Blog Posts

The year 2020 broke all the records when it came to cybersecurity incidents.  Driven by the pandemic and the shift to remote work, there were over 1.4M reports of identity theft in the US, more than double the reported count in 2019.  Malware increased by more than 350% and several colleges and universities have been significantly impacted by ransomware. The higher education industry is particularly vulnerable as it holds tremendous amounts of data about its constituents and is generally considered a "soft target" (easy to attack).  SPU is not immune to these incidents as the University continues to block millions of attacks per day and combat fraudsters impersonating SPU deans and administrators.  The University strives to be diligent about security to protect the SPU community and we need your help!

Change on the Horizon


The rise of incidents has prompted a reciprocal increase in SPU's cybersecurity insurance.  The Department of Education has also taken notice and is contemplating a shift from merely recommending NIST 800-171 cybersecurity standards to requiring institutions to meet them.  There are also new requirements for institutions accepting federal financial aid under CUI and GLBA. The Office of Computer and Information Systems, in partnership with the Office of Risk Management, is working to adapt SPU policies, training programs, and systems to reduce risk and protect the SPU community and our students.  While some changes are necessary, SPU will endeavor to keep them from impacting your important work.  The following are some of the changes approved by the Senior Leadership Council that are coming in the near term.

Cybersecurity Training 

There is a new Cybersecurity and Online Habits training available for you to take as part of the Human Resources compliance training program. Both the Gramm-Leach-Bliley Act and NIST 800-171 require SPU to have mandatory cybersecurity training that is used in employee onboarding and repeated annually. Training is also strongly recommended by SPU's cybersecurity insurance provider.  This applies to all faculty, staff, and student employees.  Please complete this training by January 1, 2022.

For a more humorous take on cybersecurity issues, see the videos in last year's cybersecurity awareness month blog post.

Email Data Loss Prevention

Email is not a secure medium and is not safe for transmitting sensitive information. SPU will begin rolling out a new feature called Email Data Loss Prevention (DLP) that will identify sensitive data that should not be sent via email.  During the rollout period, you will see a security warning before you send a message containing sensitive information, and you will be allowed to override the DLP system.  If you get this warning during a normal business process, please request a Business Process Consultation to help you transition to a more secure way of sending or receiving sensitive information.  After the rollout period, the Email DLP system will block any emails containing sensitive data and you will not be able to override it.  

Vendor Cybersecurity Assessments

Completing a Higher Education Community Vendor Assessment Toolkit (HECVAT) assessment is now required for all new vendors that have a software component and is recommended for vendors that are only providing services, but have access to SPU Data.  This includes cloud or SaaS vendors as well as hardware and equipment vendors that include a software component (for example a new HVAC system able to be remotely managed by computer).  This change has been noted in the Enterprise Software Acquisition policy and is required by the Gramm-Leach-Bliley Act and by NIST 800-171.

Protecting Student Privacy


Everyone values privacy and is frustrated when companies are careless with the sensitive information they're entrusted with.  As a member of the Seattle Pacific University community, you share in the responsibility to protect our students by complying with data security regulations and University policies.  The Regulated Data Chart provides a simple overview of which places have the security and contractual protections to store certain types of sensitive Regulated Data. You can also learn more about campus Data Policy, Data Laws and Regulations, and Handling Confidential Data responsibly.

Using a Personal Computer for Work

Personal computers and departmentally-purchased computers (unmanaged) do not have the same security and regulatory compliance protections that SPU-managed computers purchased and managed by CIS have.  Personal devices or cloud resources (like Google Docs) used for work purposes are subject to eDiscovery and can be confiscated or seized if they are suspected to contain information related to a lawsuit against the institution.  Protect yourself, your property, and the University by following the Use of Personal / Un-Managed Devices for Work policy.

Use OneDrive for Cloud File Storage

Storage platforms like Dropbox and Google Drive are not compliant for sensitive or regulated University data, such as information protected by FERPA.  OneDrive for Business, along with Microsoft Teams and SharePoint, are the contractually protected platforms approved for storing sensitive documents in the cloud.


