Emails with malware and dangerous links increase at the start of each semester. That’s why Vice President & CIO Elias Eldayrie sent a campus-wide communication this week, reminding the UF community to be extra vigilant before clicking on a link or opening an attachment in an email. Three ways you can contribute to a secure computing environment at UF are by taking the information security awareness training, reporting suspicious emails, and being mindful when opening an email marked [EXTERNAL EMAIL].
• Last year, 16,526 faculty and staff completed the Protecting UF: Information Security Awareness training. Additionally, 10,878 students completed Protecting UF’s phishing module. All training modules were updated this summer, so be sure to complete the training when you receive your annual reminder. Faculty, students, and staff can also take the training at any time of the year.
• Report suspicious messages in GatorMail with the phish alert report button. If an email seems suspicious, just highlight it and click on the phish alert report button in the top right of your email. This action sends the potentially dangerous email to UFIT so staff can investigate. In FY23, more than 48,000 emails were reported using this button.
Although 98.5% of phishing messages received from outside UF in FY23 were blocked, some still get through. Be vigilant about what emails you open, especially those flagged with [EXTERNAL EMAIL]. Dive deeper into cyber tips on https://security.ufl.edu/.
We store everything on our phones: saved media, files, and data stored inside apps. While this makes it convenient to document our life on social media or quickly retrieve a class file, it can also slow down your iPhone or Android device.
Even worse: A phone with tons of data and images stored on it is the holy grail for cybercriminals, who can hack into it and ransom your photos and personal information (like credit card numbers stored in an app) back to you. They can steal your identity and go shopping with your credit card or PayPal balance. They can decide to sell your data on the dark web. Whatever they do will severely disrupt your life. In addition to making sure you use a strong password on your phone, it’s a good idea to delete any apps from your phone that are obsolete for your life now.
Your device will also run faster if unused apps and files are deleted. Most phones will list when you last visited each app. Did you download an app for a class or for a trip taken last year? If you don’t need it, delete it! Also, relocate content from your phone to an external storage service. Did you know that faculty, students, and staff get 5TB of OneDrive storage? Take advantage of this highly secure free cloud service today! Contact the UFIT Help Desk if you need assistance using OneDrive.
Restricted data is subject to retention and destruction standards imposed by federal and state laws, regulatory mandates, and campus policies. The UF data retention schedule is available on the Smathers Library site.
As important as it is for faculty and staff to know data retention standards, it’s equally important to know how to properly discard restricted data. Different media require different destruction methods. For example, just throwing away paper records or deleting restricted data from a PC or other device does not meet university requirements. Paper records, CDs, and DVDs with restricted data cannot be reused and should be cross-cut shredded or incinerated. The sanitization and destruction standards policy should be mandatory reading for anyone in the UF community prior to working with or handling restricted data.
UF Property Surplus provides campus with secure media disposal services. They have two drop-off locations, at Building 811 off of Elmore Drive and at the UFIT Help Desk in the Hub. Faculty and staff who have questions about working with or properly disposing of restricted data are welcome to email UF’s Information Security Office.
Just in time for the new academic year! UF’s Information Security Office has updated its mandatory annual training. Faculty and staff will receive an email reminder on the one-year anniversary of their previous training completion date, but can take the training any time. There are six modules in the training and they take approximately 35-45 minutes to complete. Visit this page to take the training.
The number one cause for compromised GatorLink accounts is when a student, faculty, or staff member opens and responds to a phishing email.
Students can take the phishing module that’s part of the full training. The stand-alone phishing module is a great way to become better informed about how cyber-criminals operate. Now that you’ll be interacting with campus departments and faculty (whom cyber-criminals will try to impersonate), students are strongly encouraged to learn how phishing works. Students can find the link to the phishing module training in the ONE.UF menu. The 15-20 minutes you invest in taking the phishing training can pay off in a big way when you learn how to spot and report malicious emails, instead of opening one and inadvertently bringing a world of hurt on yourself…and potentially your university.
Malware attacks against higher education increased by 26% last year. With a reported 191+ million malware attacks in 2022 in the state of Florida alone, cyber-awareness is as important on college campuses as writing skills and advanced math knowledge. Cybercriminals frequently target universities through malware attacks to steal sensitive and restricted data, such as student and employee social security numbers, protected health information, and credit card information. Malware is malicious software or code that steals, encrypts, and/or deletes sensitive information after being introduced to a device through phishing emails, compromised flash drives, fraudulent websites, and peer-to-peer file sharing sites. According to SonicWall, the 10 most common malware file names are:
1. purchase order.exe
4. swift copy.exe
7. payment copy.exe
8. ziraat bankasi swift mesaji.exe
9. shipping documents.exe
10. new order.exe
If you receive what you think is a suspicious email or an email with one of these .exe files attached, do NOT open, reply, or click any embedded links or files. Report suspicious emails received in your GatorMail inbox using the phish alert button. Faculty, students, and staff can become better cyber equipped by taking the free training available through the UF Information Security Office.
Have you ever wondered what happens to all the outdated tech devices that you throw away? When disposed of incorrectly, the old phones, tablets, laptops, and other gadgets you’ve replaced contribute to a growing problem: tech waste.
