Progress update: U of T’s SAT project reaches milestone, expands to phase three

On March 21, the Security Awareness and Training Foundations (SATF) project celebrated a significant milestone by recognizing the first 20 units to join and the first 50 users who successfully completed onboarding training in phase two, commending their collective effort in driving the project’s success.

The hybrid event, attended by unit representatives, unit administrators, users and members from ITS, including senior leadership, had over 50 attendees. The units were awarded plaques for their commitment to building a more secure and resilient community. The winners also received branded t-shirts and other materials as part of the event.

Collage of photos from SATP phase 2 celebration

Currently, there are over 7,000 users from tri-campus units onboarded onto the training platform. The project is moving on to phase three, scheduled to run from April 2024 to March 2025. This phase marks a pivotal moment as the project expands its scope to include faculty members alongside staff and librarians.

In phase three, all units across the U of T tri-campus community are invited to join the project.

For more information about the project, visit the SATF web page or contact the project team.

Cyber Security Awareness Month 2023 campaign highlights

As part of Cyber Security Awareness Month 2023, the University of Toronto launched a month-long campaign to spread security awareness and bring the tri-campus community together to discuss security matters.

The theme of this year’s campaign revolved around the newly released Information Security strategy, with both virtual and in-person events focusing on the four information security strategic objectives. Check out this year’s highlights:

Cyber Security Awareness Month campaign web pages

The campaign and resources web pages acted as a one-stop shop, featuring information about the campaign, events and digital and educational resources, all geared towards promoting information security awareness. The pages gained a total of 640 views over the month of October.

Meet and greet: Information Security at U of T

On Oct. 17, more than 135 students visited the Information Security booth at Bahen Centre’s atrium. The booth offered games and giveaways to enhance students’ information security knowledge. Visitors engaged with the tri-campus Information Security team, including Chief Information Security Officer, Isaac Straley. The conversations ranged from online safety tips and privacy to cybersecurity careers and more.

Listening to researchers: Safeguarding data and intellectual property

On Oct. 12, the virtual event started with Professor Karl Zabjek discussing the intersection of data security and ethics and outlining a researcher’s daily challenges. The panelists discussed challenges in their areas caused by new technologies and new government policies/requirements, and highlighted where improvements in the support and facilitation of research can and should be made. Particular focus was placed on the essential role of collaboration in research and reducing risks within inter-institutional work.

Secure together: Addressing information security risks

On Oct. 26, the University’s information security experts discussed how they are addressing security risks and challenges within their areas. They talked about the role of information security strategic initiatives in furthering risk management goals, highlighting efforts such as the Information Security Risk Management Program, EndPoint Protection Program and the Security Awareness and Training Program.

Converging for excellence: Tri-campus Information Security collaboration

The final panel event on Oct. 31 focused on achieving excellence through collaboration and featured tri-campus panelists who talked about collaborating on security matters through various forums, including the Information Security Council and project steering committees. They highlighted collaborative initiatives, campus-wide efforts, and supportive tools like the IT@UofT Inclusive Language Guide.

The panel events had more than 130 attendees overall. Attendees indicated that they gained valuable insights about information security and encouraged more collaborative events that include multiple units for discussion.

Although CSAM 2023 has concluded, our shared responsibility for information security remains. We all play a part in protecting ourselves and the University from the risks of online threats. We are truly secure together.

Keep visiting the Security Matters website for more information security news and updates.

Beware of MFA fatigue

Scammers use social engineering tactics to gain access to organizational systems and cause data breaches. One tactic that has increased recently is MFA fatigue, which overwhelms users with continuous MFA notifications (such as the UTORMFA Duo Mobile prompts) until they approve the login request to stop the surge of notifications being sent to their devices.

How to protect yourself from MFA fatigue

  1. If you receive a Duo Mobile push notification for UTORMFA or other MFA-enabled accounts that you did not initiate, do not approve the request.
  2. Immediately change your UTORid password and contact the IT Helpdesk for additional recommendations.

Protect yourself from tax-related scams

Canadians lose millions of dollars in various scams and fraud every year, according to the Canadian Anti-Fraud Centre.

A tax-related scam is when a fraudster poses as an authority figure, usually as a CRA or Service Canada agent, to try to scare people into complying with their demands. These scams are designed to frighten people into engaging with the fraudster to make payments via money service businesses, pre‐paid cards, gift cards or Bitcoin.

Check out the infographic below to learn more about tax scams and how you can protect yourself and your loved ones.

Infographic with tips for protection from tax-related scams

Content of the infographic: Tax scam awareness tips

Use this guide to identify tax scams and learn how to protect yourself.

How do tax scams work?

  • A scammer contacts you claiming to be a government official and states that you have:
    1. A compromised Social Insurance Number (SIN)
    2. Committed financial crimes
    3. Outstanding cases against you
  • The scammer threatens you that if you don’t speak with them immediately, you will be arrested, fined or even deported from Canada.
  • The scammer then requests personal information or payments through various financial services.

