"The message we want to keep sharing with students and employees is that we will never ask for your password and we will never call or text you asking for your security code," said Rich Tener, director of information security for Information Technology Services (ITS).
Like the email phishing attack this summer or job scams offering students $500 per week to be a personal assistant, hackers are constantly coming up with new schemes to steal personal information. Regularly updating your device's software, having a strong password and being skeptical when a message or call seems a little off can help keep your information safe on the web.
Prioritize protection
That software update your computer won't stop notifying you about? Turns out, it's pretty important for the security of your device.
"There are vulnerabilities in every piece of software. When the vendor fixes a problem or a security issue and an update becomes available, you should install it as soon as you can," Tener said. "It's a constant cycle of vulnerabilities being found and the vendor fixing them and providing updates for users to install."
Hackers sometimes find the vulnerability first and exploit it for financial gain. Tener said some groups will use ransomware to deny people access to their own data unless they pay for it.
"It's like someone comes into your house with a safe, puts your important stuff in it, locks it and leaves. They basically want you to pay for the code to the safe to get your data back, but also pay them not to leak it," Tener said. "We can't trust hackers, so in this situation, we would consider the data lost and notify affected individuals that they were part of a data breach."
Keeping your data safe starts with a password that's strong and not used for multiple sites. Tener said reusing passwords is a common practice because it's difficult to remember more than a few passwords, especially if the passwords are complex. He recommended using a password manager -- a highly encrypted online password storage tool -- to keep track. If you're not comfortable using an online password manager, writing them down can be just as effective -- just make sure not to lose your list or leave it out for the world to see.
Resources
- Report email scams - Quick tips from ITS on how to report a suspicious email
- Secure your devices - An ISU Service Portal guide to securing your devices
- Wellmark IDX - ISU employees with Wellmark health insurance have access to IDX, Wellmark's identity protection services. Members need their Wellmark ID and enrollment code 4170999624 to sign up.
- Employee Assistance Program (EAP) - ISU's EAP includes identity theft resolution services where employees can receive assistance from a certified fraud resolution specialist or licensed attorney.
Passwords matter
Creating a strong password requires complexity and length, though you can trade one for the other -- a longer password may not need to be as complex and a complex password can be shorter. It all comes down to making your password hard to guess, Tener said.
"You're going to need to remember at least one password -- for instance, the password to your password manager or your primary email address. So what I would do is come up with something memorable like a phrase," he said. "Choose something from a poem or TV show you like and maybe even change some of the vowels to numbers to keep things interesting."
For those whose creative juices don't flow quite as freely, there's Diceware -- a password creation method based on using dice as a random number generator. Diceware tools can generate random words to create passwords and ensure that the words are unrelated and unlikely to be guessed in conjunction with each other.
"There have been statistical analyses done to make sure the words aren't related," Tener said. "I often use a Diceware tool to generate answers to security questions or create long phrases for passwords."
Tener said the password associated with your Net-ID is primarily entered in two places -- the Sign On Dashboard and eduroam, the wireless network on campus. If you get an email with a link to a website asking for your password and it's not login.iastate.edu, don't put it in. If you enter your password and then realize the site or form might not be legitimate, don't respond to calls or texts asking for your security code.
In the age of major data breaches and routinely lost devices, phishing attacks like this might not seem like emergencies. But Tener said the same techniques could be used by hackers committing cyberattacks on behalf of a foreign government to target faculty and researchers in an attempt to steal intellectual property.
"If you receive a text asking for your security code, chances are they already have your password. You should contact the ITS security team to let us know and get assistance changing your password,” Tener said. "People are getting more savvy to scams and if at least one person reports it, we can let affected departments or students know it was fake."
Consider confidentiality
A healthy dose of skepticism also is important in using chatbots powered by artificial intelligence (AI) such as ChatGPT. Tener recommended looking closely at the privacy policy and terms of services of AI chatbots to see how they will be using your data.
"Whatever you put into an AI chatbot isn't really yours anymore. You're sharing it with the site and the company can use the information for whatever they want," he said.
Tener also cautioned employees from downloading confidential university information -- like student or employee data -- on their personal devices. ITS has no control over personal laptops or phones, and that means they can't protect them.
"It's OK to answer work emails on your personal device, but don't download a whole Excel file with student IDs, names, grades or information like that," he said. "We don't want a data breach because someone didn't update their software or secure their device."
For assistance
If you received an email that looks phishy, click the Report Phishing button in Outlook. Tener said there's a misconception that the report button in Outlook only sends reports to Microsoft, but he confirmed that the ITS security team also receives the report.
For any other cybersecurity concerns or questions, send an email. Tener said this is the most direct line to the team, though reaching out to the IT Solution Center is another option.