University Technology Services

Cybersecurity Awareness Month 2024
Tosin Oteju, Fri, 09/20/2024 - 09:37


Cybersecurity Awareness Month - October 2024

It's a collective responsibility to Secure Our World.

Hello NEIU, it's the month of the year to celebrate Cybersecurity Awareness.

This year’s theme is Secure Our World. The theme recognizes the importance of taking daily steps to reduce data breach risks. It reminds us that securing the data we use at home, work, or wherever we go can help Secure Our World and reduce the likelihood of a successful cyber attack. This is a collective responsibility that takes simple steps and a commitment to maintain good security practices.


Intro

Cyber threats are real and can significantly impact their victims. Cybercriminals continue to invent new and more tactical ways to lure their targets into clicking a malicious link or downloading a malicious attachment, in order to gain unauthorized access to computer systems and data or to impersonate someone for financial gain. This year's theme reminds us of simple and practical ways to protect ourselves, our families, and our businesses from cyber threats and focuses on four key ways to do so when online. Each week will focus on a topic and will feature movie clips, training videos, posters, and online games.

In addition to the four topics, we will include other good practices to maintain when on or offline.

Events

Recorded virtual sessions

  • by the National Initiative for Cybersecurity Careers and Studies (NICCS).

Live sessions hosted by the Computer Science Department

*Attendees will have the opportunity to win $25 Amazon gift cards.

  • "From Heuristics to AI-Powered Security: A Case Study with Designing of Effective Honeypot Systems" by Dr. Sencun Zhu. Thursday, Oct. 24 from 9:30-10:45 a.m. on the Main Campus in Alumni Hall. See
  • "AI Security and Threat Models" presented by Dr. Mohamed Abuhamad, Loyola University, Chicago. Thursday, Oct. 24 from 5:30-6:50 p.m. on the Main Campus in Alumni Hall. See

Other resources from the Computer Science Department

  • The Computer Science Department has provided additional resources for Cybersecurity Awareness Month. To learn more, please visit the .
  • Cybersecurity career paths (NEIU degree programs and certifications in cybersecurity).

Thanks, and have a cyber-safe October!


 

Week One: Use Strong Passwords and a Password Manager

"There are many ways to keep a user account secure; using a strong password is the first basic step" (University Technology Services).

Statistics:

  • 35% of respondents said weak passwords were the main reason their accounts were hacked. (Forbes)
  • 86% of breaches involve stolen credentials, according to Google Cloud's 2023 Threat Horizons Report.
  • 30% of respondents believed their accounts were compromised because they used the same password across multiple platforms. (Forbes)
  • 50% of respondents said that account security was the top reason for using password managers. (Bitwarden)


This Week's Focus: Strong Passwords and Password Managers

Using simple passwords like birthdays, holiday seasons, weather, sports teams, anniversaries, hobbies, etc., can be convenient and easy to remember; however, they are also very easy and convenient for hackers to crack. According to the National Cybersecurity Alliance, "Using weak passwords is like locking the door but leaving the key in the lock."

With the use of artificial intelligence to carry out cyber crimes, cracking passwords has never been easier, but a long and unique password makes a hacker's job more difficult even with the best tools.

Remembering all unique passwords for various accounts has its challenges, but with password managers, users can easily and quickly create unique passwords or passphrases, do not need to remember all their passwords, can seamlessly and securely access accounts on multiple websites and devices, and protect against password reuse and compromise.  

You only need to remember the password to your password manager account. This password or passphrase should be at least 16 characters long and unique.

My role: I am the first line of defense for the systems and data I use. The stronger my password or passphrase, the safer my data and my organization's data are. Remember, we can Secure Our World when we embrace a good security culture.

Training videos and movie clips (Log into KnowBe4 and select the Library tab). Enjoy watching!

The materials below provide examples and practical ways to secure your user account:

  • (Passwords and Access) (4 minutes). 
  • (5 minutes).
  • (4 minutes).

Game:  (external link).

Posters: Click on each one to learn more.

           

 

Please see the University's Password Management Policy (recently updated).

 


 

Week Two: Turn on Multi-Factor Authentication (MFA)

"Using multi-factor authentication is like having someone look out for you" (University Technology Services).

Statistics:

  • Around one in four companies have turned to MFA after a cybersecurity breach. (DUO)
  • Using MFA on an account makes it 99% less likely to be hacked. (Cybersecurity & Infrastructure Security Agency - CISA)
  • 99.9% of hacked accounts did not use MFA. (Microsoft)


This Week's Focus: Turn on Multi-factor Authentication (MFA)

The use of multi-factor authentication (MFA), also called 2FA, has nearly doubled since 2020 according to Okta, and the primary reason is that MFA is considered one of the strongest authentication methods. Some surveys report that users see MFA as an additional step that can sometimes be cumbersome, but over time, users have found that MFA helps secure their user accounts where their passwords have been compromised.

MFA is a tool that requires an additional step in the user authentication process when logging into an account. It is designed to ensure that a user has all the verification information (such as a username, password, and MFA information) before authenticating the user and granting access to the relevant resources. MFA provides an additional layer of security for user accounts.

There are different MFA methods including: 

  • MFA push notifications are sent to an MFA mobile app which the user can approve or decline.
  • Randomly generated codes are presented on an MFA mobile app or MFA hardware device, or MFA codes are sent via a call, text, or email.
  • A PIN (personal identification number) is assigned to a user, which they must provide during authentication.
  • Fingerprint, palm scan, face ID, or voice recognition.
  • Security questions that users must answer.

Almost all organizations that provide financial, health, tax, or benefits services or other services that handle personal information require their employees to use MFA and provide MFA to their customers.

My role: I can safeguard access to my data and my organization's information by using all the resources available to help me do so.

Remember, you can Secure Our World when you take responsibility for information security. Below are some simple but practical steps that can help you keep your user account secure:

  • Don't delay using MFA if it is available. Learn more about the University's MFA tool.
  • Most MFA methods still require passwords or passphrases. Use strong passwords and don't share them. The longer your password, the more difficult it is for hackers to crack.
  • Keep your devices locked when not in use and store them away in your absence. MFA will not protect your user account or information if you leave your computer unlocked and unattended.
  • Watch out for phishing attacks. Stop, look, and think before you respond to unsolicited or suspicious emails, texts, or calls.
  • Watch out for MFA hacking. Don't approve any MFA push notification that you did not request, and don't share your MFA code with anyone.
  • Visit the Cyber Smart Tips page for more good practices.

Training videos (Log into KnowBe4 and select the Library tab)

The materials below provide examples and practical ways to secure your user account:

  • (2 minutes). 
  • (5 minutes).
  • (3 minutes). An external awareness video by Arctic Wolf.
  • (2 minutes). An external awareness video by CISA.

Posters: Click on each one to learn more.

 

                     

   


Week Three: Recognize and Report Phishing

"When you report, we get stronger" (KnowBe4).

Statistics:

  • Phishing attacks account for more than 80% of reported security incidents. (CSO Online)
  • 57% of organizations see weekly or daily phishing attempts. (GreatHorn)
  • 68% of breaches involved a human element in 2024. (Verizon)
  • In 2023, the average cost of a data breach caused by phishing was $4.72 million. (Upguard)


This Week's Focus: Recognize and Report Phishing

What is Phishing?

Phishing is simply a tactic cybercriminals use to make their target believe a lie and act on that lie for the gain of the cybercriminals. Phishing is usually carried out using different methods including emails, text messages, social media, mobile apps, phone calls, and even QR codes. With the use of Artificial Intelligence, some phishing scams impersonate people so convincingly that the target could easily fall for them if not cautious.

Phishing has been reported as one of the most common and successful cybersecurity attack methods and is the leading cause of security incidents. This is because it often does not require a system flaw, failure, or a technical tool but plays on human trust and reasoning to succeed. According to KnowBe4, "The problem isn't the lack of software designed to detect, prevent, and protect – it's that human response is a required part of every phishing attack that users seem to be happy to oblige."

We must therefore know how to recognize phishing so we don't fall for it! 

My role: Be aware of the different phishing tactics, and learn how to respond to and report them. A good way to prevent being phished is to stop, look, and think before you respond.

Recognizing and responding to phishing:

  • Who is the message coming from and can the sender be trusted? Look for misspellings or unusual text or characters in the email address, message, or the link provided. Watch out for unfamiliar email addresses or telephone numbers.
  • Does it appear to be a random or unusual message even if the person or entity is known? Contact the person or entity directly using known contact information such as their telephone number or visit the organization's website.
  • Is the message alarming and are you being asked to take urgent action like verifying a financial transaction, confirming a password change, downloading an attachment, or purchasing items on the sender's behalf? Check first with the helpdesk or information security team for advice.
  • Are you being asked for a favor because the sender or caller appears "in need"? Don't take any action that could compromise your or other people's information or send money to the sender. Verify the person first before you respond.
  • Are you being offered a service and asked or directed to provide information that may be sensitive such as your login details, MFA approval or code, social security number, DOB, address, etc? End the communication and contact the relevant organization from a known number.
  • Are you being asked to scan a QR code from an unknown or unfamiliar source? Don't scan if you don't know. Just scanning a QR code could download malware on your device. Use your device camera to preview the URL before clicking.
  • Verify applications before downloading them and download only from trusted sources. Use the verify app feature in your mobile device app store to detect and protect your device from harmful apps.
  • Watch out for freebies. If it is too good to be true, it probably is!

Reporting phishing:

You should report phishing as soon as possible to stop it from spreading further. Also, you should mark the email as spam to stop receiving emails from the sender. Different email platforms such as Outlook, Yahoo, Gmail, etc., have features for blocking and reporting phishing, and you should check each platform on how to do so. In Nmail, follow the steps below:

  • Select the three vertical dots in the phishing or spam email as shown in the image below:

  • Select either block (sender's name), report spam, or report phishing from the options.

You should also forward the email to abuse@neiu.edu so the helpdesk can act on it. 

Training videos and movie clips (Log into KnowBe4 and select the Library tab to see or search for the videos). Enjoy watching!

The materials below provide examples and practical ways of combating phishing:

  • (7 minutes). 
  • (4 minutes).
  • (4 minutes).
  • (2 minutes).

Game:

Posters: Click on each one to learn more.

            

 


 

Week Four: Keep Software Updated

"When notified about software updates, especially critical updates, install them as soon as possible. Cybercriminals won't wait so we shouldn't either!" (CISA).

Statistics:

  • The National Vulnerability Database (NVD) recorded 28,831 vulnerabilities in 2023, up from 25,081 in 2022.
  • In 2023, 25% of security vulnerabilities were immediately targeted for exploitation, with the exploit published on the same day as the vulnerability itself. (Qualys)
  • 48% of all universities and 70% of the top 500 have software products with known exploited vulnerabilities. (UpGuard)
  • In 2023, 40% of ransomware attacks in higher education were due to exploited vulnerabilities. (EdTech)


This Week's Focus: Keep Software Updated

Software is the heart of every computer and IT service we use. Imagine a world without software for work, learning, carrying out daily tasks, or connecting with people… Imagine a world without mobile apps or online services…

As software is an essential commodity in today’s world, hackers always look for ways to exploit vulnerabilities (weaknesses) in software. The easiest way to do this is to look for software not updated with the relevant security patches. This means that every time a software update is delayed or ignored, it creates an opportunity for a hacker to compromise the computer running that software. If we maintain the latest updates and fixes for the software we use, we benefit from using the latest features the software offers and make our devices and information more secure.

My role: I will use and manage software responsibly to keep hackers out of my business.

Remember, you can Secure Our World when you take responsibility for the appropriate use and handling of software. Below are some practical steps for keeping software updated and staying protected from malicious software:

  • Enable automatic software updates on your devices. This makes it easier to keep your devices running secure software.
  • If available, set up notifications for new updates from the software vendor or your organization. Delays will leave your devices open to malware.
  • Only download software directly from verified sources and app stores.
  • There are many apps designed to compromise your device and steal your data.  Don't fall for app freebies!
  • Watch out for fake software fixes. If you receive an unusual email, text, call, or a pop-up window to fix your device or update your software, contact IT first to check before downloading the software.

Training videos and movie clips (Log into KnowBe4 and select the Library tab to see or search for the videos). Enjoy watching!

The materials below provide examples and practical ways to secure your user account:

  • (4 minutes).
  • (5 minutes).

Posters: Click on each one to learn more.  

                     

 

Live sessions hosted by University Technology Services and Computer Science Department

*Attendees will have the opportunity to win $25 Amazon gift cards.

  • "From Heuristics to AI-Powered Security: A Case Study with Designing of Effective Honeypot Systems" by Dr. Sencun Zhu. Thursday, Oct. 24 from 9:30-10:45 a.m. on the Main Campus in Alumni Hall. See
  • "AI Security and Threat Models" presented by Dr. Mohamed Abuhamad, Loyola University, Chicago. Thursday, Oct. 24 from 5:30-6:50 p.m. on the Main Campus in Alumni Hall. See         

 

Thank you for participating in this year's Cybersecurity Awareness Month. 

 

 

Cybersecurity Awareness Month 2023
Tosin Oteju, Tue, 09/12/2023 - 11:50

Cybersecurity Awareness Month - October 2023

It's easy to stay safe online.

2023 marks 20 years of Cybersecurity Awareness Month! 

This year’s theme is “It's easy to stay safe online.” The theme aims to make actionable steps positive, approachable, and back-to-basics to help people protect themselves from cyber criminals. It reminds internet users that there are plenty of simple ways to stay secure when online. -Cybersecurity and Infrastructure Security Agency (CISA)/National Cybersecurity Alliance (NCA)


 

Cyber threats can be scary, and for good reason. Malware can be lurking in a suspicious email or text and all it takes is a click or a download for a breach to occur and cause severe damage to an organization. During Cybersecurity Awareness Month, we will share best practices and tips to help us stay cyber-safe everywhere we go. We will learn how simple and practical steps can prevent cyber attacks from being successful.

This year’s campaign will focus on the following four key practices that are simple and actionable for both individuals and businesses. 

 

Events

National Cybersecurity Alliance (NEIU participants will be joining other Illinois universities).

  • Behavioral science presentations:

  1. Friday, Oct. 6 at 1:00 p.m. EST (noon CT). .

  2. Tuesday, Oct. 24 at 5:00 p.m. EST (4:00 p.m. CT). .

  • Game show: Tuesday, Oct. 10 at noon EST (11:00 a.m. CT). .

In-person sessions and a trivia night hosted by the Computer Science Department.

  1. Women in Cybersecurity Panel discussion: Tuesday, Oct. 10 from 3:00-4:00 p.m. in Room CBT 149

  2. Cybersecurity information session - cybersecurity career paths (NEIU degree programs and certifications in cybersecurity): Thursday, Oct. 19 from 3:00-4:00 p.m. in Room LWH 1001

  3. Monday, Oct. 30 from 4:30-5:30 p.m.

 

* The Computer Science Department has provided additional resources for Cybersecurity Awareness Month. To learn more, please visit the .

 

Thanks, and have a cyber-safe October!


 

WEEK ONE: Security culture and you

An organization's security strength and resilience depend on the culture that drives it. - UTS

Statistics:

  • Nearly 90% of all data breaches happen because of poor cybersecurity posture (Balbix).
  • 79% of consumers polled said organizations have an obligation to take reasonable steps to secure their personal information (Computer Weekly).
  • Human error is the main cause of 95% of cybersecurity breaches (IBM).


This week's focus: What is a security culture and how can you contribute to it?

Security culture is defined as the ideas, customs, and social behaviors of a group that influence its security. By helping to create a strong security culture, we can protect our organizations and homes from cyberattacks. (KnowBe4)

A strong security culture promotes principles and practices to protect a community from events that could compromise its critical resources and operations. It requires partnership and ownership across all members of that community to engage in these practices.

My role: Information security is a shared responsibility, and I can be proactive in cultivating a culture of good practices by knowing what to do and caring enough to do it.

An organization’s employees are at the center of everything; they can either be easy prey, or they can become an effective human layer of defense (KnowBe4). Remember, it's easy to stay safe online when we embrace a good security culture.

The videos below provide more insight into what an information security culture is with a few examples of good security practices such as securing passwords and how to prevent being phished.

Training videos (Please click on the Library tab):

  •  (4 minutes)
  •  (5 minutes)
  •  (4 minutes)

Game:  (external link)

Posters:

                              

              

 


 

WEEK TWO: Enable multi-factor authentication

Wouldn't it be nice to provide the best security for the things that are valuable to you so you worry less about their safety? Multi-factor authentication enables individuals and organizations to protect their user accounts so they worry less about the safety of the information held in the accounts. - UTS

Statistics:

  • According to Microsoft, multi-factor authentication prevents 99.9% of automated assaults on its platforms’ websites and other online services.
  • 99.9% of hacked accounts did not use MFA (Microsoft).
  • Google’s data showed that having a text message sent to a person’s phone for additional verification prevented 100% of automated bot attacks that use stolen passwords and 96% of phishing attacks that try to steal passwords.


This week's focus: Enable multi-factor authentication (MFA)

The use of multi-factor (MFA) or two-factor authentication continues to grow as security trends show that MFA plays a key part in reducing data breaches resulting from compromised user accounts.

In addition to a username and password, MFA enforces verification from a user logging into an account to prove their identity in multiple ways before the user can access the account. The additional verification method is registered to the owner of the account and only the owner can provide the verification. Additional verification methods may include:

  • A push notification to an MFA mobile app which the owner can approve or decline.
  • Randomly generated PIN codes on an MFA mobile app or from an MFA hardware device.
  • A call or a text message to receive a PIN code.
  • Fingerprint, palm scan, face ID, or voice recognition.

Almost all service providers offer MFA and it is important to enroll to use MFA if it is available. The more user accounts you enable MFA on, the safer your information is and the less worried you can be about changing your password frequently unless you believe it is compromised. Examples of services that offer MFA are:

  • Financial services
  • Social media
  • Online retail stores
  • Email services
  • Internal Revenue Service (IRS)
  • Credit monitoring services
  • Airlines

My role: I can protect myself and my organization by using and managing my user accounts securely. 

Remember, it's easy to stay safe online when we take responsibility for information security. Below are some simple but practical steps that can help keep our user accounts secure:

  • Don't delay using MFA if it is available. Learn more about the University's MFA tool.
  • MFA still requires the use of passwords or passphrases. Use strong passwords and don't share them. The longer your password, the more difficult it is for hackers to crack. Change it at least once every six months if MFA is enabled.
  • Keep your devices locked when not in use and stored away in your absence. MFA will not protect your user account or information if you leave your computer unlocked and unattended.
  • Watch out for phishing attacks. Stop, look, and think before you respond to unsolicited or suspicious emails, texts, or calls.
  • Watch out for MFA hacking. Don't approve any MFA push notification that you did not request, and don't share your MFA PIN with anyone.
  • Visit our Cybersecurity Tips for more good practices.

Training videos: (Please click on the Library tab)

  •  (5 minutes)
  • (5 minutes)
  • (5 minutes)

Poster:

                                                      

 


 

WEEK THREE: Recognize and report phishing

It is easier and cheaper to manipulate people using social engineering to gain access to information, IT systems, or buildings than to use technical tools. Why? People can easily be convinced to ignore simple security practices that are there to protect them if they believe they need to act immediately or show goodwill in response to a request. - UTS

...So you need to be able to recognize phishing so you don't fall for it!

Statistics:

  • 91% of all attacks begin with a phishing email to an unsuspecting victim (Deloitte).
  • Education was the most targeted industry in 2022 for phishing, with attacks increasing by 576% (Zscaler).
  • Human error is the main cause of 95% of cybersecurity breaches (IBM).


This week's focus: Recognize and report phishing

Phishing is a tactic used by cybercriminals to trick people into believing something to make them divulge sensitive information or click on a malicious link. This could then be used by cybercriminals to carry out harmful activities, including gaining unauthorized access to IT systems and information, impersonating individuals for financial gain, carrying out ransomware attacks, etc.

Phishing scams are becoming very sophisticated and almost believable if you don't know what to look for. They are usually carried out through emails, text messages, social media, and phone calls.

Most phishing attacks share common characteristics and often use familiarity or current issues to increase the likelihood of a victim falling for these scams. The goal is always to steal vital information or compromise IT systems which could then be used to carry out further attacks. 

A good way to prevent being phished is to stop, look, and think to be sure before you respond.

Recognizing phishing:

  • Who is the message coming from and can the sender be trusted? Look for misspellings in the email address, message, or the link provided. Watch out for email addresses or telephone numbers that you are not familiar with.
  • Does it appear to be a random or unusual message even if the person/entity is known? Contact the person or entity directly using known contact information such as their telephone number or visit the organization's website.
  • Is the message alarming and are you being asked to take urgent action like changing your password, downloading an attachment, or purchasing some gift cards? Check with the IT department or information security team for advice.
  • Are you being asked for a favor because the sender or caller appears to be in need? Don't take any action that may compromise your or other people's information, or purchase items on behalf of someone.
  • Are you being offered a service and asked or directed to provide information that may be sensitive such as your login details, MFA approval or pin code, social security number, etc? End the communication and contact the relevant organization from a known number.
  • Watch out for freebies. If it is too good to be true, it probably is!

Blocking and reporting phishing:

It is important that you report phishing as soon as possible to stop it from spreading further.  You should also block the sender from sending other emails to you. Different email platforms such as Outlook, Yahoo, Gmail, etc., have different ways of blocking and reporting phishing and you should check each platform on how to do so. In Gmail, follow the steps below:

  • Select the three vertical dots in the phishing email as shown in the image below:

  • Select from the options listed to either report spam, or report phishing.
  • After reporting it, block the sender and delete the email.

My role: My responsibility is to protect the information that is valuable to me and the University by identifying phishing scams and responding to them appropriately.

Training Videos: (Please click on the Library tab)

  •  (5 minutes)
  • (4 minutes)

Game:  (external link)

By identifying phishing scams, responding to them appropriately, and reporting them promptly, we keep ourselves and the University safer. Remember, it's easy to stay safe online when we embrace a good security culture. See the posters to learn.

Posters:

                        

 


 

 

WEEK FOUR: KEEP SOFTWARE UPDATED

THINK TWICE BEFORE PUTTING OFF UPDATES!

"Many people might select “Remind me later” when they see an update alert. However, many software updates are created to fix security risks. Keeping software up to date is an easy way for us to stay safer online." - CISA

Statistics:

  • Over 8,000 vulnerabilities were published in Q1 of 2022 (Comparitech).
  • According to Unit 42, 48% of ransomware cases began with software vulnerabilities (Palo Alto).
  • 57% of cyberattack victims said their breach was due to unpatched vulnerabilities, and 34% knew of the vulnerability but failed to apply patches in time (Cyrebro.io).


This week's focus: Keep Software Updated

Software solutions are designed to facilitate processes so that we can carry out daily activities efficiently. Software providers have the responsibility of identifying flaws in their solutions and providing fixes and updates to address these flaws to maintain software functionalities and security and to prevent opportunities that hackers could use to exploit their software.  

Hackers are always looking for ways to exploit vulnerabilities (weaknesses) in software and the easiest way to achieve this is to look for software that is not updated with the relevant security patches. This means that every time a software update is delayed or ignored, it creates an opportunity for a hacker to compromise the computer running that software. However, if we maintain the latest updates and fixes for the software we use, we not only benefit from using the latest features the software offers, but we also make our devices and information more secure.

My role: My responsibility is to keep the software on my devices up-to-date.  Below are some basic steps to follow:

  • Turn automatic updates on. This makes it easier for updates to be downloaded and installed as soon as they are available without you having to check every time.
  • Watch for software notifications. Your device will always notify you when there is a new update or your organization may ask you to update software used for work. Don't ignore the notification but act responsibly and update the software as soon as possible.
  • Software and app downloads: Only download software directly from verified sources and app stores. 
  • Don't fall for app freebies. You may be downloading malware on your computer!
  • Watch out for fake software fixes. If you receive an unusual email, text, call, or a pop-up window to fix your device or update your software, contact IT Helpdesk directly to check before you respond to it.

Training Videos: (Please click on the Library tab)

  •  (2 minutes)
  • (5 minutes)

To keep our devices and information safer, we need to ensure the software we use is kept up-to-date. Remember, it's easy to stay safe online when we embrace a good security culture. See the poster to learn.

Poster:

                       

Thank you for participating in this year's Cybersecurity Awareness Month.  

Data Governance
Tosin Oteju, Fri, 06/30/2023 - 16:04

Purpose

Data Governance sets out the standards for handling data from when it is created or collected to its disposal to protect its confidentiality and integrity.

Policy

The policy establishes three data classification groups that define the sensitivity levels for university data based on the privacy legislation governing each group, legal requirements and the University's information security and data privacy policies and principles. The classification groups also set out the requirements for handling the data under each category. 

The categories are summarized below:

  • Restricted: Data governed by privacy laws and legal agreements. Examples are social security numbers, health records, credit card information, financial records, commercially sensitive information, intellectual property data, unpublished University plans, strategies or research plans and proposals, sensitive IT system information, etc.

  • Internal: Internal to the University and only shared with external parties when required by law, contractual obligations, or authorized by the data owner. Examples are internal memos, disciplinary information, performance review, unpublished financial and audit reports, unpublished salaries, organizational restructuring, coursework, third-party contracts, course transcripts, assessments, test results, etc.

  • Public: Available in the public domain such as University website contents, employee and student directory information, policies, procedures, published financial or audit reports, statistical data, etc. 

Furthermore, the policy defines the procedures and the roles and responsibilities for implementing the data governance process along with guidelines for complying with the policy.

Information Handling Requirements

The University's information security standards are the baseline requirements for using University or personal devices for work purposes and for handling University data. The legislation governing each data type may require additional handling procedures that must be implemented alongside the baselines to enable compliance with the requirements of the legislation. 

To learn how the University implements data governance, see the Data Governance Policy.

Fri, 30 Jun 2023 21:04:47 +0000 Tosin Oteju 94606 at
Hard Disk Encryption /university-life/university-technology-services/information-security/hard-disk-encryption Hard Disk Encryption Tosin Oteju Fri, 04/28/2023 - 15:14

NEIU is committed to safeguarding student, employee, and other business data. One of the ways to protect data is to provide hard disk encryption on all employee computers (desktops and laptops).

The best way to protect sensitive data is to store it in secure storage areas provided by the University, such as the shared network drives/folders or Google Drive where access is restricted and secure and data is backed up regularly. However, there are situations where data is stored on desktops or laptops to support work, and hard disk encryption provides security for such data.  

Encryption on a computer's hard disk makes it difficult to access the data stored on the computer without the right access privileges or decryption keys. If a device is lost or stolen or there is an online threat to gain unauthorized access, the data stored on the device is protected due to encryption. This will reduce the possibility of a data breach and help protect individuals and the University from adverse circumstances. 

Encryption works by scrambling real data and converting it to a non-readable format. The University provides full hard disk encryption which works by encrypting the hard disk of the computer including files, the operating system, and applications on the computer.

Limitations

Hard disk encryption only protects files while they are on your computer. Hard disk encryption will not apply to files:

  • shared via email;
  • transferred to or stored in shared network drives/folders or Google Drive.

An encrypted file will no longer be encrypted when it leaves your hard disk unless transferred to another encrypted hard disk or encrypted USB drive.

If an encrypted computer is left unlocked and unattended, anyone close to the computer can access the data stored and encryption will not protect against unauthorized access.

Note: Information on how to maintain file encryption for different use cases will be available in due course.

Operating systems and approved encryption software 

The following are the supported operating systems for hard disk encryption:

  • Windows OS 10 and up: Dell Encryption
  • Mac OS 10.14.6 and up: Mac FileVault.

Data Backup

Usually, hard disk encryption will not impact how you access your files or corrupt your files, but it is important that you back up your data before enabling hard disk encryption. To learn how to back up your files or to get support, email helpdesk@neiu.edu or follow the .

Encryption on employee-owned computers

Enabling hard disk encryption to protect data is good practice at home or work. If you wish to enable encryption on your personal computer, please see the user guide below for Windows and Mac computers:

  • Windows: 
  • Mac:

FAQ

Windows Computers

How long will the installation take?

Between 5 and 10 minutes. After this, your computer will reboot or you may be asked to restart your computer. The encryption process will start after the computer is restarted.

What happens if my computer shuts down or restarts during installation?

Like any software installation, shutting down or restarting your computer will stop the encryption software installation and you will need to start the process again.

Will I be able to continue working during the software installation?

No. You will not be able to work for 5-10 minutes during the installation.

Will I be able to continue working during the encryption process?

Yes. The process will run in the background and should not affect your work. 

Will encryption affect how I access my files?

Encrypting data does not restrict the ability of a user to view, create, change, rename, copy, move, share, or delete their files and folders as usual.

Will I be able to share encrypted files with others?

It depends:

Yes, if the encrypted files are shared with USB drives. When transferring files from an encrypted hard disk to a USB drive, you will be prompted to encrypt the USB before files can be transferred.

No. Encrypted files shared via email or transferred to the shared network drives/folders or Google Drive will lose encryption. Encrypted files will only remain encrypted when they are stored on an encrypted hard disk or USB drive.

Mac Computers

How long will the installation take?

After about a minute, the computer will restart. When you log into the computer, it will ask you to confirm encryption. The entire process should not take longer than 2-3 minutes to complete.

Will I be able to continue working during the software installation?

No. You will not be able to work during the installation.

Will I be able to continue working during the encryption process?

Yes. The process will run in the background and should not affect your work. 

Will encryption affect how I access my files?

Encrypting data does not restrict the ability of a user to view, create, change, rename, copy, move, share, or delete their files and folders as usual.

I do not have a Self-Service application in my Applications folder.

Please contact helpdesk@neiu.edu or (773) 442-4357 and a technician will check if your Mac is currently enrolled in our Mobile Device Management system. 

I do not see the Encrypt My Computer icon in the Self-Service application.

There are several possible reasons why you do not have the FileVault Disk Encryption - NEIU: 

  1. Did you previously run the Novell Migration & Login Improvements? If you haven’t, you may need to do so. It can be run via the Self-Service application.

  2. Are you logging into the computer with a generic account or is a generic account currently on your computer? You can check by going into the System Preferences / Settings —> Users & Groups. The generic account may be named neiustaff. If so, please contact the Help Desk and a technician will either rename the account or, if the account is not being used, will remove the account.

  3. Your Mac may also need to be re-enrolled into our Mobile Device Management system. Please contact the Help Desk to inspect or troubleshoot the issue.

How is this process different than if I were to turn on FileVault manually?

It is essential that the Self-Service process is used.  This process will escrow a digital security key with our management system and allow the Service Desk technicians to troubleshoot technical issues and assist with unlocking the computer if the password is forgotten. 

Does encryption change how I use my password to log in?

After your computer has been encrypted, the computer will prompt you to enter your computer password before completing boot up. If your computer password is the same as your NetID password, the computer will automatically log you into the NEIU network after you log into the computer.

If the two passwords are different (not synchronized), the computer will prompt you to synchronize the two by entering both your NetID password and then your computer password. This will change your computer password to match your NetID password. 

Will I be able to share encrypted files with others?

You can share your files with others but any files which leave your computer will no longer be encrypted. 

Fri, 28 Apr 2023 20:14:11 +0000 Tosin Oteju 94547 at
Identity Protection Training /university-life/university-technology-services/information-security/identity-protection-training Identity Protection Training Tosin Oteju Fri, 11/11/2022 - 15:37

Learn, Do, Secure

NEIU has an obligation to protect the data it holds about individuals from the time of collection to disposal. Social Security Numbers (SSNs) are some of the data the University collects and processes to carry out its operations. It is important to safeguard SSN information against unauthorized access and limit unnecessary dissemination to reduce the possibility of identity theft.

To achieve this, the University has instituted its Identity Protection Policy to fulfill the requirements of the Identity Protection Act (5 ILCS 179/1, et seq.). The purpose of the policy is to comply with the State of Illinois and federal regulations related to the collection, use, or disclosure of SSNs as defined by the Identity Protection Act (5 ILCS 179/1, et seq.). The Identity Protection Act requires each local and state government agency to draft, approve, and implement an Identity-Protection Policy to ensure the confidentiality and integrity of SSNs the agencies collect, maintain, and use.

To support all employees who handle SSNs in complying with the Identity Protection Act requirements for handling SSNs, the University has developed some training slides on Identity Protection. This training is mandatory.

My responsibility

All employees who handle SSNs to carry out their job functions play an important role and are responsible for keeping SSNs secure from unauthorized access and misuse. To carry out this responsibility, employees are required to:

For questions about the training, please contact uinfosec@neiu.edu.

Fri, 11 Nov 2022 21:37:32 +0000 Tosin Oteju 94183 at
Cybersecurity Awareness Month 2022 /university-life/university-technology-services/information-security/cybersecurity-awareness-month-2022 Cybersecurity Awareness Month 2022 Tosin Oteju Fri, 09/09/2022 - 13:29

Cybersecurity Awareness Month - October 2022

#See Yourself in Cyber

"This year’s campaign theme — “See Yourself in Cyber” — demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people. This October will focus on the “people” part of cybersecurity, providing information and resources to help educate CISA partners and the public, and ensure all individuals and organizations make smart decisions whether on the job, at home or at school – now and in the future. We encourage each of you to engage in this year’s efforts by creating your own cyber awareness campaigns and sharing this messaging with your peers."

- Cybersecurity and Infrastructure Security Agency (CISA)


We recognize the need for cybersecurity every day to keep our information safe. This October, the University is participating in National Cybersecurity Awareness Month. 

Though threats to cybersecurity may regularly make the news, we know how to guard against them but we can’t do it alone. We all need to play our part! During Cybersecurity Awareness Month, we will share best practices and tips to keep us cyber-safe everywhere we go. To turn away cyber attacks, a little knowledge teamed with critical thinking skills can go a long way!

The overarching theme for this year’s awareness month is “See Yourself in Cyber.” Each week will feature one of the following themes, a training video, a game, and posters. It is going to be a fun and cyber-safe month!

Training

Information security training is available to all employees on the training page

Thanks, and have a cyber-secure October!


 

WEEK ONE: CYBERSECURITY AT WORK

#See Yourself in Cyber

"The best defense against cyberattacks is not technological cybersecurity solutions but the strengthening of the human element." - Perry Carpenter, cybersecurity veteran, author and chief evangelist-security officer for.

Facts and Figures

  • 42% of schools have students or employees that circumvent cybersecurity protections. -Impact My Biz
  • Nearly three-quarters (74%) of ransomware attacks on higher ed institutions succeeded. -Inside Higher Ed
  • Ransomware attacks on U.S. schools and colleges cost $6.62b in 2020. - Darkreading
  • 95% of cybersecurity breaches are caused by human error. -

Focus

This week's focus: Cybersecurity at Work.

No matter what our job role is, when we see ourselves in cyber, we recognize the need and take responsibility to protect the data, devices and other IT resources we use for work.

My role: Stop, Look and Think! It does not matter the type of cyber attack we face, when we stop, look and think, it goes a long way to protect us from taking actions that could compromise the information that is valuable to us and the organizations we work for. Click on each image below to learn more.

                       

Additional Contents

  • Training video:  (2 minutes).
  • Game:  (external link).

*Some additional resources on cyber awareness have been provided by the Computer Science Department. To learn more, please visit  at NEIU.

To learn more about being #cybersmart, visit the Cybersmart page


 

WEEK TWO: WATCH OUT FOR THAT PHISH!

#See Yourself in Cyber

"Very smart people are often tricked by hackers, by phishing. I don’t exclude myself from that. It’s about being smarter than a hacker. Not about being smart." -Harper Reed

Facts and Figures

  • Phishing attacks account for more than 80% of reported security incidents. -
  • 57% of organizations see weekly or daily phishing attempts. -
  • According to the results of , almost 20% of all employees are likely to click on phishing email links and, of those, a staggering 67.5% go on to enter their credentials on a phishing website. 
  • 95% of cybersecurity breaches are caused by human error. -

Focus

This week's focus: Watch Out for That Phish!

How do hackers operate? They use tactics to convince or scare their victims into taking an action. These tactics come through different methods. The following are some methods they use:

  • Phishing: The use of an email to trick you into giving out sensitive information or taking a potentially dangerous action, like clicking on a link or downloading an infected attachment. Hackers do this using emails disguised as contacts or organizations you trust so that you react without thinking first.
  • Vishing: Phone-based social engineering is voice phishing or “vishing.” Like phishing, vishing is when the hacker calls you and tries to con you into surrendering confidential information.
  • Smishing: Smishing stands for “SMS phishing” or phishing that occurs through text messaging.
  • Pretexting: When a hacker calls and creates a story (usually impersonating a senior colleague or IT service in the organization) to get information from their victim. Oftentimes, the victim feels the need to trust the caller and give out information.

My role: Hackers enjoy phishing, but we don't have to be the bait. Let's be the human firewall (a barrier) between the hacker and the information that is valuable to us and the university by identifying phishing tactics and responding to them appropriately.

Before taking an action, Stop, Look and Think! Click on each image below to learn more.

                                                      

Additional Contents

  • Training video: You will learn how phishing works, red flags to watch out for when requests for login information are involved, how people can fall for bait, and tips for staying secure.
  1.  (5 minutes). 
  2.  (4 minutes).
  • Game: Test your ability to identify phishing emails, try Google's  (external link).

 

WEEK THREE: MORE THAN JUST PHISHING 

#See Yourself in Cyber

"Social engineering bypasses all technologies, including firewalls." -Kevin Mitnick, KnowBe4

"Hackers find it easier and cheaper to manipulate people using social engineering to gain access to information, IT systems, or buildings than to use technology. Why? People can easily be convinced to ignore simple security practices that are there to protect them if they believe they need to act immediately or show goodwill in response to a request." -UTS

Facts and Figures

  • 98% of Cyber attacks involve some form of social engineering. -
  • Up to 90% of malicious data breaches involve social engineering -
  • On average, social engineering attacks cost companies $130,000.00 through money theft or data destruction. It is important to note that social engineering can lead to broader breaches. In those cases, the totals can reach hundreds of thousands, if not millions of dollars

    -

Focus

This week's focus: More Than Just Phishing

What is Social Engineering? Social engineering is simply the art of convincing someone to trust you so that they take an action you want them to take for your advantage. Victims usually lower their guard and give up sensitive information if they trust someone.

Social Engineering is more than phishing. This week focuses on the other most common social engineering methods beyond phishing. These methods include pretexting, baiting, quid pro quo, tailgating, and the use of social media.

  • Pretexting: When a hacker calls and creates a story (usually impersonating a senior colleague or IT service in the organization) to get information from their victim. Oftentimes, the victim feels the need to trust the caller and give out information.
  • Baiting: When a victim is lured into taking an action in exchange for an item. The victim might give out information or click on a link that would then be used by the hacker to carry out malicious activities against the victim or the organization they work for. For example, a victim could get an email from a utility service company or a product vendor asking them to complete a survey in exchange for an Amazon gift card. The survey link would be the entry point that the hacker uses to compromise the victim or their organization.
  • Quid Pro Quo: Like baiting, victims are lured into taking an action in exchange for a service. For example, the victim might get a call supposedly from social security services offering them some type of benefits and the victim then gives out their social security number which could be used to impersonate them. 
  • Tailgating: This is when someone without authorization gains access to a building or an office area by following closely behind someone with authorization. The attacker usually pretends to be busy with something or someone or carrying an item or engages the victim in a conversation and hopes that the victim would allow them in based on goodwill. 
  • Social Media Reconnaissance: This is when the attacker uses social media to learn more about their victim and/or the organization they work for. The attacker then uses the information gathered to build a friendly relationship with the victim over a period of time to gain the victim's trust and then lures the victim into taking an action. 

My role: Let's watch out for requests offering us goods or services in exchange for an action they want us to take or social media connections including professional connections, job or business opportunities, etc. 

Additional Contents

  • Training video: You will learn how pretexting and some other social engineering attacks work and how to identify and respond to them:
  1.  (5 minutes). 
  2.  (15 minutes).

Before we respond to a request for sensitive information, download or access a shared file, accept a new friend or professional connection or allow someone into a restricted area, Stop, Look and Think! Click on each image below to learn more.

           

If you have any questions or would like to provide some feedback, please email uinfosec@neiu.edu


 

WEEK FOUR: CYBERSECURITY AT HOME

#SeeYourselfInCyber

"Security used to be an inconvenience sometimes, but now it’s a necessity all the time." -Martina Navratilova

"Cybersecurity is not for the passive nor the reactive minds but for those who proactively see the need to maintain good practices and own the responsibility to secure the data they handle everywhere and all the time". - UTS

Facts and Figures

  • 20% of organizations experienced a breach because of a remote worker. Data breach costs increased by over $1 million whenever remote work was a causal factor. -
  • According to , individual SSN can retail for as little as $4 on the darknet, and passport information sells for $62.61 on the dark web. -
  • A clone credit card with pin sells for as little as $15 on the dark web. -
  • It takes victims, on average, 6 months and approximately 200 hours of work to recover from identity theft, and an average loss of $1,100 per victim. - 

Focus

This week's focus: Cybersecurity at Home

Working remotely has become a way of life for many over the last two years. Once a luxury, working from home has become all but a necessity and has brought with it many information security risks and challenges. This week's focus is keeping cybersecurity top of mind at home; both when working and in our everyday lives.

Non-office environments such as homes, hotels, cafeterias, sport centers, etc., are usually very conducive for hackers to operate as these settings are considered to have fewer safeguards in place than an office. For this reason, we have to continue to maintain good practices wherever we are, take responsibility for how we handle data and the IT resources we use and remain vigilant to keep the hackers out. Below are some essential security hygiene practices to maintain:

  • Use a strong password and don't share it.
  • Use multi-factor authentication - password only is not enough! Beware of unsolicited DUO or any other multi-factor authentication requests e.g. to provide a pin or approve a Push. Decline such requests. 
  • Keep the software/applications on your devices up to date.
  • Maintain active anti-virus software on your devices.
  • Store and share sensitive data securely. Dispose of sensitive papers and unwanted devices securely. 
  • Don't circumvent manufacturers' security settings on your devices.
  • Use social media sensibly and keep your communications and data private. Be sure of the friend or professional requests you accept.
  • Don't be phished! Beware of emails with attachments to download, or soliciting sensitive information from you including your password, social security number, driver's license details, etc.
  • Beware of bogus websites and the links you visit. If unsure, use a search engine to look up the website address.
  • Use available awareness and training resources to keep you current on cybersecurity. See the University's cyber smart tips page.
  • Report any suspicious or actual incident as soon as possible to IT. When you report, we get stronger!

As we wrap up the last week of National Cybersecurity Awareness Month, the key takeaway is to #SeeYourselfInCyber. This means that your cyber security responsibility cannot be delegated. You have to know it, own it and do it! Click on the images below to learn more:

            

Additional Contents

  • Training video
  1. (5 minutes).
  2. (15 minutes).
  3.  (2 minutes).
Fri, 09 Sep 2022 18:29:52 +0000 Tosin Oteju 94080 at
PCI DSS Training /university-life/university-technology-services/information-security/pci-dss-training PCI DSS Training Tosin Oteju Wed, 06/22/2022 - 15:30

Learn, Do, Secure

The developed a set of standards called Payment Card Industry Data Security Standards (PCI-DSS) to protect payment card information. Merchants and organizations that collect, process, store, or transmit payment card information must comply with the security standards.

The University is committed to protecting the privacy of payment card information (cardholder information) it processes to comply with the PCI DSS requirements by establishing a policy and a procedure to standardize the process for handling payment card information from the time of payment authorization to completion and ensure that the appropriate controls are in place to safeguard this information against any data breach.

To support the employees who handle cardholder information and operate card payment systems in complying with the PCI DSS requirements, the University is providing training on PCI DSS. This training is mandatory.   

My responsibility

All employees who handle cardholder information and operate card payment systems play an important role and are responsible for protecting this information and card payment systems. To properly carry out this responsibility, employees are required to:

  • Complete the . There are three modules located under the Library menu,
  • Read and comply with the University’s PCI DSS Policy,
  • Report any incident relating to mishandling, misuse, or any other breach of cardholder information or card payment devices immediately to ServiceDesk@neiu.edu.

For questions relating to the PCI DSS training, please contact uinfosec@neiu.edu

Wed, 22 Jun 2022 20:30:07 +0000 Tosin Oteju 93939 at
MFA FAQ /university-life/university-technology-services/information-security/multi-factor-authentication-mfa/mfa-faq MFA FAQ Tosin Oteju Mon, 01/03/2022 - 16:12

Learn, Do, Secure

What is MFA?

Multi-factor Authentication is a tool that provides additional protection for user accounts by ensuring that account owners verify account access requests before any access is granted. This is achieved by providing additional verification along with your Net ID and password when logging into some NEIU applications and accounts (Nmail, VPN, NEIUworks, and Employee Self-Service Portal).

Why is NEIU implementing MFA (DUO MFA)?

Compromised user accounts have become the easiest way for cybercriminals to gain access to your data, attack organizations to infiltrate IT systems, steal information or disrupt an organization's operations. NEIU is implementing DUO MFA to provide strong access control to your data and the information and IT resources you use for work. By using MFA, your user account has more security, making it less susceptible to being compromised, since your Net ID and password along with an additional form of verification are required. DUO provides this additional verification using the DUO mobile app on your device or a DUO hardware token.

Am I required to use DUO Multi-Factor Authentication? 

Yes. Staff and faculty will only be able to access the applications protected by DUO MFA once their smartphone devices are enrolled to use DUO mobile app or when they have been issued DUO hardware tokens. 

Where can I download the DUO mobile app?

The DUO mobile app can be downloaded from Apple App Store and Android Play Store.

How do I enroll my smartphone to use DUO MFA?

You can enroll your smartphone to use DUO MFA by following the University's DUO Device Enrollment Instructions.

Does it cost me anything to use DUO MFA on my smartphone? 

No, there is no cost to download the DUO mobile app on your smartphone. The DUO mobile app will send push notifications to your smartphone.

Do I have to use DUO every time I want to log into an application?

No. DUO's "trust this browser" and "remember me" features make it convenient to use DUO by reducing the number of times that you'll be prompted for DUO MFA if you are using the same device and the same browser. These features are set to remember you for 12 hours.

To use these features, follow the DUO MFA Remembering a Connection Guide.

Note: User experience may vary depending on the application a user is logging into.

If I use my device for DUO, what information will DUO have access to?

DUO does not use any additional information other than your mobile phone number. During the enrollment process, you may decline to share data.

Note: DUO mobile app will never access your photos and will only use your camera to scan the QR code to help set up DUO. If you have enabled access to your camera when adding your DUO account, you can remove the permissions by going to the Apps section under the device settings, looking for the DUO mobile app's permissions, and disabling the camera access.

If I have no data plan or internet connection, can I still use DUO?

If required, the DUO mobile app provides options that work without a data plan or internet connection. If you have an internet connection, the app makes two-factor authentication as easy as sending you a DUO Push notification; if you don't, you can use the app to generate a six-digit passcode and enter that instead.
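How an authenticator app can produce a six-digit passcode with no network connection, shown with the standard counter-based HOTP algorithm (RFC 4226). This is an added illustration, not DUO's code or part of the original FAQ; the `HotpVerifier` class, its look-ahead window, and the secret (the RFC's published test key) are assumptions for the example.

```python
import hashlib
import hmac
import struct

# Test key published in RFC 4226, Appendix D. Never use it for real accounts.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive a one-time passcode from a shared secret and a counter.

    Both the device and the server hold the secret and a counter, so the
    device needs no network access to compute the next code.
    """
    # HMAC-SHA1 over the counter encoded as an 8-byte big-endian integer.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low 4 bits of the last byte pick a 4-byte slice.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server-side check (hypothetical helper for this example).

    Accepts a code only if it matches one of the next few counters, then
    moves past that counter so the same code can never be accepted twice.
    """

    def __init__(self, secret: bytes, window: int = 3, digits: int = 6):
        self.secret = secret
        self.window = window      # how many skipped codes are tolerated
        self.digits = digits
        self.counter = 0          # next counter value not yet used

    def verify(self, code: str) -> bool:
        # Reject anything that is not exactly `digits` ASCII digits.
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        for candidate in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, code):
                self.counter = candidate + 1   # burn this code and all earlier ones
                return True
        return False


if __name__ == "__main__":
    server = HotpVerifier(RFC_TEST_SECRET)
    code = hotp(RFC_TEST_SECRET, 1)            # user skipped code 0 on the device
    print(code, server.verify(code))           # accepted, within the window
    print(code, server.verify(code))           # replay of the same code is refused
```

Because each accepted code advances the server's counter, a passcode that someone overhears or phishes after it has been used is worthless, and one generated far ahead of the server's counter is refused.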

What if I do not wish to use my personal device for DUO?

Using the DUO mobile app is preferred but DUO hardware tokens can be assigned by UTS User Services.

How can I request a DUO hardware token?

Send an email to UTS User Services at helpdesk@neiu.edu, or call (773) 442-HELP (4357) to set up an appointment to collect a hardware token.

Can I register a new phone number after I have the DUO MFA service?

Yes. Please contact UTS User Services to re-enroll your new device.

Can you use a hardware token and a phone?

No. Smartphones are the preferred option. If you don't have a smartphone, you can request a hardware token.

I have lost my smartphone or hardware token. What should I do?

You should inform the UTS User Services as soon as possible to disable DUO on the lost device and to provide an alternate option.

Can I use the Duo Mobile App or hardware token when traveling abroad?

Yes, you can use DUO mobile app and hardware tokens when traveling to receive push notifications or passcodes.

Do I need DUO MFA to use University Zoom?

NEIU Zoom requires authentication using your NEIU credentials. You will need to use DUO for additional verification to authenticate into your Zoom account.

Note: If you are already logged into Nmail, you will not need to authenticate to use Zoom when using the same browser.

I forgot my smartphone or hardware token at home, what should I do?

You should contact UTS User Services for a temporary option. 

If I think that my smartphone has been compromised, what should I do?

You should inform the UTS User Services as soon as possible to disable DUO Service.

I have lost or damaged my hardware token, what should I do?

Please report it to UTS User Services as soon as possible. Depending on the situation, you may be required to pay for a new hardware token.

I receive an unsolicited DUO Push notification, what should I do?

If you receive a DUO Push that you did not request, deny the request and change your account password immediately. Denied requests are automatically reported to UTS.
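What reported denials can feed on the IT side: an added example (not NEIU's or DUO's tooling) that scans authentication events for repeated denied pushes and for an approval that follows them, which suggests the password is already known to someone else. The `key=value` log format, field names, thresholds and sample lines are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a made-up format (not DUO's log schema).
SAMPLE_LOG = """\
2024-10-01T08:00:05Z user=asmith factor=push result=approved ip=198.51.100.10
2024-10-01T08:05:00Z user=asmith factor=passcode result=approved ip=198.51.100.10
2024-10-01T09:14:00Z user=jdoe factor=push result=denied ip=203.0.113.7
2024-10-01T09:15:30Z user=jdoe factor=push result=denied ip=203.0.113.7
2024-10-01T09:16:00Z user=bkim factor=push result=denied ip=192.0.2.44
2024-10-01T09:17:10Z user=jdoe factor=push result=denied ip=203.0.113.7
2024-10-01T09:18:00Z user=jdoe factor=push result=approved ip=203.0.113.7
2024-10-01T10:30:00Z user=bkim factor=push result=denied ip=192.0.2.44
2024-10-01T10:31:00Z user=bkim factor=push result=approved ip=192.0.2.44
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed time."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["stamp"] = stamp
    event["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_push_abuse(log_text, window=timedelta(minutes=10), threshold=3):
    """Return alerts as (user, kind, timestamp) tuples.

    repeated_denials       - `threshold` denied pushes inside `window`:
                             someone else is entering this user's password.
    approved_after_denials - an approval right after such a burst: the user
                             may have given in, so treat the session as suspect.
    """
    recent_denials = defaultdict(deque)   # user -> times of recent denied pushes
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("factor") != "push":
            continue                       # passcodes and tokens are out of scope
        user, now = event["user"], event["time"]
        denials = recent_denials[user]
        while denials and now - denials[0] > window:
            denials.popleft()              # forget denials older than the window
        if event["result"] == "denied":
            denials.append(now)
            if len(denials) == threshold:  # alert once per burst, not per denial
                alerts.append((user, "repeated_denials", event["stamp"]))
        elif event["result"] == "approved" and len(denials) >= threshold:
            alerts.append((user, "approved_after_denials", event["stamp"]))
            denials.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_push_abuse(SAMPLE_LOG):
        print(alert)
```

In the sample, `jdoe` triggers both alerts, while `bkim`'s two denials more than an hour apart do not, since a single mistaken tap is normal.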

If I have more questions about DUO MFA, who should I contact?

Send an email to UTS User Services at helpdesk@neiu.edu, or call (773) 442-HELP (4357).

Mon, 03 Jan 2022 22:12:41 +0000 Tosin Oteju 93477 at
Cybersecurity Awareness Month 2021 /university-life/university-technology-services/information-security/cybersecurity-awareness-month-2021 Cybersecurity Awareness Month 2021 Tosin Oteju Sun, 10/10/2021 - 19:28

Cybersecurity Awareness Month - October 2021

Do Your Part. #BeCyberSmart!

October is Cybersecurity Awareness Month. We recognize the need for cybersecurity every day to keep our information safe, and this month we join others to celebrate cybersecurity by sharing tips to stay cyber safe. To turn away cyber attacks, a little knowledge teamed with critical thinking skills can go a long way!

This year's overarching theme, “Do Your Part. #BeCyberSmart.”, emphasizes the role that we each play in online safety and the importance of taking proactive steps to maintain cybersecurity at home or work.

During this awareness month, we will focus on the following themes. To read more about each theme, click on the theme's title.

As part of the University's effort to improve information security awareness, information security awareness training is now available to staff and faculty on the training page. Staff and faculty can access the available course modules from this page. 

Thanks, and have a cyber secure October!


Be Cyber Smart

#CyberMonth #Cybersecurity #InformationSecurity 

Facts and Figures

  • Human error constitutes over 95% of data breaches. (IBM)
  • The average cost of human error in cybersecurity breaches was reported as $3.33 million. (IBM)

Being cyber smart is not just for IT professionals! We all have a responsibility to employ good security practices to better secure the data, devices, and other IT resources we use. We contribute to a more secure digital environment by doing our part. 

The following tips have been put together to remind us of how to maintain security on or offline:

  • If you are not sure, think before you click on a link. Verify the sender before you take any action.
  • Use strong passwords. Your password is personal to you, don't share!
  • If available, use additional verification (multi-factor or two-factor authentication) for your user accounts.
  • Use anti-virus and keep the software on your device up-to-date. Don't bypass vendor security settings on your device. Enable a PIN code on your device to prevent unauthorized access.
  • Be sure you verify who you share information with and only share what is necessary.
  • Store and share information using secure methods. 
  • Dispose of sensitive papers and unwanted devices securely. 
  • Use social media sensibly and keep your communication and data private.
  • Verify the authenticity of the website you visit before you carry out any sensitive transactions.
  • Only use secure Wi-Fi for sensitive online transactions. 

To learn more about being #CyberSmart, visit our CyberSmart page.


Phight the Phish - think before you click!

#FightThePhish #Phishing #Ransomware #BeCyberSmart #CyberMonth

Facts and Figures

  • 47% of phishing attacks resulted in account compromise. (Mimecast)
  • 49% of phishing attacks resulted in malware infection. (Mimecast)
  • 45% of the time, individuals provide their information to phishing sites. (ZDNet)

Phishing is a tactic cybercriminals use to trick people into trusting a message so that they divulge sensitive information or click on a malicious link. Cybercriminals can then use this to carry out fraudulent or harmful activities, including gaining unauthorized access to IT systems and information, impersonating individuals for financial gain, or carrying out a ransomware attack.

Phishing attacks are carried out through various methods, including email, text messages, social media, and phone calls. Most phishing attacks share common characteristics: they create a need to respond urgently to a situation, and they often use familiarity or current issues to increase the likelihood of a victim falling for the scam. The goal is always to steal vital information or compromise an IT system that could then be used to carry out further attacks.

The theme, "Phight the Phish!" is dedicated to increasing awareness of phishing attacks, as they can occur anywhere, at home, work, or when traveling. It aims to highlight the dangers of phishing attacks and how you can identify and respond to them. 

We have put together the following resources to help you identify and respond to phishing attempts appropriately.

Be a cyber hero and phight phishing to keep the information you use safe from cyber criminals! 


Explore, Experience, Share

#CyberMonth #CyberCareer

Facts and Figures

  • 57% of cybersecurity professionals say a shortage of cybersecurity skills has impacted the organization they work for. (ZDNet)
  • 80% of companies say they have a hard time finding and hiring security talent. (Gartner)
  • By 2029, the cyber security job market is set to grow by 31%. (U.S. Bureau of Labor Statistics)

Explore, Experience, Share focuses on inspiring and promoting awareness and exploration of cybersecurity careers. In this month of cybersecurity awareness, we celebrate cybersecurity professionals, their contributions, and innovations by highlighting a few cybersecurity roles and what they do:

  • Network Security Engineer: A network security engineer plays a significant role in securing the network of an organization. His or her role involves configuration, provisioning, and administration of several different components of a network, including security-related hardware and software to ensure that network communication and services are available to those who need it and to protect against cybercriminals. (Fieldengineer.com)
  • Security Architect: Security architects think like hackers. They push existing computer and network security systems to their limits. Once security architects identify vulnerabilities in existing systems, they plan and implement architectural changes to boost security structures. These professionals often develop and implement entirely new security architectures. They blend knowledge of security hardware and software, organizational needs, and cybersecurity risks with organizational policies and industry standards to strengthen cybersecurity capabilities. (Cyberdegrees.org)
  • Application Security Developer: An application security engineer ensures that every step of the software development lifecycle (SDLC) follows security best practices. They are also responsible for adhering to secure coding principles and for helping to test the application against security risks/parameters before it is released to end-users.
  • Security Systems Administrator: A security systems administrator handles all aspects of system security and protects the virtual data resources of a company. They are responsible for desktops, mobile, and network security, and are also responsible for installing, administering, and troubleshooting system and software issues. (Careerexplorer.com)
  • Information Security Risk and Compliance Manager: The main task of this role is to uphold the ethical integrity of the organization and ensure that business operations comply with regulatory requirements. This role often focuses on the implementation of risk management processes that align with best-practice standards, which include but are not limited to policy development and implementation, awareness training, audit, incident management, compliance management, business continuity, and disaster recovery planning, etc.

To learn more about cybersecurity careers, see

The National Institute of Standards and Technology partners with various organizations to provide cybersecurity education, training, and workforce development - .

Building a cybersecurity workforce will enhance security!


Cybersecurity First

#CyberMonth #CybersecurityFirst

Facts and Figures

  • Out of 17 industries surveyed, the education sector ranked last in terms of cybersecurity preparedness. (stealthlabs.com)
  • The education sector experienced almost 64% of all malware attacks, or more than 6.2 million incidents, in May 2021. (stealthlabs.com)
  • Ransomware accounted for 32% of cybersecurity attacks on the education sector in the first half of 2021 compared to just 11% the year before. (helpnetsecurity.com)
  • 30% of users in the education sector were victims of phishing. (stealthlabs.com)

The final week of Cybersecurity Awareness Month challenges us to always try to do our part and #BeCyberSmart. What we do today can affect the future of personal, consumer, and business cybersecurity.

Cybersecurity is a year-round effort and should be one of our first considerations when we handle data or buy new devices and connected services. It is not a one-off exercise but should be a habit, and it is our responsibility towards ourselves and those who trust us to keep their information safe.

Remember, #BeCyberSmart and keep #CybersecurityFirst in the office, at home, or when traveling.

See our CyberSmart page for good cybersecurity practices.

You will also find useful resources on the.

If you have any questions, please contact helpdesk@neiu.edu.

*National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Agency (CISA) content is copyrighted and reproduced under the or license.
Mon, 11 Oct 2021 00:28:30 +0000 Tosin Oteju 93327 at
Administrative Computing Staff /university-life/university-technology-services/administrative-computing-services/administrative-computing-staff Administrative Computing Staff Silvia Ramirez Fri, 08/20/2021 - 11:40

Naveen R. Akkati

Naveen joined the Administrative Computing team in 2015. As a Database Administrator, Naveen maintains multiple transactional and analytical databases of our Banner ERP. He installs and upgrades Banner core applications and provides integration support to third party applications.

Latasha Lewis

Latasha has been part of the team for 22 years. As an Applications Administrator, she is responsible for the technical support of Evisions, TouchNet, Xtender and Luminis.

Fri, 20 Aug 2021 16:40:15 +0000 Silvia Ramirez 93209 at