The last 2 years have seen a dramatic increase in cybercrime.  From 2019 to 2020, there was a 435% increase in ransomware attacks, digital attacks aimed at stealing private data and holding it for ransom.  80% of these attacks used fake emails, known as phishing, to trick people into giving up their personal information.  Here at home, SPU students are scammed out of thousands of dollars every year by online scams and fraud.  How can you protect yourself?  Learn best practices for staying safe online to protect yourself and your wallet.  For more information visit  StaySafeOnline.org

Job Scams

Occasionally you may receive an email scam offering an employment opportunity from someone who appears to be associated with SPU. Please delete these messages and do not respond. All legitimate jobs at the university are posted on SPU's Handshake platform. Employers on Handshake are vetted to guarantee their trustworthiness. Here is a blog post with more information to help you identify and avoid employment scammers. If you have any questions about the legitimacy of an email message please forward it to help@spu.edu. NEVER purchase gift cards or provide your banking information before confirming a job is legitimate.

Phishing

Phishing scams often come in the form of email messages attempting to steal your username and password. DO NOT reply to these messages or follow web links where you must confirm or enter your username and password. If you have questions about the legitimacy of a message, trust your instincts and proceed with heightened caution. Most "account alerts" are not only sent via email but posted within your account settings/messages of the secure web site in question. If possible, navigate directly to your account through a secure web connection (https:) to verify the legitimacy of account alerts. And remember - we are here to help! If you ever have any question as to the legitimacy of an email, please forward it to help@spu.edu for assessment. See last year's Cybersecurity Awareness Month blog post about phishing for additional information.

Protect Your Password

SPU will  NEVER  ask you to send or verify your login credentials or other personal/confidential information via email. Your account credentials should not be shared with anyone! Learn Password Best Practices.

Share With Care

Assume that any information you enter online is public unless you are using a known, trusted, secure site. Be careful when posting to social networking sites (Facebook, Twitter, etc.), personal web pages, and blogs since these are great places for people to find personal information about you for identity theft. Once you post something, you can't take it back! 

A good rule is to only post information you would be willing to put on a banner in a public place. 

Back it Up

Protect your valuable work, music, photos and other digital information by making an electronic copy and storing it safely. If you have a copy of your data and your device falls victim to ransomware or other cyber threats, you will be able to restore the data from a backup. Use the 3-2-1 rule as a guide to backing up your data. The rule is: keep at least three (3) copies of your data, and store two (2) backup copies on different storage media, with one (1) of them stored at another location.

Keep a Clean Machine

Keep all software on internet-connected devices – including personal computers, smartphones and tablets – current to reduce risk of infection from ransomware and malware. Configure your devices to automatically update or to notify you when an update is available to ensure you always have the latest security updates protecting you.

Warning From the U.S. Department of Education

Federal Student Aid (an office of the U.S. Department of Education) has issued a warning related to an ongoing IRS impersonation scam, as seen here and copied below. Students and employees at institutions with ".edu" email addresses are particularly at risk of being targeted with these scams. SPU students, faculty, and staff should be watchful for any emails that appear to be from the IRS and claim to disclose information about your "tax refund payment" or "recalculation of your tax refund payment." If you receive an email like this, please delete it and do not click on any links. Contact CIS with any questions.

Notice from the U.S. Department of Education follows:

The Internal Revenue Service (IRS) posted a warning of an ongoing IRS impersonation scam that appears to primarily target educational institutions, including students and staff of institutions that have ".edu" email addresses.

The Treasury Inspector General for Tax Administration and IRS Criminal Investigation has been notified about the suspicious emails that display the IRS logo and use various subject lines, such as "Tax Refund Payment" or "Recalculation of your tax refund payment." The emails ask individuals to click a link and submit a form to claim their refunds.

The phishing website requests that taxpayers provide the following information:

  • Social Security Number (SSN)
  • First Name
  • Last Name
  • Date of Birth
  • Prior Year Annual Gross Income
  • Driver's License Number
  • City
  • State/U.S. Territory
  • ZIP Code/Postal Code
  • Electronic Filing PIN

The U.S. Department of Education encourages institutions to visit the IRS web page—irs.gov/newsroom/irs-warns-university-students-and-staff-of-impersonation-email-scam—which contains details about the phishing campaign. We also ask that you share the web page widely with students and staff to raise awareness about this scam.

