The University of Alabama

Cybersecurity Depends on Employee Vigilance

Cybersecurity is not just the concern of University employees dealing with confidential data, but of every UA employee with a computer, says Office of Information Technology security officer Ashley Ewing.

That sense of responsibility hinges on the fact that every computer workstation on campus has the potential to be hacked, infected or plundered.

“The general computer user is far too trusting,” Ewing says. Employees who do not work with confidential records or rare research may harbor a false sense of security. But while a computer may not hold valuable data, criminals can use it to access other University computers networked to it – computers that may hold confidential information ranging from credit card numbers to medical records.

Also, one hacked computer can be used to send out thousands of spam e-mails or the latest virus.

“Employees should understand the computer is itself a valuable resource. It can be used to attack other computers both inside and outside the University,” Ewing warns.

Computer users must resist apathy, according to Ewing. Though no security system is perfect, assuming that anyone who wants to hack a computer will succeed leads users to neglect available safeguards. These safeguards are key to deterring security threats.

“The bad guys are very tenacious and we need to do due diligence to protect against them,” Ewing says. That due diligence can vary depending on the data being protected. Faculty, staff and students working in areas of commercially valuable or rare research may have their computers targeted in very sophisticated ways. The same threat holds true for employees dealing with confidential personal information.

Other workstations, however, may be the targets of random hackers or criminals looking for vulnerabilities. Computers with strong passwords, up-to-date software and firewalls are more likely to deter the casual hacker, who will move on to easier prey.

Phishing is also a growing concern. A phishing scam attempts to collect personal information like bank account numbers, computer passwords and user names through bogus e-mails purportedly sent from a trusted source. UA has dealt with phishing scams pretending to be from OIT or human resources. Ewing says, “Phishing is a common, even old-fashioned way of trying to gain information.”

How can faculty and staff know if an e-mail is phishing or a legitimate request? “The University will never, ever ask for an employee’s password and user ID in an e-mail,” Ewing states.

In addition to avoiding bogus e-mails, OIT urges employees to use strong passwords. Easily guessed passwords such as rolltide, abc1234 or default should be replaced with strong passwords that are at least eight characters long and include at least one alphabetic character, a mix of upper- and lowercase characters, at least one numeric character and at least one special character.

Names of pets, spouses, children or hometowns should not be used. Passwords should not be shared or written on Post-it notes and stuck on the front of the computer.

Cybersecurity is a growing issue on campus. Security breaches affect not only those whose information has been compromised, but the University’s reputation as a whole. “People are more hesitant to invest research dollars or tuition dollars in a school that has a reputation for lax security standards,” Ewing says.

To help faculty and staff understand the latest in best practices for safety, OIT offers free presentations by its security staff. UA departments interested in a cybersecurity presentation should contact Alyson Lawrence at 348-9809 or allawrence@ua.edu.

OIT also offers numerous security tips and suggestions on its website. Go to cybersafe.ua.edu to learn more about anti-virus software, safe use of social networking, shopping and investing sites, wi-fi and mobile device security and more.