How to ruin a cyber criminal’s day

U of M Information services and technology department raises public awareness

We exist in a digital world, with technological advancements completely transforming the way we live. 

From online banking and GPS systems to social media, technology is heavily incorporated into our everyday lives. 

As society becomes more dependent on digital technology and the bulk of our data is stored online in the cloud environment, the risk of cyberattacks increases. 

Cybersecurity involves protecting and safeguarding networking systems and digital devices from cyberattacks — malicious third-party attempts at compromising data on computer information systems and networks. 

This past October was Cyber Security Awareness Month — an internationally recognized campaign ensuring public knowledge of the importance of staying secure and protected in the digital age. 

The Communications Security Establishment — Canada’s national cryptologic agency — launched this year’s campaign with the theme, “Fight phishing: Ruin a cyber criminal’s day.”  

Phishing is a cybercrime that involves using counterfeit communications through email or direct messaging to get an individual to share their sensitive information. This is one of the biggest cyber threats that Canadians face today. 

University of Manitoba director of information security and compliance Patrick McCarthy said on the topic that the month “heavily set on phishing and protection mechanisms to protect the data at the university.” 

McCarthy highlighted that the University of Manitoba receives an average of 30 million suspicious emails on a monthly basis. 

“It’s basically seven by 24, 365, including holidays,” he said. “The hackers do not go to sleep.” 

Of those 30 million emails, 93 per cent are blocked by a hygiene software product called IronPort. This filtering software detects, blocks and denies suspicious emails coming into the recipient’s email block. 

McCarthy further explained that the information services and technology (IST) department also does phishing simulations — a cybersecurity training measure to help members of the U of M community recognize and avoid phishing incidents, as these types of cyberattacks tend to target the end user and their credentials. 

In these simulations, the IST department reported that an average of 3.5 per cent of people entered their credentials. This significantly differs from the industry average when there is no program in place, which is about 30 per cent. 

“At 3.5 we’re still good,” McCarthy said, “but it’s still about 300 people that are entering their IDs and password with potential compromises, if it was a real phishing email from outside the organization.”  

U of M chief information officer Mario Lebar explained that the U of M community has an obligation to exercise good judgement in potential phishing incidents.  

Along with the IST department providing a strong technical framework, Lebar added that raising awareness and educating individuals is crucial when it comes to ensuring all around security.  

“Cybersecurity cannot be successful by just building a moat around your organization,” he said. “That will not work.” 

“The issue is twofold,” Lebar explained. “You need a good technical base, and you need people in your organization to recognize when something’s happening that looks amiss, and to respond appropriately.” 

Ultimately, Lebar highlighted phishing as a form of social exploitation, which takes advantage of human errors. As with all technology, humans are the weakest link. Empowering people and ensuring public knowledge and awareness safeguards the community from these forms of cyberattack. 

“That’s why that’s important,” he said. “Your best defence is actually the people in your organization.” 

During October, aside from the phishing simulations, the IST department had cybersecurity information booths in University Centre at the Fort Garry campus, and held interactive learning activities such as scavenger hunts and online quizzes for students, staff and faculty members to help spread awareness. 

McCarthy also urges students to reach out to the IST department via the email address if they are ever in doubt about a suspicious email, or have any security related questions.