Cybersecurity Awareness Newsletter October 2025

October 2025

Protecting yourself and our information from cybersecurity threats.

October is Cybersecurity Awareness Month, and we hope you have been attending, enjoying, and learning a lot from the webinars. If you haven’t participated yet, feel free to register and attend the remaining webinars here: https://intranet.uchicago.edu/tools-and-resources/it-services/security/security-awareness-and-training/cybersecurity-awareness-month/cybersecurity-month-webinars
 

In October we will also be hosting a Secure Destruction/USB Data Transfer event on Wednesday and Thursday, October 29th and 30th, 9 a.m. to 3 p.m., Brain Research Pavilion, 5812 S. Ellis Avenue, Room J-103. We will be giving away encrypted 32GB USB drives to staff and faculty who bring in any media for secure destruction. https://events.uchicago.edu/event/252364-secure-destruction-event

For this Newsletter, since Cybersecurity Awareness Month emphasizes the core values and practices that form the foundation of strong cybersecurity habits, we are involving our new interns by having them read through various documents/kits and having them assist with our Cybersecurity Newsletter. I am hoping that this approach helps build a deeper understanding, reinforces key awareness principles for all, and provides hands-on experience in communicating cybersecurity topics. 

We’d love to hear your feedback on their contributions! If we receive enough comments and suggestions, we’ll design a custom cybersecurity themed pen as a giveaway in a future newsletter to show our appreciation. Your input not only helps our interns strengthen their cybersecurity communication skills but also gives you a chance to earn a fun token of thanks for supporting our awareness efforts! Now on to our interns’ contributions!

Please welcome our new interns: Bella Eng and Margaret Jennings!

Bella Eng

How to Recognize and Protect Yourself Against Phishing

Phishing is a common form of cyberattack in which criminals try to steal personal information or infect your devices by tricking you into opening malicious links and attachments. It can be especially difficult to detect because these attacks often arrive as emails, texts, or phone calls that mimic trusted sources (e.g., your university, your bank, or even a colleague).

 

5 Steps to Help Recognize Phishing

  1. Phishing messages often convey a sense of urgency to trick users into action.
     • “Click immediately if you do not recognize this transaction”
  2. The messages may request personal or financial information.
     • Remember that legitimate organizations will generally not ask for sensitive information through unexpected communications.
  3. Phishing attempts often include unexpected links and attachments.
     • Be cautious, especially if the message urges you to click or open immediately.
  4. Phishing messages may come from incorrect or mismatched sender addresses.
  5. Scammers may use untrusted or shortened URLs.
     • Techniques like shortening or slightly misspelling web addresses make it harder to tell where the link will take you.

Phishing messages may also contain poor spelling, grammar, and sentence structure. However, with the increasing use of AI, this has become more difficult to spot. 


How to Protect Yourself against Phishing

  • Stop before you click. Hover over links to see where they lead and make sure the link matches the text that appears.
  • Verify the Sender. If an email sounds off, look up the sender address from the company website. Contact the person or department directly to confirm if they sent the message.
  • Report. Report suspicious messages by using the “report spam” button on your email, alerting the organization it is impersonating, and forwarding it to your IT Security staff.
  • Delete. Don’t reply or click on any “unsubscribe” link.
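The two link checks above (does the visible text match where the link really goes, and is the destination hidden behind a URL shortener) can be automated. The following is an added example written for this newsletter, not code from the University or from any product it mentions; the list of shortener hosts and the sample message are constructed for illustration.

```python
"""Added example, not from the newsletter: check the links in an HTML email for
two warning signs described above (visible text that does not match the real
destination, and shortened URLs). The sample message below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of URL-shortening services (an assumption, not from the page).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' view of a hostname: login.uchicago.edu -> uchicago.edu."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """Return the hostname if the visible link text is itself a URL or domain, else ''."""
    candidate = text.strip()
    if " " in candidate or "." not in candidate:
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname or ""


def check_links(html_body):
    """Return (href, reason) pairs for links that show one of the warning signs."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        target = (urlparse(href).hostname or "").lower()
        if not target:
            continue  # mailto: and relative links are out of scope here
        if registrable_domain(target) in SHORTENER_HOSTS:
            findings.append((href, "shortened URL hides the real destination"))
        shown = host_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(target):
            findings.append((href, f"text shows {shown} but the link goes to {target}"))
    return findings


# Constructed sample: one shortened link, one look-alike link, one genuine link.
SAMPLE_EMAIL = """
<p>Your account will be locked. <a href="http://bit.ly/PLACEHOLDER">Click immediately</a>
to verify at <a href="http://uchicago-edu.example.net/login">https://uchicago.edu</a>.
Questions? <a href="https://intranet.uchicago.edu/help">intranet.uchicago.edu</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run on the sample, the first two links are flagged and the genuine intranet link passes. The domain comparison is deliberately simple (last two labels), which is enough to show the idea; a production filter would use a public-suffix list.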

 

Steps to take if you’ve been Phished

  1. Disconnect from the internet immediately
     • If you clicked a suspicious link, downloaded an attachment, or suspect malware was installed, disconnect your device from the internet immediately by unplugging your network cable or turning off the Wi-Fi.
     • This can stop malicious software from communicating with attackers and prevent it from spreading to other systems.
  2. Report the Incident
     • At work or school: contact your IT Security team immediately and provide details about what happened.
     • Remember that the security team’s goal is to help, not to judge.
     • For personal accounts: report the incident to the affected organization (e.g., your email provider, bank, or service platform).
  3. Change your Passwords
     • Immediately change the password for the affected account(s), doing so from a different device than the one that may be compromised.
     • If you’ve reused the same password on other accounts, change those as well. Attackers often use stolen credentials to gain access elsewhere.
     • Enable Multi-Factor Authentication (MFA) wherever possible for an added layer of protection.
  4. Monitor Financial Accounts
     • Regularly check bank and credit card statements for unauthorized or suspicious activity.
     • If you notice fraudulent transactions:
       • Credit cards: contact your card issuer to report and dispute the charge.
       • Debit cards: notify your bank and request a reversal.
       • If your financial loss exceeds $5,000, the crime may qualify as a felony, and you should file a police report.
     • If you have been personally affected (identity theft or financial loss), visit the FTC’s identity theft website for additional guidance and recovery resources: https://consumer.ftc.gov/topics/identity-theft

Choosing Strong Passwords

While it may be tempting to choose simple, easy-to-remember phrases, strong passwords make it significantly harder for hackers to access your accounts and personal information. When selecting a password, remember these three principles: long, random, and unique.

  1. Make them long

Standards across the BSD and the Medical Center require a minimum of 12 characters.

  2. Make them random

Considering how easy it is for personal information to be found online, your passwords should be random and never based on details like your birthday or pet’s name. A safer approach is to create a passphrase made up of five to seven unrelated words, mixed with uppercase and lowercase letters, numbers, spaces, and symbols. This makes passwords both strong and easier to remember.

  3. Make them unique

Even though it may seem convenient, avoid reusing passwords across accounts. If one account is compromised, it can put all your other accounts at risk. Using variations of the same password also offers little protection, as these patterns are easily guessed or cracked by attackers.
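To make the three principles concrete, here is an added example (written for this newsletter, not the University’s or 1Password’s code) that builds a passphrase the way the “random” step recommends, shows why word count and list size matter, and checks a candidate against the 12-character minimum. The word list and the banned-password list are small constructed samples; a real generator needs a list of thousands of words.

```python
"""Added example, not the newsletter's own: generate a passphrase as recommended
above (five to seven unrelated words, mixed case, a number, spaces and a symbol),
estimate its strength, and check a candidate against the 12-character minimum.
The word list is a small constructed sample; a real generator uses thousands of words."""
import math
import secrets

# Constructed sample word list (assumption); real use needs a much larger list.
WORDS = ["cactus", "violin", "harbor", "pixel", "meadow", "lantern", "copper",
         "tundra", "saddle", "quartz", "ember", "falcon", "orbit", "velvet"]
SYMBOLS = "!@#$%^&*-_=+?"
MIN_LENGTH = 12                              # the BSD / Medical Center minimum cited above
COMMON = ("password", "123456", "qwerty")    # constructed sample of banned strings


def make_passphrase(word_count=5, words=WORDS):
    """Pick words with a cryptographic RNG, capitalise the first word and (at random)
    the others, then append a number and a symbol."""
    if not 5 <= word_count <= 7:
        raise ValueError("use five to seven words")
    chosen = [secrets.choice(words) for _ in range(word_count)]
    mixed = [w.capitalize() if i == 0 or secrets.randbelow(2) else w
             for i, w in enumerate(chosen)]
    return " ".join(mixed) + f" {secrets.randbelow(100)}{secrets.choice(SYMBOLS)}"


def word_entropy_bits(word_count, list_size):
    """Bits of entropy from the word choices alone: log2(list_size ** word_count)."""
    return word_count * math.log2(list_size)


def check_policy(candidate, banned=COMMON):
    """Return the problems found with a candidate password (an empty list means it passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(b in candidate.lower() for b in banned):
        problems.append("contains a commonly used password")
    kinds = {
        "lowercase": any(c.islower() for c in candidate),
        "uppercase": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(c in SYMBOLS for c in candidate),
    }
    missing = [name for name, present in kinds.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    phrase = make_passphrase()
    print(phrase, "->", check_policy(phrase) or "passes policy")
    print("5 words from this tiny list:", round(word_entropy_bits(5, len(WORDS)), 1), "bits")
    print("5 words from a 7776-word list:", round(word_entropy_bits(5, 7776), 1), "bits")
```

The entropy figures are the point: five words from a 14-word list give about 19 bits, which a computer guesses instantly, while five words from a 7776-word list give about 65 bits. Randomness comes from the size of the list and the number of independent choices, not from how clever the words look.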

 

Managing your Passwords

Long, random, and unique passwords can be hard to remember, especially when managing many of them. The safest and most efficient solution is to use a password manager.

A password manager is a secure, encrypted application that can generate strong passwords, store them safely, autofill logins, and sync across your devices. 

In addition to saving time, a password manager can help protect from phishing attacks by identifying and helping to avoid fraudulent websites.

The University of Chicago will soon offer 1Password, a secure password manager. Learn more here: https://intranet.uchicago.edu/tools-and-resources/it-services/security/security-best-practices/password-security

 

Margaret Jennings

Updating Software

Greetings, UChicago reader! 

Let us explore the topic of ... updating software. At first read this may sound underwhelming, but I promise by the end you’ll have gained some invaluable insight into practicing good cyber hygiene. Just as we have developed good habits to maintain oral hygiene, our interaction with the digital world deserves its own care routine. Exploring the internet is lots of fun, but the online landscape carries a level of risk. Fortunately, making a consistent effort to stay informed and practice safe online behavior moves us one step closer to the ideal digital security hygiene routine.

The landscape of cybersecurity is vast and always expanding alongside technological innovations. Similarly, those with malicious intent (attackers) are constantly evolving in parallel to gain unauthorized access to information. Any undisclosed information can be made useful to an attacker, not just sensitive data! Additionally, there’s a medley of vulnerabilities and factors that can be exploited to achieve this.

Did you know that, per CybSafe, only 60% of online users regularly install software updates, and that number is steadily dropping across all generations? Meanwhile, attackers are actively on the lookout for vulnerabilities. It’s almost like leaving the front door wide open. The fix? Update, update, update!

Example:

FTC Takes Action Against Marriott and Starwood Over Multiple Data Breaches | Federal Trade Commission

 

Let’s look at the Marriott hotel franchise from 2014 to 2018. When Marriott acquired the smaller Starwood Hotels, it did not know that Starwood’s payment systems had already been compromised through existing vulnerabilities and poor critical cybersecurity practices. Marriott remained unaware of the breached systems after the merger, and as a result the attackers retained undetected access, which ultimately exposed millions of records across Starwood and Marriott.

No one is perfect, and truthfully speaking there's no such thing as being 100% secure online. But there are preventative measures we can take. This holds true for individuals and institutions alike. Regularly updating devices is one of the simplest and most effective steps we can take to protect our data, close security vulnerabilities, and reduce the risk of unauthorized access. Doesn’t that give just a tad more peace of mind?

What is Multifactor Authentication?

 

For starters, most folks are familiar with the concept of passwords: they are used to authorize access to systems and data. Unfortunately, some of the weakest passwords, like “password” or “password123”, remain surprisingly common. Across the internet, virtually every application prompts for, or even requires, an account login.

A password is only one layer of protection used to verify access to an account and its data. While relying on a password alone might be acceptable for something low-risk, like an intramural sports website, it falls short when accessing systems that handle sensitive information, such as credit card numbers or Social Security numbers. This is where the “Three A’s of Security – Authentication, Authorization, and Accounting” come into play!

The three A’s of security: Authentication, Authorization, and Accounting — MCSI Library

Authentication validates a user’s identity, and Multi-Factor Authentication (MFA) strengthens this step by requiring an additional verification factor beyond just a password. By combining something you know (like a password) with something you own (a security token or phone) or something you are (like a fingerprint), MFA greatly reduces the risk of unauthorized access. Studies suggest most people have some familiarity with MFA; however, usability remains an issue.

 

The Benefits of MFA

Using multi-factor authentication (MFA) wherever possible is one of the most effective ways to protect your accounts. Yet, many users still skip it, viewing MFA as inconvenient or time-consuming. In reality, that extra step can make all the difference in security. A password alone provides just a single layer of defense—its strength relies entirely on how complex, unique, and well-protected it is. MFA, on the other hand, adds one or more verification layers, making it exponentially harder for attackers to gain access.

Your digital data deserves the same level of protection as your physical possessions. Just as you wouldn’t leave your home unlocked or your wallet unattended, sensitive and confidential information should be guarded with equal care. Treating your digital assets as valuable property helps prevent data exposure, financial loss, and potential harm to your organization or personal life.

Example:

https://cybernews.com/security/billions-credentials-exposed-infostealers-data-leak/

Breaches such as the one reported by Cybernews above underscore the importance of protecting digital assets in the 21st century.

Multi-Factor Authentication (MFA) tools continue to evolve, becoming easier and more secure to use. Making a conscious effort to enable and properly use MFA—especially when accessing or handling sensitive data—adds a crucial layer of protection. Each time you use MFA, you’re taking a proactive step toward maintaining good cyber hygiene and safeguarding both your data and your digital identity.

 

Put your Cybersecurity Knowledge to the Test!

 

Can you answer the following questions?

  • What does MFA stand for? 2FA?
  • How secure is a password?
  • How does sensitive data differ from highly sensitive data?
  • What is the importance of usability in information security?
  • What is a cyber hygiene routine?
  • What do the three A’s of security stand for?

If you’ve made it to the end of this newsletter, we’d love to hear from you! Send us an email (security@bsd.uchicago.edu) identifying the topics Bella and Margaret wrote about, along with your favorite color. The most popular color submitted will be used for the custom cybersecurity-themed pen we’ll create as our next giveaway!

Have any questions for the security team? Topics you would like us to write about in our newsletter? Please feel free to drop us a line and let us know by e-mailing security@bsd.uchicago.edu.