Recipients of this scam email should not click on the link in the email, but they can report it to the IRS. For security purposes, recipients should save the email using the "save as" feature and send that file as an attachment or forward the email as an attachment to phishing@irs.gov.

Taxpayers who believe they may have provided identity thieves with their information should consider immediately obtaining an Identity Protection (IP) PIN. An IP PIN is a six-digit number that helps prevent identity thieves from filing fraudulent tax returns in a victim's name. This is a voluntary IRS opt-in program.

Taxpayers who attempt to e-file their tax return and find it rejected because a return with their SSN already has been filed should file an IRS Form 14039, Identity Theft Affidavit, to report themselves as a possible identity theft victim. To learn about the signs of identity theft and actions to take, visit the Identity Theft Central web page on irs.gov.

If you believe your institution has been targeted or breached, report the incident immediately to CPSSAIG@ed.gov and FSASchoolCyberSafety@ed.gov. Include the following:

  • Name of the institution
  • OPEID – School Code
  • Date the incident occurred (if known)
  • Date the incident was discovered
  • Technical details of the incident (if known)
  • Extent of the impact
  • Remediation status (what has been done since discovery)
  • Institutional points of contact

Thank you for your attention to this matter. Federal Student Aid is committed to working with institutions to combat cybersecurity attacks and protect student financial aid information. If you have questions about the information included in this announcement, please email FSASchoolCyberSafety@ed.gov or call 202–377–4697 between 7 a.m. and 5 p.m. Eastern time Monday through Friday. We look forward to working with you and thank you in advance for your efforts to safeguard student information and secure your institution.


October 2020 is the 7th year of National Cybersecurity Awareness Month (NCSAM). NCSAM continues to raise awareness about the importance of cybersecurity across our Nation, ensuring that all Americans have the resources they need to be safer and more secure online. 

The Department of Homeland Security and the National Cyber Security Alliance (NCSA) are proud to announce this year’s theme: “Do Your Part. #BeCyberSmart.” This theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability, and the importance of taking proactive steps to enhance cybersecurity. NCSAM emphasizes  “If You Connect It, Protect It.”

For each week of Cyber-Security Awareness Month, CIS will present a short but entertaining video emphasizing simple steps you can take to #BeCyberSmart! Take these steps so, "If you connect it, you can Protect it," both at work and at home. These videos were produced by Adobe in conjunction with the National Cyber Security Alliance (NCSA) staysafeonline.org where you can find a wide range of topics, to include information and resources to share with your kids to help keep them safe in this digital world. 

Do Your Part. #BeCyberSmart


Topics


Security Awareness Week 1: Passwords

Passwords provide the first line of defense against unauthorized access to your computer and personal information. The stronger your password, the more protected your computer will be from hackers and malicious software.


Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone with an authenticator app like DUO! 

Shake up your password protocol. According to NIST guidance, you should consider using the longest password or passphrase permissible. Get creative and customize your standard password for different sites, which can prevent cybercriminals from gaining access to these accounts and protect you in the event of a breach. Use password managers to generate and remember different, complex passwords for each of your accounts.

Security Awareness Week 2: Data Handling 

The use of data helps make our lives more convenient and streamlined, which likely means the proliferation of online data and devices is here to stay. There is one best practice that each of us can apply that will help personal data stay more secure – only share on a need-to-know basis.

Never click and tell. Limit what information you post on social media—from personal addresses to where you like to grab a coffee. What many people don’t realize is that these seemingly random details are all that criminals need to know to target you, your loved ones, and your physical belongings—online and in the real world. Keep Social Security numbers, account numbers, and passwords private, as well as specific information about yourself, such as your full name, address, birthday, and even vacation plans. Disable location services that allow anyone to see where you are—and where you aren’t—at any given time.

