Security Awareness Training
As you probably noticed, in August 2018 the college suffered a torrent of phishing messages. By the time it subsided over 40 faculty and staff had compromised their credentials when they fell for phishing email. The first compromised accounts were used to spam the campus (and the world) to try to snare more accounts. Many of those compromised accounts immediately had the contents of their mailboxes downloaded to the far corners of the globe (they want your mailbox for the goodies that may be hidden in there - read on.)
In reviewing the data that was stolen for the required NYS Breach Report, we have (so far) turned up no fewer than seven SSNs and three credit card numbers, along with an astonishing variety of sensitive personal documents. By law we must report the theft of this personally identifiable information (PII) to NYS and to the victims themselves.
In addition, just last week we saw an example of what was clearly “spear phishing” where an attacker attempted to manipulate two specific individuals on campus. Thankfully, an attentive staff member spotted the ruse.
Protect yourself - clean out your mailbox - and treat it like the mailbox outside your front door. Important stuff gets dropped off there, but you take it inside the house for safekeeping. You would never even think about storing your tax returns or mortgage papers in the mailbox outside your front door - treat your email mailbox the same way. Your email account is often where your online banking and online shopping accounts are homed - and it can be used to reset those passwords and gain access to those financial accounts.
It is not hyperbole when I say that the security and privacy of our online information is under greater threat than ever before. It is our individual and collective responsibility to safeguard our faculty, staff, and students’ personal, private and sensitive information that is contained in Purchase College computer systems.
So what can you do?
New York State and SUNY mandate that all employees undergo annual Security Awareness training. We use the “Securing the Human” online training program, which is updated every year. The new 2018-2019 training materials have now been loaded and are ready for you to begin and complete the training.
You may think you are computer-savvy enough that you would never fall for phishing - but don’t kid yourself - so did those 40 unfortunate account holders who did fall for them. The fact is they are getting better and better at phishing, and not all are obvious fakes. While this training alone cannot protect you, a reminder of what to watch out for doesn’t hurt.
Wait for an email message generated by the SANS system inviting you to begin. You will receive that message later today. As several folks with sharp eyes pointed out last year, the message does not come from my normal Purchase College email address, but the message is legitimate, it originates from the SANS system and the “noreply” portion cannot be changed.
The “begin” message comes from the source address ”William.Junor firstname.lastname@example.org.”
The subject line is “Welcome to Purchase College Security Awareness Training - Please Begin.”
You may also use this link to begin the training: https://sso.securingthehuman.org/suny
The link to the training system also appears in the “Quick Links” section of the Faculty/Staff Portal page. Please make sure to visit regularly and make your way through all of the materials.
The training consists of interactive videos designed to improve awareness of information security threats, and increase the likelihood that we will recognize those threats when we encounter them - online, on the phone, in person, or in the comfort of our homes. These short 2 to 5 minute videos cover topics from why you are a target to how to spot phishing to how properly secure your home computer and home network. Each video is followed by three multiple choice questions you answer to “Complete” that topic. Upon completion, the system will issue a Completion Certificate.
The training materials are refreshed in September of each year, with new topics added as appropriate. The total time required for the 21 “mandatory” videos is only an hour. There are an additional 4 “optional-recommended” videos totaling another 15 minutes, covering topics such as protecting your home network.
All employees are enrolled in this system. Please follow the link and access these training materials using your regular Purchase College credentials.
The system tracks your progress through the materials. Our goal is 100% completion by all faculty and staff. Unfortunately we fell well short of that mark last year.
If you have trouble accessing the system, please let the Help Desk know so we can straighten it out.
Protect yourself – complete the training - and think twice before you click.
Whether you completed the 2017 training last November or last month - or not at all - it’s time to begin again.