October marks Cybersecurity Awareness Month, and across the university, the Information Technology and Information Security departments took the time to spread messaging around cybersecurity.
Since 2004, the United States has recognized October as Cybersecurity Awareness Month in an effort to bring awareness to the subject across all sectors.
“You’re always trying to layer different components of security tools, whether they’re administrative or technical to help protect the environment,” said Tom Schindler, the university’s associate director of Information Security.
Higher education is a difficult setting for information security due to the balance between what should be protected and restricted and what content is inclined toward academic purposes, Schindler said.
Specifically, the university frequently faces a large issue with email accounts because of the large number of accounts that are still active but not regularly used. For example, accounts of alumni or students taking a semester off may be targeted by phishing scams, Schindler said.
“What we end up seeing with those is they’re getting compromised because they’re re-using a password,” Schindler said. “Some site they signed up for ends up getting breached, and then that password is basically in the wind, and it’s the same password they used [for their university account].”
When it comes to keeping an account safe, Schindler said users should not re-use the same password and should implement multifactor authentication (MFA), such as short message service, or SMS. An SMS message sends a code or password to a trusted device, where it alerts the user to validate the login.
The university is looking to phase out the voice recognition option for the MFA system, Schindler said.
“If you have the voice option set up and someone has your password, what they’ll do is basically MFA-bomb you,” Schindler said. “What that is, is where you just keep forcing MFA, so as that choice, you’ll get a phone call until you finally approve.”
Attackers can then easily get into accounts because of confirmation given over the phone with voice recognition, he said.
Older devices may also make it easier for attackers and scammers to breach someone’s information because of older operating systems and their inability to receive updates. Schindler regularly sees this around campus, he said, since not all students have the capability and access to newer technology.
“Keeping up with the technology changes and making sure your systems are up-to-date and then having MFA set up and using password managers is the other piece of it,” Schindler said. “I think it’s hard for people that aren’t in [IT] to understand and keep up with [the changes].”
Outside of education, communication, banking and application forms — all containing personal and private information — are floating across the digital world. With that in mind, personnel in the information technology and security disciplines are in demand as the work requirements evolve, Schindler said.
As of Sept. 6, the U.S. Bureau of Labor estimated a projected 32% increase in workers within the information security discipline between 2022 and 2032.
Schindler said academic programs and curriculums geared toward cybersecurity at the university must be constantly updated due to the different threats in order to prepare students pursuing cyber-related jobs.
Besides students concentrating on majors surrounding cybersecurity, the Information Systems department will conduct phishing simulations on all university emails. A phishing email will be sent as a test to users, and if someone fails to recognize the message as a scam and clicks on the link or inputs personal information, an alert will appear on the screen telling the user they have been phished, Schindler said.
“It’s not meant to be any kind of punishment if you click on the message,” Schindler said. “It’s just more informative [to provide more training].”
Anthony Zacharyasz is co-general assignment editor.