Stay protected while connected. Before you connect to any public wireless hotspot—such as at an airport, hotel, or café—be sure to confirm the name of the network and exact login procedures with appropriate staff to ensure that the network is legitimate. If you do use an unsecured public access point, practice good Internet hygiene by avoiding sensitive activities (e.g., banking) that require passwords or credit cards. Your personal hotspot is often a safer alternative to free Wi-Fi. Only use sites that begin with “https://” when online shopping or banking.

Security Awareness Week 3: Computer Theft

Having something stolen from you tends to leave an indelible feeling of violation and injustice. If what is stolen is an electronic device (e.g. laptop, phone, flash drive), not only is the property gone but so is your data. Stolen data can be more damaging in the long term than the loss of the physical device itself. The data could be personal or company data. If the thief is able to use the device, there are many ways it can become of value to them.


The most important best practice is to not leave devices unattended in public places. This includes a locked car. In many cities, car break-ins are extremely common. Even if you think your risk might be lower, don’t take a chance. Take your devices with you!

Security Awareness Week 4: Phishing and Ransomware

Phishing, we’ve heard of it, but what does it mean? In summary, it is a tool and method attackers use to try and coerce people into clicking on a malicious site or download, potentially leading to a security issue.


Ransomware is an especially dangerous consequence of falling for a phishing attempt. Ransomware is software that locks down data by encrypting it and won’t be unlocked through decryption until a ransom is paid. To protect yourself from ransomware:

  1. Be wary of suspicious emails and look for the signs.
  2. Make sure your antivirus software is up to date and running. It’ll help stop the ransomware in its tracks.
  3. If ransomware is installed, then if you’ve backed up your data, you can ignore the threat and restore the data. Unfortunately, in many cases and especially for large enterprises, the cost of the ransom is significantly less than the cost to restore the data, even if it’s backed up. Therefore, the first and second layers of protection are critical.

Bonus Episodes: 

Removable media


Removable media and devices are portable hardware. The most common is a USB flash drive but other forms could be an external hard drive or SD card.

When it comes to cybersecurity best practices, removable media and devices must only be plugged or inserted into your computer if you trust/know the source.


Vishing Scams

Security Awareness is not just for computers.  “Vishing” is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to trick individuals into revealing personal information, such as bank details and credit card numbers.


How to spot a vishing scam

Here are some of the tell-tale signs of a vishing scam:

  • The caller claims to represent the IRS, Medicare, or the Social Security Administration. Unless you've requested contact, none of these federal agencies will ever initiate contact with you by email, text messages, or social media channels to request personal or financial information. In fact, be skeptical of anyone who calls you with an offer.
  • There's a frantic sense of urgency. Scammers will try to tap into your sense of fear, using threats of arrest warrants and problems with your account. If you get one of these phone calls, remain calm and never give out your own information. Hang up and do your own investigation.
  • The caller asks for your information. They may ask you to confirm your name, address, birth date, Social Security number, bank account info, and other identifying details. To trick you into thinking they're legit, they may even have some of this info on hand. The goal is to get the remaining info that they don't have yet.

CIS HelpDesk Support and Hours


If you have questions or need more information 

Submit a Helpdesk Request via the Portal:  www.spu.edu/cishelpdesk

The CIS HelpDesk can be reached by phone at (206) 281-2982

Monday – Friday         7:30am – 5:00pm

Email any time at  help@spu.edu

Office Hours 
Monday - Friday 7:30 a.m. - 5:00 p.m.

Due to COVID-19 Protocols, In-Person support is available by appointment only. 

(Contact the HelpDesk or submit a HelpDesk Request to make an appointment)


During this time there may be a need to work from home using a personal laptop or home computer. The following are guidelines on how to securely and legally use a personal device for your SPU work in order to minimize risk to the University. Review the Use of Personal / Un-Managed Devices for Work policy for details.

If you need a loaner computer or laptop to work from home effectively, please coordinate with your supervisor.

Using Web Applications


Using web applications such as Canvas, Banner, Slate, Webmail, or Office365 poses very little risk from a personal device.  

