Progress update: U of T’s SAT project reaches milestone, expands to phase three

On March 21, the Security Awareness and Training Foundations (SATF) project celebrated a significant milestone by recognizing the first 20 units to join and the first 50 users who successfully completed onboarding training in phase two, commending their collective effort in driving the project’s success.

The hybrid event, attended by unit representatives, unit administrators, users and members from ITS, including senior leadership, had over 50 attendees. The units were awarded plaques for their commitment to building a more secure and resilient community. The winners also received branded t-shirts and other materials as part of the event.

Collage of photos from SATP phase 2 celebration

Currently, there are over 7,000 users from tri-campus units onboarded onto the training platform. The project is moving on to phase three, scheduled to run from April 2024 to March 2025. This phase marks a pivotal moment as the project expands its scope to include faculty members alongside staff and librarians.

In phase three, all units across the U of T tri-campus community are invited to join the project.

For more information about the project, visit the SATF web page or contact the project team.

Strengthening security awareness: Inviting appointed staff to lead the way

In June 2023, the University launched the Security Awareness Training (SAT) Foundations project as part of the broader Security Awareness and Training Program (SATP).

Co-led by Raphaelle Gauriau, Manager, Information Security Strategic Execution, ITS and John Stewart, Information Security Program Manager, I&ITS, U of T Scarborough, the project aims to provide U of T staff, librarians and faculty with baseline training to help improve their knowledge about essential information security topics and threats.

“In an ever-evolving digital landscape, equipping ourselves with the right tools and knowledge is important to keeping our people, data and systems secure and safe. We are hoping the U of T community will join us in this journey to collectively strengthen our digital resilience,” said Raphaelle.

Following the successful launch of phase one, the team is now inviting all tri-campus units to participate in phase two of the project. During this phase, appointed staff from participating units may be onboarded to the project.

Phase two will run from September 2023 to March 2024.

By engaging in phase two, units will have access to comprehensive training modules, thoughtfully designed to be both engaging and informative. These modules cover a wide range of topics, from identifying phishing attempts to safeguarding sensitive data.

The first 20 units to join the program and the first 50 participants to complete the training will have an opportunity to win exciting prizes.

“We are excited to extend the SAT Foundations project to all tri-campus units. Information security is a collective responsibility and by empowering individuals with baseline training, we can collectively build a more secure digital future,” expressed John.

How can units join the project?

Interested units can reach out to Ben Akhirevbulu, Project Manager.

For more information, visit the SAT Foundations web page.

Beware of MFA fatigue

Scammers use social engineering tactics to gain access to organizational systems and cause data breaches. One tactic that has increased recently is MFA fatigue, which overwhelms users with continuous MFA notifications (such as the UTORMFA Duo Mobile prompts) until they approve the login request to stop the surge of notifications being sent to their devices.

How to protect yourself from MFA fatigue

  1. If you receive a Duo Mobile push notification for UTORMFA or other MFA-enabled accounts that you did not initiate, do not approve the request.
  2. Immediately change your UTORid password and contact the IT Helpdesk for additional recommendations.
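
For teams that review authentication logs, the pattern described above (a run of unanswered or denied pushes, sometimes ending in an approval) can be flagged with a simple sliding-window check. This is an added example, not U of T or Duo code: the event format, the sample events and the window and threshold values are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real Duo or UTORMFA log output.
# Assumed fields: ISO 8601 timestamp, user ID, push result.
SAMPLE_EVENTS = [
    ("2024-03-04T02:10:05", "user_a", "denied"),
    ("2024-03-04T02:10:40", "user_a", "timeout"),
    ("2024-03-04T02:11:15", "user_a", "denied"),
    ("2024-03-04T02:12:02", "user_a", "timeout"),
    ("2024-03-04T02:12:50", "user_a", "denied"),
    ("2024-03-04T02:13:30", "user_a", "approved"),  # approval right after a burst
    ("2024-03-04T09:00:00", "user_b", "approved"),  # normal sign-in
    ("2024-03-04T09:30:00", "user_b", "timeout"),   # one missed prompt
    ("2024-03-04T09:30:20", "user_b", "approved"),
    ("2024-03-04T14:00:00", "user_c", "denied"),
    ("2024-03-04T14:00:30", "user_c", "denied"),
    ("2024-03-04T14:01:00", "user_c", "denied"),
    ("2024-03-04T14:01:30", "user_c", "denied"),
    ("2024-03-04T14:02:00", "user_c", "denied"),    # burst, never approved
]


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users with `threshold` or more unapproved pushes inside `window`.

    Returns {user: {"max_burst": int, "approved_after_burst": bool}}.
    An approval that follows a burst is the case to escalate first:
    the account password should be changed and the sign-in reviewed.
    """
    per_user = defaultdict(list)
    for ts, user, result in events:
        per_user[user].append((datetime.fromisoformat(ts), result))

    findings = {}
    for user, rows in per_user.items():
        rows.sort()
        recent = deque()  # timestamps of unapproved pushes still inside the window
        max_burst = 0
        approved_after_burst = False
        for when, result in rows:
            # Drop pushes that have aged out of the window.
            while recent and when - recent[0] > window:
                recent.popleft()
            if result == "approved":
                if len(recent) >= threshold:
                    approved_after_burst = True
                recent.clear()  # a successful sign-in ends the current run
            else:
                recent.append(when)
                max_burst = max(max_burst, len(recent))
        if max_burst >= threshold:
            findings[user] = {
                "max_burst": max_burst,
                "approved_after_burst": approved_after_burst,
            }
    return findings


if __name__ == "__main__":
    for user, info in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(user, info)
```
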


Protect yourself from tax-related scams

Canadians lose millions of dollars in various scams and fraud every year, according to the Canadian Anti-Fraud Centre.

A tax-related scam is when a fraudster poses as an authority figure, usually as a CRA or Service Canada agent, to try to scare people into complying with their demands. These scams are designed to frighten people into engaging with the fraudster to make payments via money service businesses, pre‐paid cards, gift cards or Bitcoin.

Check out the infographic below to learn more about tax scams and how you can protect yourself and your loved ones.

Infographic with tips for protection from tax-related scams

Content of the infographic: Tax scam awareness tips

Use this guide to identify tax scams and learn how to protect yourself.

How do tax scams work?

  • A scammer contacts you claiming to be a government official and states that you have:
    1. A compromised Social Insurance Number (SIN)
    2. Committed financial crimes
    3. Outstanding cases against you
  • The scammer threatens you that if you don’t speak with them immediately, you will be arrested, fined or even deported from Canada.
  • The scammer then requests personal information or payments through various financial services.

How can I protect myself from tax scams?

  • If you received a suspicious email relating to the CRA or tax filing, follow the steps to identify a phishing email and report it immediately to report.phishing@utoronto.ca.
  • If you are concerned that you may have shared your personal information with a scammer, the CRA advises you to contact the police immediately.
  • Stay aware of tax-related communications by phone, mail, text message or email. Don’t give out personal information, including financial information or login credentials to unidentified personnel.
  • When in doubt, always log in to your CRA account through a trusted browser or call CRA’s Individual Income Tax Enquiries line at 1-800-959-8281.

Visit the CRA scam prevention website for more tips.

View the infographic in higher-resolution.

Visit the Security Matters website to learn more about how to protect yourself online.


Information Security and FIPPO informs U of T community how to protect student information

On Jan. 25, over 370 University of Toronto staff and faculty from across the tri-campus community gathered online for a virtual panel event to learn how to protect students’ information and reduce the risk of data compromise or loss. The event was hosted by Information Security and the Freedom of Information and Protection of Privacy Office (FIPPO) as part of the Data Privacy Day campaign.

Isaac Straley, Chief Information Security Officer and Rafael Eskenazi, Director, FIPPO provided practical tips for protecting information and resources available at the University to support faculty and staff in meeting their responsibilities.

“Data Privacy Day acts as a reminder to educate ourselves more about who has access to our personal information and how it is being used. U of T has many resources available to inform and educate our community about protecting information and security. We hope this event provides an excellent opportunity to take stock of and evaluate both personal and institutional security and privacy,” said Isaac Straley, CISO.

The event began with a joint presentation by Isaac and Rafael and was followed by a lively Q and A session where attendees were provided with information and resources related to data classification, remote working, importance of reporting privacy breaches and more.

“Protecting any data or identifiable information is crucial for safety and for security reasons. I’m glad to be a part of this event to help our community understand what they need to do to prevent privacy problems, handle personal and confidential information safely, securely and legally,” said Rafael Eskenazi, Director, FIPPO.

Key takeaways from the event:

  1. If you work closely with personal information (students, staff or faculty), remember to only share it with individuals who need it for official University duties.
  2. The University uses a multi-level scheme to classify data according to their sensitivity. These classifications help you identify what kind of security and sharing is possible with each type of data. Learn more about data classification.
  3. Keep your computer and digital systems updated by following the University’s IT guidance and use only secure, approved University systems.
  4. Enrol in multi-factor authentication services such as UTORMFA and familiarize yourself with the remote work guidelines and FIPPO remote work guidance while working remotely.
  5. The University has a comprehensive tiered privacy breach protocol, which it will engage immediately in case of privacy breaches. If you become aware of or think that there might be a possible privacy issue, report it immediately to FIPPO, your manager or the Freedom of Information Law (FOIL) office.

Visit the Security Matters website to learn more about protecting yourself online and your data.

Additional resources

  • For more information on how to protect your data, contact FIPPO.
  • For questions about information security, contact us at security@utoronto.ca.

Cyber Security Month 2022 recap: U of T community learns how to stay “Secure Together”

Cyber Security Month is an international campaign held every October to highlight the importance of information security and help Canadians understand how to stay safe online.

Cyber Security Month 2022 at the University of Toronto was hosted by the Information Security team, in partnership with Education, Awareness & Culture. This year’s campaign offered the community virtual and in-person events and educational resources on how to protect ourselves and the University against top information security threats.

“Cyber Security Month is celebrated every year at U of T to educate the tri-campus community about the importance of information safety. Continuing our efforts to create a security aware culture, the main objective of this year’s campaign was to remind everyone about the information security resources available to the community,” says Kalyani Khati, Associate Director, Information Security Strategic Initiatives. “We are happy that this was a successful campaign. This year was especially exciting as we were able to host both in-person and virtual events.”

The Cyber Security Month 2022 campaign page gained a total of 527 views over the month. Engagement (likes, re-tweets, clicks, follows etc.) with Cyber Security Month content on CyberAware social media channels also increased from last year, by 10 per cent on Twitter and 80 per cent on Instagram. The increase in engagement helped us to reach and educate a broader audience about information security.

Cyber Security Month 2022 events

As a prelude to Cyber Security Month, the Information Security team partnered with the Ministry of Public and Business Service Delivery to host a hybrid panel event called “Securing your Future: Bridging the Cyber Security Talent Gap”. Post-secondary students from across Ontario heard from experts about how to break into the industry, with or without technical education or experience. Read more about the event.

Cyber Security Month 2022 hybrid panel event collage

Along with the hybrid panel event, U of T hosted Coffee with the CISO events for staff, faculty and students. There was a 92 per cent increase in this year’s event attendance from 2021.

The Coffee with the CISO event for staff and faculty was held virtually and welcomed 54 attendees. Isaac Straley, CISO discussed the potential cyber security risks for U of T and the recommended approach to addressing them.

Virtual Coffee with the CISO group photo

The Coffee with the CISO events for students were held in person at the UTM and UTSC campuses and were attended by 28 students. The events provided a great opportunity for the students to learn more about information security, gain insights about careers in the industry and engage with various members of the information security team at U of T.

When asked about building experience in the field of information security, Isaac said, “Capture the flag exercises are a good way to gain practical experience to prepare for a career in information security. These exercises help to demonstrate your ability to practice security and react to ‘real world’ scenarios.”

Coffee with the CISO at UTSC mingling session

UTM Coffee with the CISO event

Attendees who provided feedback via the post-event survey indicated that they gained valuable insights about information security, careers in the industry, and how factors like experience and trust are key for this field.

Cyber Security Month 2022 was yet another successful campaign that provided U of T staff, faculty and students with many opportunities to learn how to stay safe online. Let’s remember to stay “Secure together” year-round.

Visit our 2022 campaign resources webpage for information that will help you to stay safe and secure online. Don’t forget to visit the Security Matters website regularly for more information security news.

Phishing 101: Spot, report and prevent

Some people may wonder how much damage an email can cause, but did you know that around 90 per cent of cyber incidents occur as a result of a successful phishing attack?

With increased reports of cyber attacks around the world, it’s important to know what to do in the event of a phishing attack. Use this quick guide to learn how to protect yourself.

What is phishing?

Phishing is a form of social engineering used by cyber criminals to trick individuals into clicking a malicious link, downloading malware or sharing sensitive information. Generally, the messages are convincingly disguised to appear legitimate.

Received a suspicious email? Pause to think before you act.

If you receive a suspicious email, ask yourself these questions before you engage with it:

  1. Does this message make sense?
  2. Why am I receiving this email?
  3. Does the tone seem unnecessarily rushed or urgent?
  4. Am I being asked to download an attachment or click on an unknown link?
  5. Am I being asked for information that is personal or sensitive?

If your answers don’t clear your suspicions, then report the email immediately. Learn more about how to identify and report a phishing attempt.

What to do if you suspect an email to be a phishing attempt

  1. Do not interact with the sender. Do not click on links, download attachments, provide personal information or forward it to your contacts.
  2. If in doubt, call or ask the sender in person to confirm if the email is really from them.
  3. Report the email to report.phishing@utoronto.ca and then delete it from your inbox.
  4. If you already engaged with the sender or clicked on a link or attachment, please contact security.response@utoronto.ca immediately for assistance.

How can you prevent future phishing attacks?

Hackers frequently steal login credentials to access email accounts. These compromised accounts are then used to send phishing emails to other unsuspecting individuals. Protect your online accounts to prevent this from happening:

  1. Use multi-factor authentication (MFA) for your online accounts. Enrol in UTORMFA, U of T’s multi-factor authentication solution, to add an extra layer of protection to your U of T online accounts.
  2. Create unique and strong passwords for your online accounts.

Keep an eye out for these common types of phishing:

  1. Email phishing: Fraudulent emails designed to manipulate individuals into revealing sensitive information or taking other harmful actions.
  2. Spear phishing: Fraudulent emails targeting a specific group or individual in an organization.
  3. Whaling: Fraudulent emails targeting senior executives at an organization.
  4. Smishing: Phishing messages sent via SMS.

Check out the Phish Bowl for examples of actual phishing emails received by members of the U of T community.

Visit the Security Matters website regularly to learn more about information security and online safety.

Four online safety tips for students going back to school

A new school year is just around the corner! While this is an exciting time for students, it’s also prime time for malicious actors to take advantage of unsuspecting students.

Review these simple and effective tips to help you stay safe online and protect yourself, your data and the University.

Infographic explaining four ways to stay safe online this school season

View the image in a higher resolution.

Resources to protect yourself online:

  1. Protect your online accounts.
    Safe password practices.
  2. Enrol in UTORMFA.
    UTORMFA is the University of Toronto’s multi-factor authentication solution.
  3. Protect yourself against fraud.
    Tips for identifying and reporting a phishing attempt.
  4. Protect your devices.
    Protect yourself against malware.

Visit the Security Matters website regularly to learn more about online safety tips and resources.

Smishing campaigns target Rogers subscribers

Following the nation-wide Rogers outage on July 8, there have been reports of smishing (SMS phishing) campaigns targeting Rogers customers.

CTV News recently reported smishing campaigns asking Rogers customers to click on malicious links to receive a service disruption refund. An example of this is a message that a Twitter user received asking him to click on an unknown link to receive $50 credit.

Rogers has stated that the company doesn’t require any action from its subscribers and will auto-refund a portion of their bill to their account. They have also urged subscribers to forward the suspicious text messages to 7726 (SPAM).

What to do if you receive a suspicious email or text message:

  • Do not click the link, provide personal information, open the attachment, send SMS or forward the email to your contacts.
  • Forward the email to report.phishing@utoronto.ca and then delete it from your inbox.
  • If you already engaged with the email, please contact security.response@utoronto.ca immediately for assistance.
  • Visit the Security Matters website regularly to stay updated and aware about online safety.


Information security news roundup: Ransomware on the rise in Canada

Cyber attacks have increased at an alarming rate with the current geo-political situation being a major contributing factor. The National Cyber Threat Assessment 2020 published by The Centre for Cyber Security suggested a potential increase across Canada in cyber crimes, ransomware and commercial espionage — particularly against businesses, academic institutions and governments to steal intellectual property and proprietary information.

Let’s look back at some interesting information security and ransomware related news in recent months.

Two Canadian Universities hit by cyber attacks

Simon Fraser University and Lakehead University reported that they were hit by cyber attacks in February. Although the universities did not confirm whether it was a ransomware attack, they advised students and staff to monitor their accounts, change their passwords and enrol in multi-factor authentication (MFA).

Data breaches can result in the loss of personal, institutional and other sensitive information. Learn how to enrol in MFA to add an additional layer of security to your online accounts.

Hackers getting clever with phishing emails

It is often said that hackers stay one step ahead of you by constantly changing their tactics. In a recent blog post by Mount Royal University, it was reported that phishing emails with fake invoices from MasterClass (an online educational platform) were sent to the university community and hackers asked recipients to respond with their credit card information for a refund.

Often, phishing emails are made to look like they are from a legitimate source, which can lead recipients to respond, causing further damage. Check out the Phish Bowl for examples of phishing emails received by members of the University of Toronto (U of T) community to help you identify and report suspicious emails.

Ransomware attacks increasing at an alarming rate in Canada

A recent article published by MaRS explained how ransomware attacks have been increasing in Canada with small businesses losing up to billions to cyber attacks. In fact, a survey done by the Canadian Internet Registration Authority (CIRA) also found that nearly 70 per cent of Canadian organizations that experienced ransomware paid the hackers to regain access to their data.

Last year, U of T launched a ransomware awareness campaign called Expect Ransomware to provide the community with resources, tips and tools to protect their accounts and to stay secure online.

Ransomware is an ongoing and evolving cyber threat. Stay tuned for the Expect Ransomware 2.0 campaign launching soon that will provide you with updated resources, tips and tools to protect yourself and your loved ones online.

Federal government may make reporting cyber attacks mandatory

Public Safety Minister Marco Mendicino has said that the federal government might make it mandatory for Canadian businesses and organizations to report cyber attacks. Mendicino also emphasized that the current geo-political situation has increased the threat of cyber attacks.

Staying safe and secure online can be done through simple but effective steps. Explore the educational resources on the Security Matters website to learn how to stay secure online.

Bonus read: Isaac Straley, U of T’s Chief Information Security Officer has called for a revamp of the national cyber security strategy in an op-ed published in The Hill Times.