Northwestern University

October is Cybersecurity Awareness Month

The new school year is an exciting time for students, faculty, and staff. Unfortunately, it is also prime time for cyber criminals to attempt to take advantage of people during a busy time. 

In recent years, universities—like everyone else—have become increasingly aware of online threats. Campuses have seen payroll systems compromised by criminals who steal faculty and staff passwords. Often this begins with phishing emails, followed by the use of stolen credentials to redirect direct-deposit salary payments. 

The impact of cybercrime is expanding, and we need to ensure systems (including servers and services) and endpoints (desktops, laptops, mobile devices, etc.) are protected from outside threats. To enhance security, specific areas of focus are virtual private networks (VPN), patch management, email security, and privacy. 
 
The following are some of my recommendations to help you avoid becoming the victim of a phishing attack. 

Recommendations For Your Students

Tell your students to watch out for:

Recommendations for Faculty and Staff

Start taking two-factor authentication more seriously.

According to a new report from Microsoft, two-factor, or multi-factor authentication (MFA), helps prevent more than 99 percent of attempted account compromises. MFA protects you from being compromised and protects your email account from being hijacked. If you are on the payroll, it keeps your paycheck safe. MFA is also required to access library databases or course management websites as administrators are concerned about protecting copyrighted materials stored on those networks.

Learn more about DUO, Northwestern University's multi-factor authentication (MFA) system. 

Always use the VPN when you are off-campus or not at home.

A virtual private network (VPN) is especially important when you’re somewhere with unsecured Wi-Fi or in a location where you have a reason to mistrust the networks. If you’re traveling abroad and uncertain of cybersecurity at your destination, ask your department to provide you with a clean loaner laptop to use for travel (where available); or, if you’re unable to secure a loaner laptop, ask Northwestern IT for tips on how to stay safe while traveling.

Familiarize yourself with Northwestern VPN, and learn how to set it up. 

Never respond to any email or phone call asking you for your passwords or other login credentials.

Yes, even if they have the Northwestern University logo at the top, and they come from “IT SYSTEMS SUPPORT”—even if the subject line is “URGENT: ACCOUNT EXPIRATION.” If you’re legitimately concerned that something may be wrong, call our Northwestern IT help desk number, and ask to confirm whether your account is about to expire. Do NOT call the number included in the phishing email! 

In email links to a University system login page, always double check that the beginning of the URL is your school’s domain and that the site has established a secure connection.

View five guidelines to verify the web site has established a secure connection. If you have any doubt at all about the link—or if you cannot see the full URL in the email—open up a new browser window and search for the relevant login page to be sure you are not being misdirected. Remember that our school domain is northwestern.edu. 
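The domain and secure-connection check described above can also be automated, for example in help desk or mail-triage tooling. The following Python sketch is an added example, not Northwestern IT's own code; the function name and the sample links are constructed for illustration, and it goes slightly beyond the text by also rejecting the common ways a link can merely look like it starts with the school domain.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "northwestern.edu"  # the school domain named in the post


def check_login_link(url: str, trusted: str = TRUSTED_DOMAIN) -> list[str]:
    """Return the reasons a link fails the check; an empty list means it passes."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["URL cannot be parsed"]
    problems = []
    # "Secure connection": only https:// links are acceptable for a login page.
    if parts.scheme.lower() != "https":
        problems.append("not an https:// link")
    # Anything before '@' is a user name, not the site being visited.
    if parts.username is not None or parts.password is not None:
        problems.append("text before '@' hides the real host")
    # Backslashes, non-ASCII letters and punycode can imitate a trusted name.
    if not re.fullmatch(r"[a-z0-9.-]+", host) or "xn--" in host:
        problems.append("host contains unexpected characters")
    # The host must BE the domain or END in ".<domain>"; starting with it is not enough.
    if host != trusted and not host.endswith("." + trusted):
        problems.append(f"host {host or '(none)'!r} is not under {trusted}")
    return problems


if __name__ == "__main__":
    # Constructed sample links; none are taken from a real message.
    samples = [
        "https://login.northwestern.edu/idp",
        "http://login.northwestern.edu/idp",
        "https://northwestern.edu.account-verify.example/login",
        "https://northwestern.edu@account-verify.example/login",
        "https://notnorthwestern.edu/login",
    ]
    for link in samples:
        reasons = check_login_link(link)
        print("OK     " if not reasons else "SUSPECT", link, "; ".join(reasons))
```

A passing result only means the link points at the expected domain over HTTPS; certificate validation is still left to the browser.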

Take extra precautions if you weren’t expecting an attachment via email or if you receive attachments that seem even remotely suspicious.

This advice is especially important if the attachment has a file type you don’t often see (.zip, .rar, .exe, .jar) or if the attachment has no file type extension at all. In the Outlook Web App, you can often preview certain types of attachments or open them as webpages before downloading them onto your computer.

Enable full disk encryption on your computer (especially for your non-Northwestern managed computer(s) at home).

Enabling full disk encryption is easy to do for both Mac and Windows. You should also make sure your computer locks and requires a password after being untouched or inactive for at most five minutes. All new computers that have been through the rigorous setup process performed by Northwestern IT are enabled with full disk encryption. If your computer was not set up by a Northwestern IT support technician, or if you are unsure whether your computer has full disk encryption enabled, please contact the Northwestern IT department.

Set up a system for online backups of your hard drive.

Take advantage of Northwestern University’s cloud-based storage systems. (Currently that storage system is Box, but, in this academic year, the University shifts to OneDrive and SharePoint.) Additionally, Northwestern University installs and uses Code42 Crashplan PRO for continuous backup. Don’t start the school year without feeling confident that, if your laptop fell into the lake or was stolen or was infected, you would be able to start over from scratch without losing anything important. You may be confident you would never fall for any malware masquerading as an emailed calendar invite (we are all fallible!), but your computer is connected to a larger campus network. Your security could be in the hands of a student or co-worker. Make sure you’re in a position to recover from both their mistakes and your own mistakes.

Never give someone remote access to your computer.

Even if they claim they are calling from IT! Even if they know your name and your password and your ID number! Northwestern University IT support will never call you without advance notice.

Always beware of emailed requests for gift cards.

The most recent attack tactic targeting our faculty and staff was a scam requesting gift cards.

If you suspect that something is perhaps a little bit strange about an online message or phone call, it is always better to take a little more time to check things out before responding. This applies even, and especially, when you're being told that your boss or someone you love is asking whether you're available and needs a gift card immediately. You also have the option to review a list of some recent phishing attempts that Northwestern University IT has caught on our network. 

Learn More

Check my previous blog entry Anatomy of a Phishing Attempt to learn how to spot (and stop) a phishing email. 
