Cybersecurity Awareness Newsletter August 2025

August 2025

Protecting yourself and our information from cybersecurity threats.

Back-to-School season is upon us and retailers are touting sales on a lot of tech gear targeting academic environments and parents alike. With the threat of tariff-driven price hikes looming over our heads, researchers and educators who rely on affordable access to high-performance devices and specialized equipment may feel pressure to make a hasty purchase decision. However, rushing into tech investments without thorough vetting can lead to long-term risks that outweigh short-term savings. Without a thorough evaluation, an investment can introduce vulnerabilities that compromise data integrity and operational resilience. This month I want to go over new system purchase ideals, unauthorized apps on systems/reviews, and software/application updates.

New Tech Purchasing Ideals

Purchasing a new laptop, desktop, or tablet isn’t just about speed, storage, and style. Maintenance, reliability and security are also factors that determine how functional, long-lasting and safe the device will be.

Maintenance – Every device requires ongoing care to perform its best. This includes installing updates, removing unused programs, and running regular security scans. Proper maintenance keeps the system running efficiently and reduces the risk of performance issues and security vulnerabilities while also helping to extend the device’s lifespan. 

Reliability – A device is only valuable if we can count on it. Reliability covers hardware durability, consistent performance, and stable software operation. Choosing quality components and proven brands helps reduce downtime, unexpected crashes, and time-consuming, costly repairs. Purchasing from a known, legitimate vendor also prevents us from receiving counterfeit, refurbished, or tampered devices that could fail prematurely or come preloaded with insecure or malicious software (more on this below).

Security – Speed and style don’t matter if the device is compromised. Security means having strong protections like encryption, secure boot, multi-factor authentication, and regular patching. It also means buying from trusted vendors to avoid tampered or pre-infected systems and old, unsupported hardware.

Two examples of why it is important to purchase from authorized sellers:

  1. Earlier this year the Office of the Inspector General released a fraud alert regarding devices that were purchased from unauthorized “grey market” vendors outside the department’s standard supply chain. The devices had the following problems:
     • Counterfeit quality (poor quality)
     • Tampered serial numbers
     • Inaccurate device specifications (leading to device performance/compatibility issues)
     • Invalid software licenses
     • Fake warranty and support

     https://www.stateoig.gov/uploads/notice/notice_pdf_file/fraud-alert-2501.pdf

  2. According to scamskunk.com, “Laptop scams on Amazon involve fraudulent activities aimed at deceiving buyers into purchasing counterfeit, defective, or non-existent laptops, and/or tricking them into providing their personal information.”

When shopping for tech online, it’s critical to stay alert for red flags such as “too good to be true” deals, bait-and-switch tactics, phishing scams, unverified sellers, and fake shipping or refund schemes. These methods are specifically designed to trick buyers into giving up money or sensitive information, often leaving us with nothing in return. Purchasing from authorized sellers not only protects against counterfeit or tampered devices, but also ensures that we receive valid warranties, proper software licensing, and trusted customer support. In short, sticking with approved vendors and/or working with field services teams to purchase systems is the best defense against scams that could cost us both financially and operationally.

Unauthorized Apps & Shadow IT
Sometimes new systems arrive with extra applications, or “bloatware”, that haven’t been reviewed by IT staff (this is one of the reasons why our Field Services team does a fresh install on new incoming systems). While some of these programs may seem harmless or even helpful, they can slow down devices, collect unnecessary personal information, or create security gaps if they are not updated or patched regularly. In some cases, pre-installed apps may include trial software that encourages users to purchase additional services outside of approved channels, which can further increase risks.

Because an application is not vetted by IT, the security settings, permissions, and data handling practices become an unknown—and unknowns are risky in cybersecurity. Unverified apps may request excessive access to files, cameras, or contact lists, creating opportunities for data misuse or leakage. They may also fail to receive critical security updates, leaving behind unpatched vulnerabilities. Over time, unused or unnecessary apps clutter systems and expand the attack surface of a device, giving cybercriminals more entry points to exploit. Even if the app itself isn’t malicious, it can still create compatibility issues, performance problems, or open the door for attackers through outdated code. 

When employees install or use apps, websites, or devices for work without IT approval, this is called Shadow IT. While it often comes from good intentions, like making tasks easier or faster, it can put sensitive data and the organization at risk. Unapproved tools may bypass security controls, lack proper encryption, or fail to meet compliance requirements. Even popular apps can be risky if downloaded from unofficial sources. Because IT and Information Security aren’t aware of these tools, they can’t verify safety, ensure governance standards are met, or provide proper support. The safest approach is always to check with IT before using new technology, services or apps to protect the organization from potential breaches, leaks, or hidden costs.

Need to request a review of an app? 

Send us a request in ServiceNow and we will get the ball rolling to conduct a review. This process is not intended to create delays; rather, it ensures the application is safe, secure, and compliant with organizational policies. During the assessment, the team evaluates factors such as data storage practices, encryption, access controls, vendor security posture, reliability, and integration with existing systems. Addressing these considerations in advance helps prevent the risks mentioned above.

Already using an app that wasn’t reviewed?

Not a problem. We’re not here to judge or take anything away from anyone. Our job is to help make sure the tools in our environment are safe, secure, and supported. Some apps may meet institutional requirements, while others may not, but by reviewing them together we can find the best path forward. Let us know what the application is, and we’ll review it together and make sure it’s ready for long-term success. Just send us a request in ServiceNow.

System and Application Patching/Updates

Our Role Together
The Information Security team works closely with IT to deploy patches and updates, especially when a serious vulnerability needs quick action. We can all do our part by allowing updates to install when prompted and reporting any problems if they arise. Together, we can reduce risks, maintain system performance, and ensure the tools we rely on every day stay safe and effective. Remember that some updates and patches do not take effect until a system is rebooted, so restarting our computers when prompted is an important final step in keeping them fully protected.

Keep Systems Healthy with Updates
Just as our phones remind us when it is time for an update, work computers and applications also need regular maintenance. Updates often include important security patches that fix weaknesses cybercriminals look for. Ignoring updates leaves systems open to attacks, data loss, or performance problems that could easily be avoided.

Balancing Convenience and Security
We know updates can sometimes feel disruptive, especially when they pop up during a busy day. However, delaying them can create bigger issues down the line. By keeping our applications and software current, we are helping protect not only the device, but also the larger organization. Think of updates as routine care, like changing the oil in a car: it is meant to keep everything running smoothly and securely.

If you have any topics you would like us to write about in our newsletter, please feel free to drop us a line and let us know by e-mailing security@bsd.uchicago.edu.