Keep campus cyber-secure by following these 8 security measures 

By Erik Fretheim
Director, WWU Cybersecurity Program 

The higher education community is on alert this autumn as cyberattacks against college campuses continue to rise. Common targets include student, faculty, and staff accounts and finances accessed through malware-loaded phishing attempts, but more sophisticated hacking attempts to steal intellectual property and university data are also on the rise. As cybercriminals become more sophisticated, so should your personal and institutional cybersecurity practices. College and university communities can better protect themselves by following the latest and greatest cybersecurity rules. It’s Cybersecurity Awareness Month – what better time to make sure you’re up to speed on the latest tips in keeping your devices, data, and intellectual property secure? 

1: Don’t reuse passwords.  

Cybercriminals like to harvest passwords from poorly defended sites, like social media and casual accounts. They then test the same username, email and password combinations against banks and other valuable targets. Having different passwords for different accounts prevents them from succeeding. Having a different password is especially valuable for high-value accounts. Are you using the same or similar passwords for different sensitive accounts out of expediency? Don’t.

2: Use two-factor authentication.  

Two-factor authentication works by texting, emailing, or phoning you with a code whenever you log in to an account with your username and password.  Because the cybercriminal does not have access to your phone or email, even if they found a password you reused, they will not be able to get into your account. Deactivate or temporarily disable your phone number if you find that your phone is missing and your digital accounts are compromised. 

3: Lie when answering account verification questions.  

These questions are used to verify it is you when you lose your password or are talking with a representative on the phone. Companies believe it is information only you would know, but so does everybody who reads your social media (which, by the way, is not as private as you think). A few years ago, the Director of the CIA had his account hacked because his wife’s mother’s maiden name was on social media. If you can’t remember the fake answers you’ve given, create an alter ego and remember it to help keep your story straight.

4: “S is for Secure” -- only visit sites using https (the little lock appears on the browser), not http, when on a public WiFi.  

When a website uses https, the content of the site, including information you send it, is encrypted between your computer and the destination. That means criminals can’t intercept the data and read your information. Using only https sites is a good idea even when not on a public WiFi. 

5: Don’t share your password with anyone.  

That includes tech support, the helpdesk, or the friendly IT guy. Any legitimate support person with a legitimate need has the means to access your account without your password. Your password is like your signature. If a support person helps you by resetting or changing your password (because you answered the verifications correctly) the first thing you should do is change it again yourself. If you let a friend use your password because it was the only way to save a kitten, change your password immediately (once the kitten is safe). 

6: Activate the Firewall and Anti-virus software on your computer.  

The firewall is a tool that acts like a lock on the door, stopping everyone on the Internet from letting themselves freely onto your computer without your permission. Every computer comes with firewall software as part of the operating system. Often, companies add additional firewall software and want you to pay for it. There is no need. The firewall and anti-virus software that come with your computer work well if you keep your operating system updated.

7: Hover over links in emails and messages, including from people you know. Don’t even think about clicking links from names and addresses you do not know.  

Cybercriminals are getting cleverer and are sending messages and emails from what look like your friends’ and families’ social media accounts or emails. So no matter who it’s from, it’s a good idea to hover over any embedded link for a second, which will show where that link will take you – look at the bottom of the window. If it doesn’t look legit, it isn’t. And of course under no circumstances should you click on links in emails and messages from unknown people. You did not win the Irish Lottery, your rich cousin has not died (or you would get registered paper mail from the attorney, not an email), and you’re the last person anyone outside the country would ask to hold onto $10 million for them.

8: Avoid QR codes like the plague.  

We’ve gotten used to QR codes in lieu of menus, pamphlets, and other hardcopy material during the pandemic, but tread very carefully. Because you can’t read the QR code yourself, you don’t know what it is really telling your device to do. Cybercriminals love QR codes because they can make their own stickers to trick your phone or computer and paste them on top of a legitimate QR code, say at a restaurant, on an event poster or in a waiting room. And be especially careful about downloading apps using QR codes. 

Erik Fretheim is the director of Cybersecurity programs at Western Washington University.  Prior to coming to WWU, Fretheim was on the faculty at City University of Seattle.  Lieutenant Colonel Fretheim retired from the US Army Reserves where he served on the faculty of the United States Military Academy at West Point for 19 years, as well as serving in Iraq and at various other posts.   Fretheim served in senior technical and leadership roles including as a CIO, CTO, and consultant for a variety of companies including MCI, Siemens, I5 Digital, Peek Traffic and others. He is a graduate of the United States Military Academy (BS), Long Island University (MBA), and Air Force Institute of Technology (MSEE, Ph.D.).  

 

Wednesday, October 5, 2022 - 11:45am