University of South Florida

USF News

Hackers are watching, but you can deter them with these simple steps

The recent cyberattack on Equifax that compromised the confidential information of 145 million Americans – half of the adults in the United States – has placed a blinding spotlight on our online vulnerability.

How vulnerable are we? There are over 100 records breached every second – almost three quarters are identity theft breaches and more than two thirds are by malicious outsiders. In 2016, nearly all cyberattacks – 91 percent – started with a spear phishing email, which is an email that appears to be from a person or business you know. And many of those attacks contained a form of ransomware.

“Hackers are constantly poking around to find openings,” said Alex Campoe, CISSP, chief information security officer for USF. “You have to be attentive, constantly. We’re all busy and get countless emails each day, but we can’t be moving so fast that we don’t take steps to prevent hackers from getting through.”

That effort, Campoe said, will keep not only the university’s digital data safe but also our own private information – because in the digital world, they are more connected than you may realize.

And every day, we offer more ways for the virtual intruders to break in, said Sri Sridharan, director of the Florida Center for Cybersecurity, a statewide agency located on the USF Tampa campus.

“By connecting so many devices to the internet that hold private information, we offer a big playground for hackers,” Sridharan said.

And it’s not just computers, phones and tablets, he said. We are connecting our houses and their components so we can access them remotely – garage doors, air conditioners, appliances, and myriad gadgets. This remote connectivity may add convenience but those additional devices may not have appropriate security software associated with them, Sridharan said.

Sridharan offers another example of ways we open our homes virtually: Your child opens a toy – a doll that can hold a conversation using cloud software via your home’s WiFi. The instructions recommend you create your own password as you connect it to your home’s WiFi. Eager to see your child play with the new toy, you bypass that option and go with a known default, like 1234. You have just offered the crevice that hackers look for to find your home’s WiFi, which exposes every other device using your home’s WiFi.

While a 2016 crime survey showed that only 37 percent of organizations have a cyber-incident response plan, Campoe said USF has an extensive one that constantly evolves because a cyber-response plan is only useful if it shifts to keep abreast of new developments.

“At USF, we are monitoring, tracking, and investigating the cyber threat landscape 24/7,” Campoe said. “USF takes active steps in preparing for and, more importantly, detecting oncoming threats. And, just like fire drills and military training, we practice scenarios involving breaches, ransomware, phishing, you name it.”

So in light of the Equifax breach, and because October is National Cyber Security Awareness Month, both Sridharan and Campoe offer the following ways to practice good cyber hygiene.

Change passwords often – It’s a pain but it makes the difference. At USF, you will be asked to change your password and go through a quick security awareness questionnaire every six months.

Don’t use duplicate passwords – Hackers find one that works on one account and try it across the board for every account you have.

Create super unique passwords – No pet names, no birthdays, no 1234 or 9876, etc. A newer approach is to use a passphrase, a sentence or statement known only to you and with no spaces, such as imgoingtobuyanewcarnextyear. You can also use the first letters of each word in the sentence or statement. For example, ‘I’m going to buy a new car next year’ would be igtbancny. Some systems will require you to capitalize one or more of the letters and include one or more numbers or symbols. Do not use literary quotes or lyrics to songs – hackers have software to search for these and can crack most in a matter of seconds.

Opt for multifactor authorization – It requires a second level of verification and can also alert you when someone else is trying to log in.

Do not open attachments – Never open an attachment on an email unless you can verify the email is authentic. Double check the prefix and the suffix of the email address. Example of a trick email address: palpay.com

Do not click on links within emails – Unless you can verify the email is authentic, never click the link. Hovering over the link with your cursor will show the actual address they are trying to send you to.

Use the known website – If you get an email that seems to be from a commercial entity (Netflix, Amazon, Bank of America, etc.), do not click links within that email – even if you’re offered the deal of the century or there’s a sense of urgency for adjusting your account. Go directly to the entity’s known website and look for the deal or login and adjust your account from there. This is also a good practice with tempting sponsored content (ads) within social media.

Use secure networks – Those public WiFi networks are convenient but not secure and can expose you. Assume every click you make (passwords, banking, emails, social media posts, visited websites) is being picked up by anyone else on that network or any hacker probing that network. It might use more of your battery but using an LTE connection is far more secure.

Stay ahead of the hackers – Use antivirus software on all your devices and keep it up to date. Same goes for software for your browsers, operating systems, and firmware – stay up to date with security patches.

Do not use an unknown jump drive – You don’t know where it’s been.

Look for the padlock – Secure sites will have the little padlock image in the front of their URL in the web address bar and their URL starts with https (rather than http only). Those are placed there by your search engine (Google, Firefox, etc.) indicating that your login information and your account information are encrypted, which prevents unauthorized access.

Do not download apps from within emails or online/social media ads – Go directly to Apple’s App Store or Android’s Google Play Store and search for and download from there.

If you have concerns or questions, you can email abuse@usf.edu, or security@usf.edu. You can also call: USF IT at 974-1222; and USF Health IS at 974-6288 – calling these numbers is best if you are at your computer.