October is National Cybersecurity Awareness Month and the cybersecurity team at the University of Toronto Mississauga (UTM) is highlighting best practices to prevent cyber-attacks.
Like other universities, UTM provides very high bandwidth internet access, making it a potential target for cyber-criminals. As cybersecurity threats increase in complexity with the prevalence of internet-connected devices, the need for cybersecurity and good cyber hygiene grows in importance.
According to the Canadian Centre for Cyber Security, cybercrime is the most common cyber threat facing Canadians, Canadian organizations, and Canadian educational institutes.
In 2016, when ransomware (a form of malware that threatens to publish personal data or blocks access to it until a ransom is paid) infiltrated the University of Calgary’s systems, over 25,000 students remained without on-campus Wi-Fi access for two weeks.
Over the past two years, more than 50 nations have published some form of strategy document outlining their stance on cybercrime and cybersecurity. This past September alone, among other similar incidents, two Southwestern Ontario hospitals became the targets of cyber-attacks.
So, what does cybersecurity look like at U of T? And how can students and staff at UTM better protect themselves against cyber threats?
To answer these questions, we met with Luke Barber, UTM’s Information and Instructional Technology Director, and Selena Panchoo, UTM’s Information Security Analyst.
The Medium: Why would a cyber-attacker target an educational institution?
Luke Barber: On a grander scale, hackers target universities because of their intellectual property and research. If you’re talking about one of the very sophisticated hacks, they are looking to skip ahead in terms of the research and development. Like many other businesses, we have a wealth of personal and identifiable information, and that’s always a rich target for hackers.
TM: What is the cyber security office at UTM doing to prevent a security breach?
Selena Panchoo: A big part of [prevention] has to do with communication between the information security groups across all three campuses because if someone notices something that seems unusual, and they share that with the other campuses, everyone can work together.
LB: Another example of prevention would be end-user education. That’s part of the cybersecurity awareness program that Selena has put together. End-user education is essentially the human firewall.
TM: October is Cyber Security Awareness Month. How are you and your team outreaching to students on campus?
SP: Part of it is done through the service desk. Anytime anyone comes by there, the people at the desk offer to look at their phone and make sure that all of their settings are secure. This includes setting a PIN or encryption and making sure they have updated their phone. Those are things that really make a difference. Other things we’re doing include sharing daily tips on our Twitter account.
TM: Phishing emails are now very sophisticated. What kind of information should students and staff pay attention to?
SP: I think the first thing is to define what a phish is. A phishing attempt is a fraudulent message, and usually it’s created and sent to an individual or group with the intent of getting personal information, username or log-in details, or banking information. What students and staff want to be careful of is making sure that when they receive an urgent message that says, “Hey, you need to respond to this,” or “Could you purchase this for me?” or “Could you take a look at this file,” they stop and ask whether the message is from the person they think it’s from. Phishing messages usually look a lot like the original sender. Sometimes, they’re full of spelling errors and grammatical errors. Sometimes, they are obvious, but these days they look pretty close to what you might expect from your bank, or some other account you may have with an organization.
LB: Some of the things we tell our staff and faculty to keep in mind, which would apply to anyone, is that there’s a monetary reason why phishing is done. Phishing is much easier to do than complicated hacking. Phishes are so cheap to send. You might look at one and go, “that’s silly. It’s full of typos, and it’s RBC. I don’t even bank with RBC. I can’t believe someone would fall for this.” But, they’re sending millions of them, and so, at some point, they’re going to find someone who does not notice the typos, and is an RBC customer, and they’re going to click on it.
TM: If someone clicks on the attachment, what should the person do next?
LB: One thing we do encourage students and faculty to do is come to the service desk because, beyond that, you’re probably looking at trying to run some antivirus or malware, which isn’t necessarily an accessible thing. I would also encourage students and staff to change all their passwords.
SP: The reason it is great to go to the service desk instead of trying to contact an individual person through email is because multiple people can then deal with the issue right away.
TM: If you could give students advice on how to best maintain good cyber hygiene, what would it be?
LB: Make sure your device is both locked and encrypted. Do not install or plug other things into your laptops because they could have the same payloads that the email virus could have. Also, a good guiding principle is to give away the absolute least amount of information that you need to. That’s what someone needs to be critical of.
The I&ITS department will continue to host cybersecurity activities during October like the Cyberbullying panel discussion on October 28 from 10 a.m. to 12 p.m. at the Maanjiwe Nendamowinan building. The event will discuss online harassment and how to report cyberbullying.
For more information on I&ITS cybersecurity tips, visit their newsletter, I&ITS News.