities are in full swing (including the adorable fawns running around campus), which is why this newsletter is so late in showing up. I assumed that few of you would have time to take a look at my monthly musings on cybersecurity awareness until things settle down a bit. June is rapidly passing by, almost half gone now (more by the time you read this), so here we go with another few hundred words about cybersecurity awareness training, phishing email attacks, separation of personal and work activity, sensitivity labels, generative AI fakes, and any other topic I can squeeze into a couple of paragraphs.
If you didn’t know what some of the items in the previous list were, don’t be alarmed. A couple are very new topics that I want to touch on. Specifically, the idea of separation of personal and work activity and the concept of sensitivity labels (both of which I talked about last month). If you missed May’s newsletter, please take a moment to go back and read it. It also has a fascinating story of a security researcher who got phished.
Last month’s newsletter was not the first time I mentioned keeping personal and work activity separate. It’s something I have revisited a few times over the past several months. Despite my attempts to dissuade everyone from conducting personal business with their Berry email account, I still see indications in our security and email logs that suggest many still have personal accounts attached to their Berry email address. What kind of accounts am I referring to? A short list includes – CapitalOne Bank, Truist Bank, Sam’s Club, Southern Living, People Magazine, Pinterest, Lucky Brand, The North Face, Panera Bread and Lending Tree. I realize some of you may have a business related reason to be in contact with some of these companies through your Berry email. However, I suspect (and that is all I can do, since I don’t read your emails) that much of the activity with these companies is NOT business related and really should be moved to a personal account. If you receive emails from any of the companies above for non-Berry reasons, please take a few minutes to change your registered email address with them. Why do I continue to harp on this issue? I explain it a bit in May’s newsletter, but it boils down to reducing the number of potential ways you might get tricked into following a malicious link or opening a dangerous attachment. So I’ll ask again – please move any and all non-Berry email activity to a personal account.
I included a link in last month’s newsletter about data sensitivity labels. I’ll post here again so you don’t have to jump back to that article (unless you haven’t read it yet – in that case, jump back to May’s newsletter). Sensitivity labels will eventually dictate where you can store certain information and how you can share it with others. We’ll be rolling those changes out after we implement sensitivity labels everywhere. Stay tuned here for more information.
The spring 2025 security awareness training course is now closed. If you did not complete this training, I don’t know what to tell you, as you had several weeks to do so. Don’t worry, we will do training in the fall starting in August and we are planning to once again provide a pretest to be able to bypass parts of the training if you show proficiency in a topic. I hope everyone commits (or recommits) to completing the training. We can implement all the security technology we can afford, but attacks will still get through that you will need to be able to detect. As always, cybersecurity is a shared responsibility, and the attackers get better all the time. They’ve been given quite an assist by generative artificial intelligence with its ability to create convincing phishing emails, impersonate people’s voices, and conduct attacks on a large scale.
Generative artificial intelligence (AI) took a powerful leap forward recently. With the advent of Google’s Veo3 generative AI model, videos generated by AI are getting close to indistinguishable from actual events. We will all have to be much more careful with anything posted online or delivered to us via social media or email. That includes phishing emails we receive by the hundreds each week. Attackers use generative AI to write their phishing emails. This makes them pretty convincing, but the basic red flags for spotting phishing emails are usually still applicable. I list out many of them on this Quick Info page on this site, but the ones to keep in mind now are, one, you don’t have any kind of relationship with the sender, business or personal, and two, it is “urgent” you reply, for any number of reasons. Keep these two red flags in mind as you attempt to spot phishing emails that manage to slip past our email filters. This will only become more and more important as attackers get more sophisticated.
All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn on MFA/2FA everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.
Please continue to report those phishing emails! Avoid using “unsubscribe” links and report both spam and phishing via the “Report” button.
If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so tell me how I can help and inform you.
Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications.
Food For Thought
Back to some music for our food for thought for June! Manchester Orchestra, if you haven’t heard of them, is a band from Atlanta who have been playing music for over 20 years. Their Wikipedia page has all of the details of their two decade career, warts and all. I wish I had discovered them years ago. This little love song from them is not exactly typical of their music, but shows their range. You are free to explore beyond Telepath if you like what you hear, but be prepared for…something different…if you do. If you really want to see what they can do, check out their song The Way, either the official video or the live version, both on YouTube.
Photo Credits: Matthew McConnell, Rette Solomon, Brant Sanderlin/Berry College
June News from Information Security
