All undergraduate students received an email on Jan. 22 from Borre Ulrichsen, chief information officer at Gonzaga, with the subject line “Strengthening Information Security.”
Students are being required to complete a 45-minute cybersecurity training before March 16; students who do not comply will have their online account disabled until the training has been completed.
Part of the new plan for cybersecurity includes incorporating multifactor authentication (MFA). The Jan. 22 email said MFA “requires an additional method of authentication to verify a user’s identity,” with the goal being “to make it more difficult for an unauthorized person to access a computing device, network or database.”
Jeff Nelson, information security officer, said MFA adds a significant level of security and it will be applied to all GU accounts by March 16.
The need for the cybersecurity training became urgent after Regis University in Denver was hacked on the first day of its fall semester. The hacker broke into Regis’ system and installed malware that encrypted all of the university’s data.
The situation escalated into something known as ransomware. In order to get all of its information back, Regis had to pay a high ransom fee to the hacker.
Nelson said the ransomware hack at Regis prompted GU’s Information Technology (IT) department to push cybersecurity training to the “front and center” of its focus.
Ulrichsen said the primary method hackers use to break into systems is social engineering, in which a hacker creates some kind of email or communication that looks official. Then, they’ll send it to many people and hope somebody falls for it.
Social engineering is most readily available to hackers through email. Using the dark web, hackers can easily subscribe to services that will send out phishing emails to a reserve of email addresses.
Ulrichsen said the emails could often look like they’re coming from friends and the moment hackers are in, people are much more trusting.
“The training prepares you for alertness,” Nelson said. “What do you look for when you get an email?”
Red flags include receiving an email from somebody you don’t know, an unexpected email or emails with attachments and links. All of these, Nelson said, should raise your antennas for a potential phishing scheme.
Although the training is 45 minutes long, it’s a worthwhile 45 minutes.
“The training rehearses [receiving emails, potentially phishing emails] with people, so that they get used to being a little more discerning about what’s coming in,” Nelson said.
Students are going to learn which behaviors keep them safe, whether they’re here at GU, on social media accounts, on Google accounts or any other medium where potential hacking could occur, Nelson said.
The online training is conducted by a former hacker who will walk trainees through the hacker’s thought process in order to give students a look into a hacker’s mind. This training should increase alertness in situations where there is a potential for hacking.
“Even if [an account that gets compromised] doesn’t have access to systems, it has access to something,” Nelson said.
Once a hacker is in, they can send phishing emails from insider accounts or install malware that spreads itself across a network.
The Next Gen Tech Bar is available to help students further determine whether potential hacking is occurring in their account.
Nelson also shared an anti-hacking tip that is not in the online cybersecurity training.
Emails sent outside of the GU network are not automatically encrypted by the university system, which makes any sensitive information vulnerable to attack. An easy solution is to type “[encrypt]” into the subject line of any email sent outside of the university network. The original, and any subsequent emails, will be automatically encrypted.
Students can expect to see updated cybersecurity training rolled out every year, as technology is always evolving.
In the meantime, MFA is being integrated across student, faculty and staff accounts. Students are required to complete the cybersecurity training, which is found on Blackboard, before the March 16 deadline.