The World Health Organization reports 53.6 million tons of tech waste was generated in 2019. By 2030 it is estimated the annual amount will increase to 74.7 million tons! Tech waste can release hazardous chemicals into the environment, causing air, soil, and water pollution. The report also notes these chemicals, such as lead, mercury, and cadmium, can pose a significant risk to human health, including cancer and neurological damage.
There are safe ways to properly dispose of tech waste, such as donating, selling, recycling, or taking electronic devices to specific drop-off locations for e-waste. The City of Gainesville offers free appointments for large-sized electronic item collection. Smaller items can be dropped off at the Alachua County Household Hazardous Waste Collection Center. For campus departments and faculty, students, and staff, UF Property Surplus manages a secure disposal service of electronic media and electronic waste. Contact UF Surplus for service particulars: https://www.fa.ufl.edu/directives/electronic-media-disposal/.
Let’s work to e-rase our e-waste, Gators!
Social media is an essential part of our daily routine, but it also exposes users to cyberthreats. Hackers can access personal information through tactics like creating fake login pages, impersonating brand representatives, pretending to be a hiring manager, or even posing as a good friend to trick us into providing login information. Hackers also exploit vulnerabilities such as data breaches, weak passwords, and outdated software. A July 2022 NordVPN story revealed 37% of Americans surveyed have had a social media account hacked.
Social media platforms send alerts when login information is changed. If you receive an alert for an unrecognized change, change your password immediately. If you can’t access your account, contact the platform’s customer support and be ready to provide proof of ownership, like a valid state-issued ID.
Always allow software, app, and system security updates to run on your devices, Gators! Adding multi-factor authentication (MFA) to social media also strengthens your accounts’ security. (It’s a good idea to add MFA to all your online accounts, especially ones that store personal information and payment information.) Create different passwords for each platform and don’t use GatorLink credentials (e.g., your UF email and password) on any social accounts. Check out UFIT’s tips for using MFA and social engineering website to learn how scammers try to separate you from your money, accounts, and identity.
Scammers use peer-to-peer (P2P) payment apps like Cash App, Zelle, and Venmo to steal money. According to the Pew Research Center, 10% of P2P app users have been scammed. P2P apps allow users to easily send money with a phone tap. But if it’s convenient for you, it’s also convenient for scammers.
Vishing or smishing is often used to initiate P2P scams. For example, a scammer may impersonate a bank representative in a call or text to a victim about a “suspicious transaction” on their Zelle account. The scammer will request the victim’s bank login information to resolve the concern but will use the information to steal money. A bank representative will never ask for your username and password to access your account. Stay cyber-secure by only sending money to people you know, and double-checking you are sending money to the correct name, phone number, and username. Also, you should only use a credit card for transactions with strangers, because credit cards have fraud protection. And Gators, make sure to allow app updates (or install them when they become available on your device) for the latest security enhancements, like multi-factor authentication updates and app safety features.
Learn to protect yourself online by becoming more cyber-aware. Schedule a ½ hour to take the Information Security Awareness training at https://security.ufl.edu/resources/training/information-security-training/ today.
Restricted data refers to data collected, maintained, or managed by the university or through any university activities that are restricted by special protections from federal or state laws, regulatory mandates, or contractual obligations. Improperly working with, storing of, or transmitting restricted data could result in the revocation of research certifications, university business partnerships, and federal and state grants. In addition to the legal liabilities and financial obligations placed on individual employees and the university, a breach or misuse of restricted data would negatively impact UF’s reputation.
Types of restricted data are listed here. They include, but are not limited to, student records (FERPA), protected health information (HIPAA), Social Security numbers and credit card information, and export controlled data (ITAR).
All faculty and staff are required to annually complete the Information Security Awareness training, which includes a section on working with restricted data. UF’s Mobile Computing and Storage Devices Policy explains security and encryption standards required for devices operating with restricted data. UFIT’s Integrated Risk Management team is available to help clarify data classifications and the technologies and tools cleared for use with restricted data. Anyone in the UF community with questions is welcome to email email@example.com.
Responses provided by the ChatGPT application can save time, but beware: the data you input or ask the app to develop may be retained and provided as responses to other users. ChatGPT users have very limited control over its use of the data provided to the app, and its parent company, OpenAI, does not currently offer a process to amend or delete entries submitted. UF’s Privacy Office and the UF Information Security Office want everyone in the Gator community to understand that putting data into ChatGPT or a similar service is equivalent to disclosing the data to the public.
ChatGPT is currently being assessed for regulatory concerns related to privacy and confidentiality of data. University of Florida data classified as sensitive or restricted is not approved for use with ChatGPT. Sensitive and restricted data includes:
• Social Security Numbers
• Education Records
• Employee Data
• Credit Card Numbers
• Protected Health Information
• Human Subject Research Data
• Unpublished Research Data
• Personally Identifiable Information
An assessment of ChatGPT has been added to the university’s technology solutions website: https://irm.ufl.edu/fast-path-solutions/items/chatgpt.html. Remember that all faculty, staff, and students share the responsibility of keeping UF information secure. Visit the Office of Privacy website for additional information on using ChatGPT.