Cybersecurity is a priority for everyone working at the University of Nebraska. Cybersecurity threats are everywhere and are not unique to the university.
In advance of Cybersecurity Awareness Month in October, Heath Tuttle, chief information officer of University of Nebraska–Lincoln’s Information Technology Services, answered some questions about cybersecurity, common threats, and steps faculty, staff and students can take to help protect the campus community.
What are ITS’ priorities regarding cyber and IT security?
I first want to emphasize that security itself is a priority for everyone working in ITS, and we hope it’s a priority for all our students, faculty, and staff. Cybersecurity threats are everywhere and are not unique to our university. We have examples of other Big Ten institutions being impacted by cyberattacks. One such example is a ransomware attack at Michigan State in 2020, which carried a recovery cost of over $1 million for the department of physics and astronomy. A more recent example is a ransomware event which occurred at Purdue in July 2022. Purdue was operationally impacted by ransomware which took the affected college months to recover and still has an undetermined total cost. This malicious activity is real within the Big Ten, and we want to protect our community the best we can.
Our priorities when it comes to security are securing student information and records; protecting research; protecting financial data and business data; and protecting the university’s brand and reputation — all while ensuring strong business continuity. Have you ever gotten a notice from your bank, personal email provider, or your favorite online store that your credentials were compromised? This type of activity is not unique to those institutions. This is happening everywhere, and higher education institutions are also targets, so we need to work to protect the systems, services, and people here at UNL, just like your bank works to protect your money and you.
We’ve shared before in Nebraska Today about Executive Memorandum 16 – can you explain what EM 16 is and how it impacts the UNL community?
Executive Memorandum 16 is titled the Responsible Use of University Computers and Information Systems. This is our official policy on the use of electronic devices, software and information systems within the academic and employment settings of the university. This is a long-standing policy that hasn’t been updated for many years, so it was time to refresh the policy — a lot of the things that are in the refreshed policy have always been there.
The updated EM16 is the first step towards ensuring university data and the identities and intellectual property of faculty, staff and students are protected from the increased risk of cyberattacks.
We’re focusing on improvements to our security posture through training, securing our network and university endpoints, managing endpoints, securing our community members and making sure we are all doing the right thing to stay safe. Those types of things include utilizing tools in our email environment and using Duo multi-factor authentication. It means securing and managing all university owned endpoints. It means taking IT security training on an annual basis, so we all understand best practices to secure ourselves. And it means implementing anonymous, internal phishing campaigns. What this means for the community is that, over the next few years, you will continue to see changes to UNL processes that are meant to improve security for everyone at the university. Protecting ourselves from cybercrime is an ongoing process and updates to both training and operations will become a common occurrence.
Can you share more about what security training is available?
We have developed the Annual NU Information Security Fundamentals training, which is on the University of Nebraska Bridge platform and takes about 10 minutes to complete.
This training will be required annually for faculty and staff. This training is so important because it provides some technical tools to help you protect yourself and it asks you to think about your role in how you protect yourself. What do you do to make yourself more or less of a target for cyber criminals? What can you do differently on a day-to-day basis to protect yourself and your data?
ITS also offers customized training for teams/departments and we are happy to work with anyone to create training if they think it would be valuable. I would also like to mention there are numerous other training modules in Bridge under the IT Security catalog that may be of interest to an individual or a team. For example, you can currently get training on how to avoid phishing attacks or on safe web browsing. You can check that out by going to Bridge.
What are other ways UNL students, faculty and staff can protect themselves?
You must protect your TrueYou password because that password is a key to everything you need at UNL, and if someone else gets it, they could impersonate you. That means never sharing your password with others. And remember, ITS support will never ask you for your password. If you are ever asked for your password by any support person, that should be a huge red flag for you. If that happens, hang up or disconnect from that chat and call our Husker Help desk at 402-472-3970.
You can also protect yourself by using different passwords for your university accounts than you do for your personal accounts.
Another way to protect yourself is by following Duo best practices, like enabling push notifications to your mobile phone and making sure that you’re only approving Duo notifications that you initiated. If you receive a Duo Push/Call and you are not logging in, you will want to change your password immediately. When you Deny a DUO Push that you did not initiate, use the “Report fraudulent activity” button. The ITS Security team takes this action seriously and will always investigate fraudulent alerts on your behalf. Meeting the EM16 requirement of enrolling all university owned devices in the appropriate management system is key to ensuring that device itself is as secure as possible. This will make the recovery so much easier if that device is ever lost or stolen. There are numerous examples of university devices that were lost or stolen, and the fact that the device was managed saved us all time and money. Get your device managed!
There is also a tremendous cybersecurity benefit for the university community of students, faculty, and staff.You can download and install a free version of Cortex PREVENT for your personal devices. This is a highly recommended best practice. Cortex PREVENT helps protect your personal devices from malware and cyber threats. It can be downloaded here.
How do I get support when I think I have an IT security issue or when I have general IT support needs at the University of Nebraska?
If you have an immediate security question or need you can email the NU ITS Security team at security@nebraska.edu. You can also reach out to our HuskerTECH Help Center at 402- 472-3970 or email them at support@nebraska.edu
Do you have any words of advice for people who are concerned about cyber security?
- Read the policy
- Use Duo and any other tools available to protect your identity
- Complete your training and seek out opportunities to learn how to keep yourself and your data safe
- Have your devices managed
- Call for help