Technology and Device Security Essentials

You are a Target

• Many phishing attacks seen at U of I have pretended to be Deans, Athletic Director, Department Heads, etc…
• A recent successful attack redirected from a Google doc to a fake login page, which immediately authenticated to email, which tricked the user into approving Duo
• Fraud was attempted against U of I last summer, which included a caller from a spoofed phone number, and emails from a bogus domain name
• Other universities have experienced phishing, as well as ransomware 
• Attackers are not just after you, they are after your colleagues and their intellectual property as well

Do your part, BeCyberSmart!

Defend your Accounts and Devices

• Don’t use a U of I password on any other sites
• Use a password manager (like Keepass, 1Password, or Lastpass) instead of browser autosave of passwords
• Enroll in “Secure MFA” at next password change, which limits voice and text-message account attacks
• Enable multi-factor authentication on your personal accounts
• Monitor your personal accounts through Have I Been Pwned 
• Set a PIN or use biometrics (fingerprint or face ID) on your personal devices
• Don’t open unexpected attachments or click unexpected links - verify with the sender
• Prevent identity theft
• Prepare for travel
  • Take only what you need when traveling – backup unneeded data and remove it from your devices, leaving it on OneDrive in case you need to access it 
  • Encrypt your device to protect data if lost
  • Avoid public WiFi (airports, coffee shops) and use your phone hotspot, a MiFi device, or VPN
  • Double-check that you have everything – it is easy to forget items at airport security
  • When traveling internationally:
    • OIT can supply a clean/computer or tablet to minimize data loss
    • A computer is a sign of wealth in some countries – minimize use in public to avoid being targeted

Safeguard University Data

• The university is obligated to protect the data collected and generated as outlined in the privacy statement.
• Use the principal of least privilege when determining data access. Only those with a legitimate need to know and proper authorization should be granted data access.
• Follow all applicable regulatory standards including HIPAA, FERPA, Idaho PII laws.
• Exercise caution when sharing data outside the University of Idaho. Ensure you have proper authorization to share data if necessary.

Help Your Staff

• Encourage them to take the annual IT security and phishing training seriously – many recent issues were exactly as described in the training
• Encourage them to cross check with you if the request is somewhat out of the ordinary: call you back on a known number, etc.
• Encourage them to report phishing emails (Report Phish button in Outlook) or other IT security concerns
• Be sensitive that your legitimate requests don’t mimic the known scams – “Can’t talk right now but go buy me…”
• Use your U of I account for official business, and not personal accounts

Report Incidents

• It is critical that any lost or misplaced technology or perceived technology security issues get reported quickly to security@uidaho.edu – your reports can help protect others
• Timely reporting is critical for legal and contractual compliance, as well as to ensure coverage under Idaho cyber liability insurance

Remember we are here to help. Contact your TSP or Local Support for assistance.