Downloading Files / Storing Sensitive Data 


If you download reports or store files that include sensitive data such as Student ID numbers, you must take proper precautions to remain compliant with data security and privacy regulations.  See the Regulated Data Chart for information on the systems we have contractual protections for, and review the applicable Data Laws and Regulations that govern the information you are working with.  

DropBox / Google Drive / etc.  

While convenient, it is unlawful to store regulated data (such as FERPA) on personal cloud storage platforms.  The University provides OneDrive for Business for this purpose. See the Regulated Data Chart for details on which types of regulated data are contractually protected in OneDrive for Business.

Device Security


It is important to keep your device secure, particularly if you are working from a shared home computer.  Remember to log off of SPU resources or lock devices when you are not present.  Review the Use of Personal / Un-Managed Devices for Work policy for details.

Held every October, National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. Week one was all about recognizing the online threats and taking responsibility for your security, Own IT. Week two gave you simple steps to make your online presence safe and secure, Secure IT.  Week three covered the threats that are out there and how to protect yourself, Protect IT.


Welcome to week four where we will share some stories that demonstrate the sophistication of the threats out there and how a little awareness and simple steps can protect you.  


Topics

Phishing Attempt by Phone 


PeterGunst@DigitalLawer reported on Twitter that he, “Was just subjected to the most credible phishing attempt I've experienced to date.”

Here were the steps:

Phone Call

 1) "Hi, this is your bank. There was an attempt to use your card in Miami, Florida. Was this you?" Me: no.

2) "Ok. We've blocked the transaction. To verify that I am speaking to Peter, what is your account number?" Me: <gives account number>

3) "We've sent a verification pin to your phone." ~ Gets verification pin text from bank's regular number ~ Me: <reads out the pin>

4) "Ok. I am going to read some other transactions, tell me if these are yours. ~ Reads transactions ~" Me: Yes. These are all legitimate transactions I made

5) "Thank you! We now want to block the pin on your account, so you get a fraud alert when it is used again. What is your pin?" Me: Are you kidding me, no way.

6) Ok! But then we can't block your card Me: that is bs. ~ hangs up, calls the fraud department of bank ~

Details of what was really going on:

Once I gave my account number, the attacker used the password reset flow of the bank's online web site to trigger a text message from the bank.

They used this to gain access to the account. Then read some of my transactions to give the call more credibility

They needed the pin to send money. They failed at that step. Everything before the "what is your pin" seemed totally legitimate.

Their English was perfect. The bank verification code, sent by the expected number, tricked me. The asking for my pin over the phone... not so much.


Stay safe out there people. And now... joyfully resetting all my passwords, filing a police report, getting additional fraud detection in place. Never a dull moment!

A Close Call


Here is a story from a guy who is now a Cyber Security Expert.

"When I was the target of a social engineer. I used to work at a bank and would come in early to open the branch, and review accounts and the previous day’s work. Looking back, it seems likely that someone was watching me.

One morning, someone called claiming to be a private banker from the Midwest. The person was desperately trying to help a high-profile bank customer.

His tone of voice was deliberate and excited, but he held off being pushy and desperate (a good balance for a social engineer). He said that he was trying to complete some new account paperwork on behalf of the client (not uncommon) and he just needed two pieces of information. He claimed he could see that the customer opened an account at my branch and had used a federal government-issued ID to do so. Initially, I was happy to help, and as I had the social engineer on the phone, I brought the customer information up on my system.

I asked him again for the information he wanted, and I found what he was asking for on my system. At that point, though, I hesitated. I was about to reveal confidential customer information over the phone, to an unknown individual. Instantly, my attitude changed and alarm bells started ringing in my head. I immediately hung up the phone.

I sat there for a minute, thinking about the conversation and what just happened, and got angry. The social engineer had almost fooled me. After I cooled off, I called bank security to report the incident. I thought about just how close I had come to being part of a social engineering con. I thought about where that social engineer might have used the data. It could have been used to open a fraudulent account at another bank, or for a fake identity to sell on the dark web."

Facebook Scam


Davin received a private message on Facebook from the ‘Facebook Freedom Lottery’ claiming he and others had won amounts up to $150 000. At first, he didn’t believe it. Businesses don’t give money away out of the blue and to win in a lottery you need to buy a ticket.

