Good morning, everyone.
For week four of Cybersecurity Awareness Month I want to remind you of the importance of installing software updates. I also have a fantastic question for Ask Your CISO.
Software Update Tips
- Since UTIA uses ManageEngine, we make it relatively easy for your devices’ operating system, browsers, programs, and apps (including third-party apps) to be updated automatically.
- However, there are times when you may be in the middle of a task and click to finish the update later.
- Please know that it is critical for the device and the data being accessed, processed, and/or stored on the device to have those updates done as soon as possible.
- UTIA also manages browser configurations, which will push the updates to your browser, but the update will not finish until the browser has been relaunched.
- Please relaunch your browsers daily to get the latest updates. You can also check whether you have the latest update by going to the browser’s application menu in the top right corner, selecting Help, then About <browser name>.
- If you must postpone an update, please make yourself a note to finish the update as soon as your task is finished.
- The longer you wait to do an update, the greater the risk of vulnerability.
- You can read more about updates by going to the UTIAsecurity Knowledge Base and clicking on Updates.
Ask Your CISO
- When is it trustworthy in receiving a letter or email stating that there has been a data breach and the company invites you to enroll in their credit wise program for free to monitor for any activity on our credit that we do not agree with?
- This is such a great question and I want to include as much information as I can.
- When a data breach occurs, the company that had the breach is required to notify their customers that the breach happened unless they can demonstrate that the data was encrypted.
- The customer’s data may not have been accessed, but if the company cannot demonstrate that encryption was used, it is still required to send notice without unreasonable delay. However, the specific amount of time to notify and the specific data included in the notification will vary based on the institution and the type of security breach.
- For instance, the FTC requires financial institutions to include the following:
  - Name and contact information of the reporting institution
  - Description of the information involved
  - The date or date range of the breach
  - The number of affected customers
  - Whether or not law enforcement was notified
- These notifications will typically include a plan of action the individual can follow to help protect their data, such as how to recover from identity theft and how to use free credit monitoring services offered by the institution.
- Now for the really confusing part: if hackers have stolen names and Social Security numbers, they can use that information to sign up for new accounts in the victim’s name, commit tax identity theft, and possibly even send fake breach notifications.
- If you receive something that appears to be from a reputable company or institution, always do your research.
- Go to the known website of that reputable company or institution, not by clicking a link in the notification, but by manually typing the address into the address bar.
- Compare the real site’s contact information with that in the notification and make sure ALL of it matches, particularly the phone number and any email address (reputable companies use business domains, not something like gmail.com or yahoo.com).
- Do not call the phone number in the notification until you have verified that it is the company’s actual phone number.
- If a free credit monitoring and/or identity restoration service is being offered, do your research on that, as well, to make sure it is a legitimate service.
- And no matter what, always keep an eye on your credit reports.
- You can go to your individual accounts and check for credit alerts that have been provided by the three main credit bureaus: Equifax, Experian, and TransUnion.
- If you feel that your credit is at risk, you should place an immediate fraud alert on your account(s) so that the account will be monitored more closely.
- If you place a fraud alert with one credit bureau, they will typically share the information with the other two.
- You can also review your credit reports for fraudulent activity by going to AnnualCreditReport.com.
- I know this is a lot of information, but I want you to be very cautious if you receive any data breach notifications.
- The faster you confirm the legitimacy of the notification, the sooner you can take action to prevent identity theft.
- Remember to call a KNOWN number for the company if you have questions.
- And remember that you can always ask me and I will help you do some research.
- Thank you so much for the question!
Important Reminders
- IT Security Awareness Training
  - If you have been assigned training, this is a reminder to complete that training before the end of the year.
  - The IT Security Awareness training is required of all UTIA workforce, which includes student employees, on an annual basis.
  - The IT Security Awareness training is part of the 2024-2025 UTK Compliance training, as assigned by UTK HR.
  - Assignment and reminder emails will come from the UTK Compliance Committee noreply[@]utk.edu, but I will start sending specific reminders about the IT Security Awareness training later this month.
  - As in the past, any user not completing the IT Security Awareness module by the deadline will still lose access to all Institute-owned and University-owned systems until the training has been completed.
  - If you have been assigned this training, you can find it by logging into K@TE https://kate.tennessee.edu and it will be listed under “My Active Courses”.
  - This newsletter goes out to those on the UTIA distribution list, along with some other specific distribution lists, so it is possible you do not have training assigned, but if you aren’t sure, please send me an email and I will be happy to look for you.
  - While the deadline has been set for 12/31/2024, I highly recommend that you complete it before then to ensure you get the proper credit due to DASH implementation happening at the first of the year.
- PCI Training
  - If you have received emails from me that you are required to take Payment Card Industry (PCI) training in order to be compliant with PCI DSS Requirement 12.6, please make sure you have completed that training no later than 10/31/2024.
  - This training is required for any merchant staff member who has any part in processing credit card payments, and any merchant whose staff has not completed the training will be considered non-compliant with PCI DSS.
  - This training is not the same as the IT Security Awareness, Procurement Card, or Travel Card trainings, as each of these touches on something specific and none are related.
  - I have a list of those who process credit cards and have checked K@TE to see the status for each individual.
  - If you have any questions about the PCI training, please email me.
Thank you so much for everything you do to protect the Institute and its data. Your questions and your feedback are always welcome and greatly appreciated!
Sandy
Important Note: Thank you so much for sharing these e-newsletters with family, friends, clients, students, and anyone else who may benefit from the information. I would like to stress that you should keep your students in mind, as non-employee students will not get this information without someone sharing. If anyone has an email group for students who are not employees of your department, please let me know what that address is, and I can include it. I do this as a blind copy so student names and addresses will not show up!