City Smart, Cyber Smart
What even is cybersecure?
Ransomware. Social engineering. Phishing. We know. It's a lot. We also know that "be more cybersecure" isn't useful advice. What does that mean? And "cybersecurity best practices?" It's best practice to eat healthy, but a dollar slice tastes so good at 1 am.
At the same time, burying you under a pile of tech jargon and things you need to do is overwhelming. So let's break it down. One step, one tip, one piece at a time.
There are three things you can do that'll get you more cybersecure. Take them one day at a time. Cybersecurity doesn't need to be as overwhelming as Times Square on a Saturday—like you'd go to Times Square on a Saturday (or any day).
You figured out this city, you can definitely figure out cybersecurity.
If you use the same password for different services, it only takes one of those accounts getting hacked for all of them to be hacked. We know that coming up with multiple, complicated passwords is a chore—but it's also a lot easier than recovering from a hack. Multi-Factor Authentication (MFA) adds an extra layer of protection, but you should still make sure your NYU password is not the same as one you have used for any other account, ever.
Overwhelmed by the number and complexity of passwords you have to keep track of? You can use a password manager to securely save and retrieve login credentials.
Cyberattacks are constantly evolving, so your phone and computer operating systems and apps are also regularly updating to effectively counter attacks before they even get to you. But these improvements only work if they're installed. Phones, tablets, computers, and most software apps offer the option to enable automatic updates. That means anytime an important security patch or other critical update is available, it's downloaded and installed without you having to do anything. If you prefer to be notified before a new update is installed, that's fine—just make sure you run it as soon as possible.
If you are a system administrator or otherwise involved in maintaining a service or computer network infrastructure at NYU, it is imperative that you keep up-to-date with patches and other critical releases. Often, these must be downloaded and installed manually. Falling behind means you may be leaving dangerous security vulnerabilities in place that can be exploited. Just like falling for social engineering or mistakenly installing a malicious app, failing to keep systems and services up-to-date is one of the most common human errors that make cyberattacks more likely to succeed.
Phishing used to be limited, for the most part, to scams sent to you through email. And while some were well done, most were obvious and full of red flags that could help you spot them. Things have changed, though. Today, phishing isn't limited to email, the cyber attackers attempting it are more sophisticated, and suspicious messages are more difficult to spot. Generative AI tools are making it even easier for them to create convincing fakes.
Services such as NYU Email (Gmail) have grown better at detecting and filtering out phishing messages, but no automated tool is 100% effective. Nor can an email filter help when the phishing message is showing up in your social media DMs or text messages. Living in the city requires a certain amount of awareness and consciousness of your own security. Treat being online the same way. It's a lot easier to verify an email or a request is legitimate than it is to recover from a successful cyberattack.
You'd think from TV and movies that most cyberattacks that succeed happen because the hacker has some amazing piece of tech that can determine passwords and evade security (after which you have to say "I'm in"). But 96% of successful cyberattacks didn't hack the system; they hacked the human. That's social engineering, and there's nothing high-tech about it. It's usually just smooth (or aggressive) talking.
The goal is to trick you into giving up the info the hacker needs to get into a system or account and do their damage—which these days usually means a ransomware attack. Phishing is a type of social engineering, but social engineering can also happen in person or any other way that's available to contact you. They'll come at you through email, phone and text messages... they'll even slide into your DMs pretending to be a colleague or friend.
The best defense: don't give out information and always treat requests for info as suspicious, even when they seem to come from someone you know—and especially if they're requesting special access accounts and passwords or any personal information. If it looks like a legitimate request from a colleague, double-check with them separately (not by hitting reply on the suspicious email!).
When we surveyed the NYU community about which industries they thought were most often targeted by cyberattacks, almost everyone guessed financial institutions. Utilities and hospitals were also high on the list. Almost no one said higher education. But guess what?
Universities are one of the most frequent targets of cyberattacks. But anyone who guessed any of the other industries was also right because NYU isn’t just a university—it's also a financial institution, utility and telecom company, and healthcare provider. NYU has a massive repository of valuable research and data.
Because NYU is a target, you’re a target too; people are the most important part of NYU's network. We all have access to important information, whether it's confidential student data, critical infrastructure like a computer network or medical equipment, or the final project you have stored in the cloud. Recognize the value of your data and your access—cyberattackers certainly do.
NYU VP for IT and Global University CIO Donald Welch and Chief Information Security Officer Richard Sparrow discuss why higher ed is a target and what we can do to counter cyberattacks.