How can I protect myself from tax scams?

  • If you received a suspicious email relating to the CRA or tax filing, follow the steps to identify a phishing email and report it immediately to
  • If you are concerned that you may have shared your personal information with a scammer, the CRA advises you to contact the police immediately.
  • Stay aware of tax-related communications by phone, mail, text message or email. Don’t give out personal information, including financial information or login credentials, to unidentified personnel.
  • When in doubt, always log in to your CRA account through a trusted browser or call CRA’s Individual Income Tax Enquiries line at 1-800-959-8281.

Visit the CRA scam prevention website for more tips.

View the infographic in higher-resolution.

Visit the Security Matters website to learn more about how to protect yourself online.


Information Security and FIPPO inform U of T community how to protect student information

On Jan. 25, over 370 University of Toronto staff and faculty from across the tri-campus community gathered online for a virtual panel event to learn how to protect students’ information and reduce the risk of data compromise or loss. The event was hosted by Information Security and Freedom of Information and Protection of Privacy Office (FIPPO) as part of the Data Privacy Day campaign.

Isaac Straley, Chief Information Security Officer and Rafael Eskenazi, Director, FIPPO provided practical tips for protecting information and resources available at the University to support faculty and staff in meeting their responsibilities.

“Data Privacy Day acts as a reminder to educate ourselves more about who has access to our personal information and how it is being used. U of T has many resources available to inform and educate our community about protecting information and security. We hope this event provides an excellent opportunity to take stock of and evaluate both personal and institutional security and privacy,” said Isaac Straley, CISO.

The event began with a joint presentation by Isaac and Rafael and was followed by a lively Q and A session where attendees were provided with information and resources related to data classification, remote working, the importance of reporting privacy breaches and more.

“Protecting any data or identifiable information is crucial for safety and for security reasons. I’m glad to be a part of this event to help our community understand what they need to do to prevent privacy problems, handle personal and confidential information safely, securely and legally,” said Rafael Eskenazi, Director, FIPPO.

Key takeaways from the event:

  1. If you work closely with personal information (students, staff or faculty), remember to only share it with individuals who need it for official University duties.
  2. The University uses a multi-level scheme to classify data according to their sensitivity. These classifications help you identify what kind of security and sharing is possible with each type of data. Learn more about data classification.
  3. Keep your computer and digital systems updated by following the University’s IT guidance and use only secure, approved University systems.
  4. Enrol in multi-factor authentication services such as UTORMFA and familiarize yourself with the remote work guidelines and FIPPO remote work guidance while working remotely.
  5. The University has a comprehensive tiered privacy breach protocol, which it will engage immediately in case of privacy breaches. If you become aware of or think that there might be a possible privacy issue, report it immediately to FIPPO, your manager or the Freedom of Information Law (FOIL) office.

Visit the Security Matters website to learn more about protecting yourself online and your data.

Additional resources

  • For more information on how to protect your data, contact FIPPO.
  • For questions about information security, contact us at

Cyber Security Month 2022 recap: U of T community learns how to stay “Secure Together”

Cyber Security Month is an international campaign held every October to highlight the importance of information security and help Canadians understand how to stay safe online.

Cyber Security Month 2022 at the University of Toronto was hosted by the Information Security team, in partnership with Education, Awareness & Culture. This year’s campaign offered the community virtual and in-person events and educational resources on how to protect ourselves and the University against top information security threats.

“Cyber Security Month is celebrated every year at U of T to educate the tri-campus community about the importance of information safety. Continuing our efforts to create a security aware culture, the main objective of this year’s campaign was to remind everyone about the information security resources available to the community,” says Kalyani Khati, Associate Director, Information Security Strategic Initiatives. “We are happy that this was a successful campaign. This year was especially exciting as we were able to host both in-person and virtual events.”

The Cyber Security Month 2022 campaign page gained a total of 527 views over the month. The engagement (likes, re-tweets, clicks, follows etc.) for Cyber Security Month content on CyberAware social media channels also saw an increase of 10 per cent on Twitter and 80 per cent on Instagram from last year. The increase in engagement helped us to reach and educate a broader audience about information security.

Cyber Security Month 2022 events

As a prelude to Cyber Security Month, the Information Security team partnered with the Ministry of Public and Business Service Delivery to host a hybrid panel event called “Securing your Future: Bridging the Cyber Security Talent Gap”. Post-secondary students from across Ontario heard from experts about how to break into the industry, with or without technical education or experience. Read more about the event.

Cyber Security Month 2022 hybrid panel event collage

Along with the hybrid panel event, U of T hosted Coffee with the CISO events for staff, faculty and students. There was a 92 per cent increase in this year’s event attendance from 2021.

The Coffee with the CISO event for staff and faculty was held virtually and welcomed 54 attendees. Isaac Straley, CISO discussed the potential cyber security risks for U of T and the recommended approach to addressing them.

