Community Update - June 10, 2020

June 10, 2020

UBC's faculty, staff, and students have been working, teaching, and learning remotely for almost three months since the provincial government declared a state of emergency in mid-March due to COVID-19. While much of our time has been spent ensuring that the transition to a remote environment was successful, an equally substantive amount of time has been dedicated to increased cybersecurity. However, the reality is that there is increased risk due to the scale of the entire community operating remotely. Risk factors include home networks, home computers, and shared spaces.

We know as well that cybercriminals are taking advantage of the pandemic by specifically targeting universities and healthcare research facilities. These are significant, serious attacks and all post-secondary institutions must take precautions.

In response to these threats, a number of initiatives have been implemented. Additional cybersecurity controls were mandated to be installed on all UBC servers that access, process, or store medium to very high-risk information and on all UBC-owned computers provided to faculty, staff and researchers. Do-it-Yourself (DIY) instructions on encryption and installation of cybersecurity controls on personal devices have also been developed, alongside a communications campaign to build awareness within our community so that everyone understands their responsibilities when it comes to protecting UBC.

However, while there are actions that can be taken to further protect our systems, it remains up to each and every one of us to ensure that UBC's data and systems remain secure. I encourage you to complete the mandatory Privacy and Information Security – Fundamentals 1 and 2 training modules as a way to better understand the risks and the actions you can take to protect UBC’s information.

One of the most prevalent risks is phishing, where an email masquerades as being from a trusted source and attempts to get a user to click a link and provide confidential information such as a username or password, download a file, or even initiate a transfer of funds. Some of you may recall the famous Nigerian Prince emails as an example. They can take many forms, but the main intent is to get you to part with valuable information. Unfortunately, these attacks are much more sophisticated than the older versions, and more successful than we'd like, and they can result in UBC usernames and passwords being exposed. Any suspicious email that is received asking you to log in to a system or download and open a file should be reported to UBC's Cybersecurity team so that they can verify its validity and whether the email is malicious.

Many Canadian and US universities have found anti-phishing campaigns successful in helping faculty and staff understand how to detect a phishing email, and have seen incidents reduced as a result. At UBC, individual faculties and departments are volunteering to take part in our pilot self-phishing campaign, which will be rolled out over time across UBC. The number of phishing attempts has increased during the last few months, with the attackers taking advantage of the fear, uncertainty, and doubt presented by the current global pandemic; however, by working together we can help reduce the risk.

The Cybersecurity team continues to add resources and tips for the general campus community on the Privacy Matters website. They have also been providing direct updates to the IT community through technical webinars and the Cybersecurity Confidential Communications site, and have made themselves available when required for questions.

As we look ahead to our fall semester, we will undoubtedly be tested again. Cybersecurity is ranked in the top three of UBC's risk registry, and a Cybersecurity Maturity Assessment is currently underway to determine current and emerging risks and to provide a roadmap for the next phase of investment in cybersecurity infrastructure, resources, and services.

For now, our best controls will need to rely on our ability to be proactive, responsive, and responsible. Please bookmark the Privacy Matters website to stay updated on how you and your department can help protect UBC's information security.

Best wishes,
Jennifer Burns
Associate Vice-President, Information Technology & CIO