However, moments later his cousin who he hadn’t spoken to in some time sent him a Facebook message about the winnings. His cousin claimed that he had also won and noticed Davin’s name on the list of winners. He claimed he had already received his winnings after going through a relatively easy process.

Trusting his cousin, Davin began the process for accepting the prize money which required him to first pay a small upfront fee of $250. Once this was paid, he was to receive the money into his nominated bank account for which he provided details. The next day he was informed that since the prize money was sitting in a bank in America, he would have to pay an ‘international transfer fee’ which could not be subtracted from the winnings for some complex legal reason.

Davin reasoned that since his cousin had managed to receive the money, then he must have gone through the same process and so he would also pay this additional fee.

Over the next two weeks, Davin paid five more fees, each time believing it would be the last. Eventually, in desperation, he spoke to his cousin and asked how many fees he paid before he received his winnings. Davin’s cousin had no idea what he was talking about and told him that he had only just regained control of his Facebook account after it had been hacked.


It then became clear to Davin that he had been scammed. There never was any prize money and the Facebook message was part of the scam. By this time, Davin had already sent $1500 and handed over a wealth of personal information to scammers.


Helpful Links


  • Homeland Security National Cybersecurity Awareness Web Site
  • CIS HelpDesk Phishing Scams Page
  • The National Security Agency (NSA) Information Page
  • National Cyber Awareness Alerts


CIS HelpDesk Support and Hours


If you have questions or need more information 

You may visit the CIS HelpDesk Monday – Friday 7:30 am-5:00 pm in Lower Marston Hall

Submit a Helpdesk Request via the Portal: www.spu.edu/cishelpdesk

The CIS HelpDesk can be reached by phone at (206) 281-2982

Monday – Friday         7:30am – 5:00pm

Monday – Thursday    5:00pm – 9:00pm

Saturday                      9:00am – 1:00pm

Email any time at help@spu.edu

Beginning Monday, September 30th, and continuing through the rest of the academic year, the CIS HelpDesk will offer extended support hours (evenings and Saturdays).

Office Hours 
Monday - Friday 7:30 a.m. - 5:00 p.m.

Extended Hours
(Telephone, email, and classroom support, CIS HelpDesk visits by appointment)
 
Monday - Thursday 5:00 p.m. - 9:00 p.m. 
Saturday 9:00 a.m. - 1:00 p.m.




Welcome to week 3 of National Cybersecurity Awareness Month (NCSAM). NCSAM is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. NCSAM 2019 will emphasize personal accountability and stress the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. This year’s overarching message – Own IT. Secure IT. Protect IT. – will focus on key areas including citizen privacy, consumer devices, and e-commerce security.






Topics

Identity Theft and Internet Scams

Today’s technology allows us to connect around the world, to bank and shop online, and to control our televisions, homes, and cars from our smartphones. With this added convenience comes an increased risk of identity theft and Internet scams. #BeCyberSmart on the Internet at home, at school, at work, on mobile devices, and on the go.

Did You Know?

  • The total number of data breaches reported in 2018 decreased 23% from the total number of breaches reported in 2017, but the reported number of consumer records containing sensitive personally identifiable information (PII) exposed increased 126%.
  • Credit card fraud tops the list of identity theft reports in 2018. The Federal Trade Commission (FTC) received more than 167,000 reports from people who said their information was misused on an existing account or to open a new credit card account.
  • Consumers reported $905 million in total fraud losses in 2017, a 21.6% increase over 2016.

Common Internet Scams

As technology continues to evolve, cybercriminals will use more sophisticated techniques to exploit technology to steal your identity, personal information, and money. To protect yourself from online threats, you must know what to look for. According to the FTC, these are the top three kinds of threats reported in 2018:

  • Identity theft is the illegal acquisition and use of someone else’s personal information to obtain money or credit. Signs of identity theft include bills for products or services you did not purchase, suspicious charges on your credit cards or new accounts opened in your name that you did not authorize.
  • Imposter scams occur when you receive an email or call from a person claiming to be a government official, family member, or friend requesting personal or financial information. For example, an imposter may contact you claiming to be from the Social Security Administration and inform you that your Social Security number (SSN) has been suspended, in hopes that you will reveal your SSN or pay to have it reactivated.
  • Debt collection scams occur when criminals attempt to collect on a fraudulent debt. Signs the “debt collector” may be a scammer are requests to be paid by wire transfers or credit cards. In 2018 there was a spike in requests for gift cards and reloadable cards as well.