Virtual Coffee with the CISO group photo

The Coffee with the CISO events for students were held in person at the UTM and UTSC campuses and were attended by 28 students. The events provided a great opportunity for the students to learn more about information security, gain insights about careers in the industry and engage with various members of the information security team at U of T.

When asked about building experience in the field of information security, Isaac said, “Capture the flag exercises are a good way to gain practical experience to prepare for a career in information security. These exercises help to demonstrate your ability to practice security and react to ‘real world’ scenarios.”

Coffee with the CISO at UTSC mingling session

UTM Coffee with the CISO event

Attendees who provided feedback via the post-event survey indicated that they gained valuable insights about information security, careers in the industry, and how factors like experience and trust are key for this field.

Cyber Security Month 2022 was yet another successful campaign that provided U of T staff, faculty and students with many opportunities to learn how to stay safe online. Let’s remember to stay “Secure together” year-round.

Visit our 2022 campaign resources webpage for information that will help you to stay safe and secure online. Don’t forget to visit the Security Matters website regularly for more information security news.

Smishing campaigns target Rogers subscribers

Following the nation-wide Rogers outage on July 8, there have been reports of smishing (SMS phishing) campaigns targeting Rogers customers.

CTV News recently reported smishing campaigns asking Rogers customers to click on malicious links to receive a service disruption refund. An example of this is a message that a Twitter user received asking him to click on an unknown link to receive $50 credit.

Rogers has stated that the company doesn’t require any action from its subscribers and will auto-refund a portion of their bill to their account. They have also urged subscribers to forward the suspicious text messages to 7726 (SPAM).

What to do if you receive a suspicious email or text message:

  • Do not click the link, provide personal information, open the attachment, send SMS or forward the email to your contacts.
  • Forward the email to and then delete it from your inbox.
  • If you already engaged with the email, please contact immediately for assistance.
  • Visit the Security Matters website regularly to stay updated and aware about online safety.

Secure U of T: New security features to safeguard Office 365 accounts

The University of Toronto recently implemented a series of essential protections to secure data and collaboration tools in Office 365 (O365) as part of advanced threat protection, a Secure U (of T) initiative. Efforts followed an accelerated timeline, as heightened security risks due to the current geo-political situation have amplified the need to enhance our security protections.

“These new security features protect O365 users against security threats such as impersonation attempts, malicious attachments and links in emails, documents and more. They also improve our ability to detect and prevent security threats,” said Kalyani Khati, Associate Director, Information Security Strategic Initiatives.

This initiative is a collaboration between Information Security and Enterprise Applications and Solutions Integration.

Visit for more information about the initiative.

Ransomware: An online menace

Ransomware is a type of malware that can lock users and organizations out of their data and infrastructure. Attackers then demand payment to restore access to the affected data and not expose it. Ransomware has an immense impact on any institution — from shutting down operations to losing years of research.

Ransomware has become one of the biggest cyber threats globally. In fact, a recent report shows that there was a 104 per cent surge in ransomware attacks last year in North America and a 105 per cent increase globally.

Many organizations are losing billions of dollars to these attacks, trying to regain access to their stolen data. According to a study by Telus, almost half of surveyed Canadian organizations that suffered a ransomware attack paid the hackers in hopes of getting their data back, and most of them did not regain access in the end.

How does ransomware affect the University of Toronto?

With the current geopolitical situation, it is likely that ransomware attacks could target the University and cause significant damage to the University and its community.

How can I protect myself and my data from ransomware?

Here are some resources to help you stay secure online and protect your data.

  1. Don’t click any links, download attachments or engage with the sender if you receive a suspicious email. Also, do not forward or share the email with your colleagues and other contacts.
  2. Ensure you set up unique and strong passwords for all your personal and professional accounts. Strong passwords are your first line of defence.
  3. Multi-factor authentication (MFA) adds an additional layer of security to your accounts. It also enables you to work remotely with confidence. Enrol in U of T’s UTORMFA to stay secure online.
  4. Make sure you back up your device and store the data where they are protected from access by others. If you lose your data due to a ransomware attack or a malicious person corrupts your data, your backups are critical for recovery.
  5. Report suspicious emails or computer activity to and then delete it from your inbox. If you have already clicked on a link or attachment, please contact

If you work with self-managed devices (home computers, laptops, phones, etc.) and access institutional data, ensure you secure your devices by taking the following steps:

  1. Use supported versions of operating systems.
  2. Patch and update the operating system and software/applications regularly (ideally automatically) to correct security vulnerabilities.
  3. Have fully enabled, automatically updating anti-virus software.
  4. Protect devices with a strong password and/or biometrics.

Visit the Ransomware Risk page for more information on how to prepare and protect data, devices and users.

Keep visiting the Security Matters website regularly for tips and information on how to stay secure online.
