Cybersecurity Training Is Worth Repeating

Video grab: Cyberattack rays hit shield.
"You are the shield," the refresher course tells us, when cyberattacks target the university.

Initial Training and Refresher Course

About 28,500 staff and faculty — Davis campus and UC Davis Health — are being required to take cybersecurity training (online) by March 1.

  • Initial training for about 5,000 people who have never completed cybersecurity training
  • Refresher course for about 23,500 people who completed initial training a year or more ago

Emails went out last week advising people of the requirement and directing them to their individual accounts. You’ll find your cybersecurity training course in the “To Do” section of your home page. (Or search for “UC Cyber.”)

The initial training should take about 50 minutes, the refresher course about 30. You may take the course in more than one sitting. A “bookmark” function will remember the modules you have already completed.

If you need assistance accessing the course or have other questions, please contact UC Davis Staff Development and Professional Services by email.

Cybersecurity training for all staff and faculty is underway for 2017.

If you’re asking yourself, “Hey, didn’t we do this last year?” Well, yes, many of us did.

But it’s required annually now, throughout the UC system, and here’s a good reason why:

Almost two weeks ago, thousands of people at UC Davis received an email from Ralph J. Hexter, our interim chancellor, no less, with the subject line “URGENT DEVELOPMENT.”

Turns out, this Jan. 12 email was a classic case of phishing. It began with “Good Morning staffs” — a dead giveaway. Always watch for awkward phrasing like, “Good Morning, staffs.”

The first paragraph was not much better: “I'm bringing this notice to all employees of University of California, Davis, that there will be a new development in University of California, Davis. I have shared a very essential document which I want all staffs to read through.”

The sender ends with, “Please go through pdf attachment for more briefing.”

Presumably, the PDF — which I did not open — would have attempted to ascertain my personal information, or get me to click on a link.

The university’s Information Security Office received no reports of damage arising from this email. Information and Educational Technology reported that the message reached about 4,300 accounts, mostly those of staff and faculty (3,900). Some of the phishing emails went to lists, so the total number of recipients is likely higher than 4,300. 

IET quickly sent a “warning” email to the entire campus: “Discard phishing email with subject line ‘URGENT DEVELOPMENT’.”

“Please disregard the message, and do not click on the PDF, because the message did not come from Interim Chancellor Hexter,” the warning email stated. “Information and Educational Technology is investigating this matter, which is almost certainly phishing. If you opened the document, please contact the IT Express Service Desk at ithelp@ucdavis.edu to ensure that no malware was introduced onto your computer.”

The IT Express Service Desk reported receiving about two dozen contacts from people about the message as of the morning of Jan. 13, the day after the phishing scam went out.

“The fact that the vast majority of people on campus simply deleted the message means they knew what to do, and their response underscores the value of UC’s cybersecurity training,” said Cheryl Washington, chief information security officer. “Most phishing messages never get delivered, but some do get through. You need to know how to identify them.”