Simple Tips to Protect IT

The bottom line is that whenever you’re online, you’re vulnerable. If devices on your network are compromised for any reason, or if hackers break through an encrypted firewall, someone could be eavesdropping on you even in your own home on encrypted Wi-Fi.

  • Shake up your password protocol. According to the National Institute of Standards and Technology, you should consider using the longest password or passphrase permissible. Get creative and customize your standard password for different sites, which can prevent cybercriminals from gaining access to these accounts and protect you in the event of a breach. Use password managers to generate and remember different, complex passwords for each of your accounts. Read the Creating a Password Tip Sheet for more information.
  • Be up to date. Keep your software updated to the latest version available. Maintain your security settings to keep your information safe by turning on automatic updates so you don’t have to think about it, and set your security software to run regular scans.
  • Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a security token (a small physical device that can hook onto your key ring).
  • Practice safe web surfing wherever you are by checking for the “green lock” or padlock icon in your browser bar: this signifies a secure connection.
  • Avoid free Internet access with no encryption. If you do use an unsecured public access point, practice good Internet hygiene by avoiding sensitive activities (e.g., banking) that require passwords or credit cards. Your personal hotspot is often a safer alternative to free Wi-Fi.

Resources Available to You

If you discover that you have become a victim of cybercrime, immediately notify authorities to file a complaint. Keep and record all evidence of the incident and its suspected source. The list below outlines the government organizations that you can file a complaint with if you are a victim of cybercrime.


5 Steps To Protecting Your Digital Home

More and more of our home devices, including thermostats, door locks, coffee machines, and smoke alarms, are now connected to the Internet. This enables us to control our devices on our smartphones, no matter our location, which in turn can save us time and money while providing convenience and even safety. These advances in technology are innovative and intriguing; however, they also pose a new set of security risks. #BeCyberSmart to connect with confidence and protect your digital home.

Simple Steps to Protect IT

  • Secure your Wi-Fi network. Your home’s wireless router is the primary entrance for cybercriminals to access all of your connected devices. Secure your Wi-Fi network and your digital devices by changing the factory-set default password and username. For more information about protecting your home network, check out the National Security Agency’s Cybersecurity Information page.
  • Double your login protection. Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a security token (a small physical device that can hook onto your key ring).
  • If you connect, you must protect it. Whether it’s your computer, smartphone, game device, or other network devices, the best defense is to stay on top of things by updating to the latest security software, web browser, and operating systems. If you have the option to enable automatic updates to defend against the latest risks, turn it on. And, if you’re putting something into your device, such as a USB for an external hard drive, make sure your device’s security software scans for viruses and malware. Finally, protect your devices with antivirus software and be sure to periodically back up any data that cannot be recreated such as photos or personal documents.
  • Keep tabs on your apps. Most connected appliances, toys, and devices are supported by a mobile application. Your mobile device could be filled with suspicious apps running in the background or using default permissions you never realized you approved—gathering your personal information without your knowledge while also putting your identity and privacy at risk. Check your app permissions and use the “rule of least privilege” to delete what you don’t need or no longer use. Learn to just say “no” to privilege requests that don’t make sense. Only download apps from trusted vendors and sources.
  • Never click and tell. Limit what information you post on social media—from personal addresses to where you like to grab coffee. What many people don’t realize is that these seemingly random details are all that criminals need to know to target you, your loved ones, and your physical belongings online and in the real world. Keep Social Security numbers, account numbers, and passwords private, as well as specific information about yourself, such as your full name, address, birthday, and even vacation plans. Disable location services that allow anyone to see where you are and where you aren’t at any given time.







