How many of us have received an unusual email or text from a supervisor or colleague asking for private information? Or a message that doesn’t seem quite right urging us to update or reveal some very sensitive data?
At UCLA, it’s the job of Drake Chang, the campus’s chief information security officer, to help us all recognize the risks of these types of cyberattacks. Chang oversees IT security policies, ensuring that UCLA’s network and applications are safe, handling identity and access management, planning responses to cybersecurity incidents and recommending measures to protect sensitive information.
With national Cybersecurity Awareness Month beginning Oct. 1, Chang discussed the major threats to colleges and universities and how students, faculty and staff can protect themselves and UCLA against cybercriminals. He also talked about what his team is doing to mark the month, including a Tuesday, Oct. 1, event in Bruin Plaza providing tips on internet safety and some fun prizes.
Phishing and ransomware attacks
What are the most common cybersecurity threats that colleges and universities face today, and how can we protect ourselves against them?
Ransomware and phishing, including social engineering, are among the most common cybersecurity threats. Social engineering is a common form of phishing that involves deceiving individuals into revealing information by impersonating someone they trust, like a senior executive or colleague. Generative AI has made these phishing attempts more sophisticated, enabling cybercriminals to craft convincing messages quickly. This is a significant concern for our campuses and has led to cases such as direct deposit fraud at other UC campuses.
The most significant concern or threat facing colleges and universities is ransomware, a malicious form of software, or “malware,” designed to gain access to a computer system and encrypt users’ data or lock them out until a ransom is paid. When individuals or departments fall victim to ransomware, the impact on our organization can be substantial.
How can students, faculty and staff recognize phishing emails or social engineering and what should they do if they encounter one?
Be vigilant. If you suspect that you're receiving a phishing email or text, report it to our campus information security office. The easiest way to do that is by sending the email to security@ucla.edu before clicking on any links or opening any attachments. From there, an information security analyst on our team will review it and let you know if there is anything potentially malicious or threatening about that message.
People can also visit the UCLA Phish Bowl, which is regularly updated with examples of phishing campaigns that have been reported to the information security office.
As for how to potentially spot a phishing email or social engineering attack, there are a few indicators to look for. Oftentimes, information is being harvested to sell on the dark web or to coerce you into an action that provides immediate financial benefit, such as asking you to confirm your password or purchase a gift card with the promise of reimbursement. The messages are commonly poorly written with typos, vaguely or indirectly addressed, or contain a warning of some kind that requires an immediate response.
Things like multifactor authentication are important because they provide an extra layer of security, so even if you inadvertently fall for one form of social engineering or phishing, there are still other guardrails in place that can protect your identity, your account and institutional information.
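The warning signs listed in the answer above (requests to confirm a password or buy gift cards with a promise of reimbursement, vague greetings, demands for an immediate response, and a sender who impersonates a trusted colleague) can be turned into a simple triage check. The following is an added illustration, not code from the article or from UCLA's information security office. The trusted domain, the list of impersonated names and the three sample messages are constructed for the example; a real deployment would feed it messages reported to the security office. It does not attempt to detect typos or poor writing, which is left to the human reviewer.

```python
"""Toy phishing-indicator scorer built from the warning signs an awareness
article lists. Hypothetical organisation settings and constructed sample
messages only; not a production mail filter."""
import re
from dataclasses import dataclass
from typing import List

# Hypothetical settings (assumptions for the example, not a real configuration).
TRUSTED_DOMAINS = {"example.edu"}
# Display names of people an attacker might impersonate (constructed sample).
KNOWN_COLLEAGUES = {"jane doe", "provost office"}

# Indicator patterns. Each one maps to a warning sign from the article.
URGENCY = re.compile(
    r"\b(immediately|urgent\w*|within 24 hours|right away|asap|"
    r"account will be (closed|suspended))\b", re.I)
CREDENTIAL_REQUEST = re.compile(
    r"\b(confirm|verify|update|validate)\b.{0,40}\b(password|credentials|login)\b", re.I)
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
REIMBURSE = re.compile(r"\breimburs", re.I)
VAGUE_GREETING = re.compile(
    r"^\s*(dear\s+)?(user|customer|colleague|sir/madam|employee|staff member)\b",
    re.I | re.M)


@dataclass
class Message:
    from_name: str   # display name shown to the recipient
    from_addr: str   # actual sender address
    subject: str
    body: str


@dataclass
class Verdict:
    score: int
    reasons: List[str]


def sender_domain(addr: str) -> str:
    """Return the domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def score_message(msg: Message) -> Verdict:
    """Count which phishing indicators a message trips and explain each."""
    reasons = []
    if URGENCY.search(msg.subject) or URGENCY.search(msg.body):
        reasons.append("demands an immediate response")
    if CREDENTIAL_REQUEST.search(msg.body):
        reasons.append("asks you to confirm or verify a password or login")
    if GIFT_CARD.search(msg.body):
        note = "asks you to purchase gift cards"
        if REIMBURSE.search(msg.body):
            note += " with a promise of reimbursement"
        reasons.append(note)
    if VAGUE_GREETING.search(msg.body):
        reasons.append("vague or generic greeting")
    # Display name matches a known colleague but the address is outside
    # the organisation: the impersonation pattern the article describes.
    if (msg.from_name.strip().lower() in KNOWN_COLLEAGUES
            and sender_domain(msg.from_addr) not in TRUSTED_DOMAINS):
        reasons.append("display name impersonates a known colleague from an external address")
    return Verdict(len(reasons), reasons)


def triage(msg: Message, threshold: int = 2) -> str:
    """'report' means forward the message to the security office before acting on it."""
    return "report" if score_message(msg).score >= threshold else "ok"


# Constructed sample messages (not real reported phish).
SAMPLES = [
    Message("Jane Doe", "jane.doe@mail-example.com", "Quick task",
            "Hi, are you available? I need you to purchase 4 gift cards for a "
            "client right away. I will reimburse you. Jane"),
    Message("IT Help Desk", "helpdesk@secure-login.example", "Action required",
            "Dear user, your account will be suspended within 24 hours. "
            "Please confirm your password at the link below."),
    Message("Jane Doe", "jane.doe@example.edu", "Lunch",
            "Hi, lunch tomorrow at noon? Jane"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = score_message(m)
        print(f"{m.subject!r}: {triage(m)} (score {v.score})")
        for r in v.reasons:
            print("  -", r)
```

The score is deliberately a plain count of independent indicators, so a reader can see exactly which sign tripped; a legitimate message from a colleague's real address with no urgency or financial ask scores zero, while the two constructed phish each trip three indicators and are routed to "report".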
Password security and multifactor authentication
What are the best practices for creating and managing secure passwords, and how does multifactor authentication play a role in strengthening security?
First and foremost, it’s essential to create unique, strong passwords for every application or service you use. Aim for 8–12 characters, incorporating a mix of letters, numbers, special characters, and both uppercase and lowercase letters. This makes it much harder for hackers to crack your passwords.
To manage these complex passwords, consider using a password manager. For example, UCLA offers 1Password free to all faculty, staff and students. Faculty and staff can even get a free 1Password for Families account, which allows you to include up to four household members at no extra cost. You can get started by visiting the UCLA 1Password webpage. Additionally, enabling multifactor authentication, or MFA, is crucial. MFA adds an extra layer of security by requiring a second verification step, such as a code sent to your phone, making it significantly more difficult for hackers to gain access to your accounts.
Often, hackers will move on to easier targets rather than trying to bypass MFA. By following these steps, we can significantly enhance our cybersecurity and protect our personal and institutional data from potential threats.
Protect yourself when working remotely
With the rise of remote work and personal device use, what steps should students, faculty and staff take to ensure they remain secure while working from home?
To stay secure, always keep your devices updated with the latest security patches. Whether it’s a personal or university device, don’t delay updates, as they fix critical security flaws that cybercriminals exploit. Also, be cautious about how you connect to the internet. When using public Wi-Fi, like at a coffee shop, always connect through a VPN. This encrypts your internet traffic, protecting your data from interception.
Instructions for downloading and connecting to the campus VPN are available on the IT support website. On campus, we also recommend using UCLA Wi-Fi or eduroam for an extra layer of security, as they require user authentication.
Lastly, for faculty and staff, it’s best to use university-owned devices for university business. If you frequently access UCLA institutional information on a personal device, contact your department’s IT team to inquire about getting a university-owned system for better protection.
October is Cybersecurity Awareness Month at UCLA. Why should Bruins get involved?
Cybersecurity Awareness Month is a great opportunity to discuss important topics and empower our community with tips on how to stay cybersafe. On Tuesday, Oct. 1, we’ll be in Bruin Plaza from 11 a.m.–2 p.m. with a spin wheel for students, faculty and staff to win prizes. We’ll also be helping Bruins register for 1Password and 1Password for Families.
In addition, our Cybersecurity Awareness Month microsite is packed with resources to help students, faculty and staff protect against phishing scams, safeguard their information and devices, strengthen cloud security and understand social engineering.
Bruins can also test their cybersecurity knowledge by completing a quiz to be entered into a draw for two tickets to the USC vs. UCLA football game on Saturday, Nov. 23.
We are also sharing weekly tips on LinkedIn and via our Slack channel. We encourage our community to share these posts as a way to further inform their friends, family members and colleagues about how to stay safe online.
Security is a team effort, and we aim to inspire a culture of cyberawareness year-round. While we can build numerous controls, it ultimately comes down to people being intentional about their actions. With so much of our information now digital and our daily activities reliant on technology, cybercriminals are opportunistic. By following basic protection principles, we can prevent the majority of cyberthreats.