
Security Awareness


IT offers its third Cyber Security Awareness Month article and quiz – How to work safely when not in the office

The IT Security team wants to ensure that all volunteers know how to work safely and securely wherever they need to be to do their jobs. Travel and remote security can include working from various locations including home; a public place like a coffee shop, conference, or hospital Wi-Fi; or a hotel.

When traveling, whether it's across town or across the country, the best way to stay secure is to maintain "situational awareness." This means paying attention to physical security and knowing exactly where your technology (phones, tablets, laptops, etc.) is in relation to your person. Laptops are most commonly stolen from cars, forgotten at airport security, or left in meeting rooms.

What does IT recommend? Prior to traveling, review the contents of your laptop bags and remove any unnecessary documents and portable media, such as CDs, external disk drives, or thumb drives.

Here are some additional tips to practice better physical security:

  • Lock your laptop in the trunk of your car before you set out, not after you arrive. Thieves often lurk in parking lots at hotels, shopping centers, and other low-surveillance areas and watch who places valuables in their trunk, so they can pick which cars to break into. If you are stopping on the way to wherever you are going, stow the laptop as you get into your car, not when you leave it.
  • Never leave your laptop or laptop bag visible in your car (placing it on a floorboard is not secure!) – even with tinted windows. Laptops and laptop bags are magnets for thieves. A thief can easily put a small flashlight up to the window of the car to illuminate the inside, regardless of tint. If you have no alternative to leaving your laptop in your vehicle, make sure it is covered in a non-obvious way with blankets, jackets, or other common items not worth stealing.
  • If you leave your laptop unattended in a hotel room, please lock the laptop in the room's safe. If there is no safe or if the safe is too small, hide your laptop in your dirty laundry or somewhere not easily found by the cleaning staff.
  • When sitting in an airport, train station, airplane, or meeting, make sure you leave with all the items you brought in. Again, use your senses for situational awareness.

Another aspect of working securely while on the go is how you connect to the internet. Always choose a Wi-Fi network where you must enter a password over open public Wi-Fi. Criminals and the curious can sit in the corner of any public place (or in a car in the parking lot) and "sniff" your traffic out of the air. Keep in mind that a network password only keeps casual listeners out; everyone who knows the password shares that network with you, so prefer sites that use HTTPS (the padlock in your browser) and use a VPN where one is available.

  • IT offers 10 tips for safer social media - and the second quiz is here!

    To continue its article series for Cyber Security Awareness Month, the ACS IT department would like to share some tips for staying safe while using social media. 

    Would you let a stranger look in your wallet or purse? Would you let all your friends and acquaintances have a look? These are two important questions to consider when you post information on social media sites. Although it may not be readily apparent, the information you post on Facebook or Twitter can be just as personal as what you carry in your wallet or purse.

    The Internet is a valuable tool for collaboration, communication, and entertainment. Unfortunately, many unsavory groups and individuals have figured out how to use the power of the internet not only to invade personal privacy but also as an avenue for spreading malicious and/or dangerous code. Luckily, there are some relatively easy ways of keeping yourself and your family safe. Here are 10 tips to keep in mind, for safer social media use: 

    1. Think before you post – Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing.
    2. The internet is public and "forever" – Only post information you are comfortable with anyone seeing. This includes information and photos in your profile and in blogs and other forums. Also, remember that once you post information online, you cannot retract it. Even if you remove the information from a site, saved or cached versions may still exist on other people's machines.
    3. What's in your settings? – Take advantage of a site's privacy settings. The default settings for some sites may allow anyone to see your profile, but you can customize your settings to restrict access to only certain people. There is still a risk that private information could be exposed despite these restrictions, so don't post anything that you wouldn't want the public to see. Sites may change their options periodically, so review your security and privacy settings regularly to ensure your choices are still appropriate.
    4. Use strong and unique passwords – Protect your account with passwords that cannot easily be guessed. If your password is compromised, someone else may be able to access your account and pretend to be you. Never use the same password on social media as you do for work or banking.
    5. Beware of third-party applications – Third-party applications may provide entertainment or functionality, but use caution when deciding which applications to enable. Avoid applications that seem suspicious, and modify your settings to limit the amount of information the applications can access.
    6. Be wary of strangers – The internet makes it easy for people to misrepresent their identities and motives. Consider limiting the people who can contact you on these sites. If you interact with people you do not know, be cautious about the amount of information you reveal or agreeing to meet them in person.
    7. Be skeptical – Do not believe everything you read online. People may post false or misleading information about various topics, including their own identities. This is not necessarily done with malicious intent; it could be unintentional, an exaggeration, or a joke. Take appropriate precautions, though, and try to verify the authenticity of any information before taking any action.
    8. Check privacy policies – Some sites may share information, such as email addresses or user preferences, with other companies. This may lead to you receiving more spam in your email. Additionally, try to locate the policy for handling referrals to make sure that you do not unintentionally sign your friends up for spam. Some sites will continue to send email messages to anyone you refer until they join.
    9. Keep software and browsers up to date – Install official software updates so attackers cannot take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
    10. Use and maintain antivirus software – Antivirus software helps protect your computer against known viruses, so you may be able to detect and remove the virus before it can do any damage. Because attackers are continually writing new viruses, it is important to keep your antivirus definitions up to date.

    While this list of tips is not exhaustive, it provides a guide to a more secure social media experience. By following these guidelines, you can get all the enjoyment meant to come from social media, while keeping your personal information private and your computer safe.

    Children are especially susceptible to the threats that social networking sites present. Although many social media sites have age restrictions, children may misrepresent their ages so they can join. By teaching children about internet safety, being aware of their online habits, and guiding them to appropriate websites, parents can ensure that their children become safe and responsible users.

  • Celebrate Cyber Security Awareness Month by learning more about phishing and cyberattacks

    Along with Breast Cancer Awareness Month, did you know that October is also Cyber Security Awareness Month?

    As we work hard to raise funds and awareness with Making Strides Against Breast Cancer events and other mission partnerships in October, Information Technology wants to help us grow our online awareness – by featuring a few informative articles throughout the month. 

    Let's jump right in: This first article examines the importance of critical thinking in avoiding cyberattacks. When we hear about phishing, IT asks that we use our critical thinking skills. But what exactly does that mean? 

    Critical thinking is the process of actively analyzing and evaluating information gathered by observation, experience, or reasoning to inform action. These skills are particularly important when working in your inbox because email is the easiest way to access any company. Below are some facts to keep in mind:

    • Most email is spam – up to 97 percent of global email is not legitimate!
    • An event that starts with only one person (clicking a bad link or opening a malicious attachment) can quickly multiply.
    • Scammers usually like to incite emotions and urgency to deliberately derail your critical thinking skills.
    • Most phishing emails will send you to a malicious site that has been created for this attack. 

    Using the following questions can help us approach our email – both at work and home – with critical thinking and the right response:

    • Where did the email arrive, your inbox or a junk/spam folder? Unless you are positive that the email is legitimate, leave it in the Junk folder. Your email provider is probably right – this is an email you don't want or need.
    • Do you know the sender? Any email from a stranger should be viewed with suspicion.
    • Was the email sent only to you? Spam and malware are usually sent in volume. Scammers make their money by finding one or two unsuspecting or careless people for every thousand emails sent. If someone other than you appears in the "To" field, that might be a red flag.
    • Were you expecting this email? Successful phishing attacks often exploit a compromised user's address book to send the malicious software to their contacts and friends. If you see a puzzling email from someone you know, email them back and ask whether they meant to send that email. Chances are you'll be doing them a favor by alerting them that they have been hacked.
    • Does the message make sense? Read suspicious messages carefully for clues that the real sender is someone other than who they claim to be – broken English, vague messages, and language that doesn't sound like a typical message from your sender.
    • Are there logos or identifying marks in the signature? Compare the signature block and the "From:" address; is it a reasonable comparison? If this email is representing a large company, it should come from the corporate email address, not a free email account.
    • Are there attachments? Generally, only open attachments from your most trusted senders and only if nothing else about the email is suspicious.
    • Do the links take you to where they say? Always hover before you click; you don't have to click a link to know its destination. If you do not recognize the address or it looks strange in any way, don't click!
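Two of the checks above, comparing the "From:" address with who the message claims to be from and comparing where a link says it goes with where it really goes (what hovering reveals), can be done mechanically. The script below is an added example and is not part of IT's article; it runs on a constructed sample message whose domains are under the reserved .test and .example names, and the heuristics (free-mail list, "last two labels" domain comparison, display-name matching) are assumptions chosen for illustration, not IT's own tooling.

```python
"""Flag two phishing signals in a raw email: a From: display name that does not
match the sending domain, and links whose visible text points somewhere other
than their real href."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, not a real one. .test and .example are reserved TLDs.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@secure-alerts-verify.test>
Reply-To: reset-team@gmail.com
To: volunteer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Click below to verify.</p>
<a href="http://www.examplebank.example.verify-login.test/secure">https://www.examplebank.example/login</a>
<a href="https://www.examplebank.example/help">Help center</a>
<a href="javascript:void(0)">Unsubscribe</a>
</body></html>
"""

# Assumed list of free-mail providers; a large company should not mail from these.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
# Matches a host name (optionally with scheme) inside a link's visible text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host (crude eTLD+1; wrong for co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html):
    """One finding per anchor whose href does not go where its text says."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme.lower() not in ("http", "https"):
            findings.append(f"{text!r}: non-web scheme {url.scheme or '(none)'!r}")
            continue
        host = url.hostname or ""
        if "xn--" in host:  # punycode: an internationalized, possibly look-alike, name
            findings.append(f"{text!r}: punycode host {host}, possible look-alike domain")
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append(f"{text!r}: text shows {shown.group(1)} but href goes to {host}")
    return findings


def check_sender(msg):
    """Compare the From: display name and the Reply-To with the sending domain."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    brand_label = registered_domain(domain).split(".")[0]
    findings = []
    if domain in FREEMAIL:
        findings.append(f"sender uses free-mail domain {domain}")
    # Heuristic: a company named in the display name should appear in its domain.
    # Personal names will trip this too; the check is aimed at corporate mail.
    words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", name)]
    if words and domain and not any(w in brand_label for w in words):
        findings.append(f"display name {name!r} does not match sending domain {domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"replies go to {reply_to}, not to the From domain")
    return findings


def analyze(raw):
    """Return {'sender': [...], 'links': [...]} findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {"sender": check_sender(msg), "links": check_links(html)}


if __name__ == "__main__":
    for section, items in analyze(SAMPLE_EMAIL).items():
        for item in items:
            print(f"[{section}] {item}")
```

On the sample, the sender check reports the display name that does not match secure-alerts-verify.test and the Reply-To that diverts replies to a free-mail account; the link check reports the anchor whose text reads examplebank.example but whose href lands on verify-login.test, and the javascript: link. The "Help center" link, whose text and destination agree, is not flagged. The domain comparison deliberately uses the registered domain rather than the full host, because a legitimate company mails from many subdomains of one registered name.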

    If you get suspected phishing emails in your inbox, move them to your Junk folder. Do not respond to the email; doing so would just verify that your email address is active, and you will get more phishing emails. Lastly, do not forward the email. You are just helping the phisher create more copies of the email, which could lead to more issues.

    If your email account is compromised, change your password right away. Consider enabling multi-factor authentication – a security measure that requires more than one method of authentication, from different types of credentials, to verify your identity at login – on your home email accounts. For example, if you log in from a new computer, multi-factor authentication may require you to know your email password and also to have your mobile phone nearby to receive a one-time code before you can log in. This makes it much harder for a criminal who has only your password to access your account, and all the larger free email providers offer this protection.

    Another way scammers can try to worm their way in is through internet pop-ups or phone calls. Use your critical thinking skills there, too: 

    • Remember that Microsoft, the IRS, and many other entities will not call you on the phone and ask for sensitive information.
    • If something sounds too good to be true, it is.

    Continuing throughout October, look for additional IT security articles on My Society Source with good information you can use to keep yourself and your family safe.

    So, as you fire up your pink for breast cancer awareness, let's all make the commitment to learn more and stay safe as we use the latest and greatest technology in our roles. 

  • Please think before you click that link!

    Just a reminder to all volunteers -- take a few seconds and think before clicking links in emails, especially the ones that seem a little odd. Trust your gut; if it raises suspicion, it's probably a phishing attempt.

    Never share your login credentials (user name and password), especially via email or on a website. 

    One goal of these phishing campaigns is to capture user credentials – which is a form of identity theft. Once gained, the phisher/attacker will then use the credentials to log onto any system available to the attacker, posing as the person whose credentials were compromised.

    Tips for dealing with phishing attempts

    1. Critical thinking is crucial. Stop and think before you click that link!
    2. Ask yourself: Even if you know the sender, is it a legitimate email? Is what they are asking for, and how they are asking for it, typical?
    3. Hover over links in emails and other documents. Where will the link take you?

    Education is protection!

    One of our best defenses against phishing is educated and aware volunteers. The better everyone understands phishing and ransomware attacks, the better we can protect our systems. To learn more, visit the National Cyber Security Alliance website on staying safe online, and read this article on the top five things staff can do to avoid phishing attacks.

  • The top five things all staff should know to protect the Society from phishing attacks

    Please take the time to review and use this quick list of the top things you can do to protect the Society from phishing attacks:

    1. Know: What is phishing, and why do the bad guys use it?

    Phishing uses fake emails, which often look official, to trick users into giving up information like usernames and passwords or to load malicious software (malware) on your computer. Phishing scams are designed to induce panic in the reader to provoke an immediate response by claiming they will lose something, such as email or bank account access.

    Phishing attacks are increasingly common to all kinds of organizations – for profit, not-for-profit, government, and charitable. Because the emails trick users into taking an action, user education is our best protection.

    2. Stop and think.

    Critical thinking is the best way to stop phishing attacks. No technology can prevent all phishing attempts from getting through. Stop and think with every email you receive. Does it pass the smell test? 

    3. Hover over links before you click.

    Never click a link in an email or in your browser's search results without hovering over it first to see where it leads. Simply visiting a web page lets that page run scripts in your browser, so sometimes one click is all the bad guys need.

    4. What can happen with phishing?

    Generally, phishers are looking for private or sensitive information they can use for fraud – credit card numbers, usernames, passwords, Social Security numbers, etc. Clicking on a phishing link or attachment can also introduce malware onto your computer or network. These programs can record your keystrokes, turn on your webcam, open a back door to the internet for remote control, or download more bad software. Of particular note is "ransomware," which encrypts your documents and demands a bitcoin ransom for the key.

    For more information on recognizing spam and phishing emails:

    While the technology protecting our systems is one part, everyone plays a crucial role in internet safety. 

  • Tips from IT on the Equifax breach

    You may have heard that the consumer credit reporting firm Equifax recently announced they were breached by one or more attackers, who stole personal information for more than 143 million people – including about 44 percent of the total U.S. population. 

    With nearly one out of every two adults impacted by this breach, the chances that you are a victim are good. If you are not, then find the nearest person; statistically, they will be. This is a big deal.

    The information that was disclosed includes details that can be used to open lines of credit, apply for bank loans, buy a car, get a driver's license, get a passport, or anything that involves the use of a Social Security number, date of birth, and other personally identifiable information (PII). 

    What can I do?

    Experts contend that the hackers will buy, sell, and trade the information stolen in this breach for years to come, which means that, if you are impacted by this breach, you should be diligent not only for the next few weeks and months, but for years to come. Equifax has created a website where people can learn more about the incident, with two things of note:

    • Under the menu item at the top of the website, a link called "Enroll" will take you to a page where you can determine whether your data were impacted by this breach. You will be asked to provide your last name and the last six digits of your Social Security number, and based on that information you will receive a message indicating whether your personal information may have been impacted by this incident.
    • Whether your data were impacted or not, Equifax is giving everyone the opportunity to enroll in what is called "TrustedID Premier," which is a credit monitoring service. Note that this is not a credit "freeze," but only a monitoring service, and the free enrollment is only good for a year. Because Equifax is constantly being pressured by the public and our government, this offering may get better with greater coverage.

    Beyond what Equifax is offering for free, there are additional steps which would be prudent to take:

    • Purchase a security freeze for your information. This is the action that does the most to protect you. Unfortunately, few people know about it. A security freeze restricts access to your credit report, so while the freeze is in place no bank or financial organization (such as a credit card company) can pull your report or score, which means no one will give you (or a criminal pretending to be you) a loan or credit card. The challenge is that you must set up a security freeze separately with each of the four credit bureaus. In addition, if you want to get a new loan or credit card, you must first lift the freeze (temporarily or permanently) at the bureau the lender uses. 

    Here are each of the credit bureaus and links to their respective pages on how to set up a freeze:

    1. Equifax
    2. Experian
    3. Innovis
    4. Trans Union
    • Beware of social engineering attacks. Over the next days and weeks, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. Be aware this will likely occur.

    What happens if my information is fraudulently used?

    If someone does steal your identity as a result of this or any other breach, the Federal Trade Commission has created a site to help you recover. The interactive site will walk you through the recovery steps.

    Ultimately, the responsibility is yours to recover from identity theft. Fortunately, there are a few things you can do to lower the chance that your identity will be used after it is stolen, like initiating a credit freeze. If you are the unlucky half of the population who was impacted by this breach, you should act now.

  • Cybersecurity: Tips for protecting your private information

    As employees of the Society, we all share in the important responsibility to ensure that our constituent, employee, and all other collected personal information is secure, so that it can't be used in ways that would cause harm or violate any laws or any of our privacy policies and practices. In this day and age, we know that there is great importance in maintaining the security of the information with which people entrust us – and in keeping our own information private and protected.

    Because we are responsible stewards, each year the Society asks that we complete compliance courses on security awareness, our privacy policy, and our code of ethics. As outlined in these courses, state and federal laws, and regulatory agencies who enforce them, require companies to take measures to protect the personal data they collect. Some of those laws include:

    • The Health Insurance Portability and Accountability Act of 1996 (better known as HIPAA), which covers access to and the protection of individuals' private health information
    • State privacy laws, which require the Society to protect and secure sensitive personal information, including health and financial information, and to notify constituents and/or regulators in the event of a breach.
    • The Payment Card Industry Data Security Standard (PCI DSS), which requires us to follow rules to protect credit card-related information.

    The Society's internal policies and procedures are designed to address these and other rules. Also, our Privacy Statement, available on cancer.org, makes specific promises about what information is collected and how it is stored. 

    And yet, privacy issues aren't only important in our work lives. Below, our Information Technology and Legal departments offer five important tips we all should follow to protect our own privacy. These tips are a follow up to Data Privacy Day, which aimed to raise awareness of data privacy rights and practices. Take a look!

    Tip #1 Read the privacy statement. Privacy statements are used anywhere that data about you are likely to be collected. If you have been to a doctor in the past 10 years, chances are that you had to sign a statement about how the doctor will manage all of the sensitive information collected about you. HIPAA requires the doctor to appropriately secure your protected health information or "PHI."  

    Similarly, personally identifiable information ("PII") is protected under state and federal laws. When visiting any site that collects personal information, you will see a link to the site's privacy statement – usually at the bottom of the site's page. It is important that you read the privacy statement as it will tell you exactly how the company will collect and treat your information so that you can make an informed decision as to whether you trust them with your information. At the Society, we have lots of restrictions around who can access and use this information; our Privacy Statement is available on cancer.org at the bottom of the page.

    Tip #2 Own your online presence. Set the privacy and security settings on web services and devices to your comfort level for information sharing. It's okay to limit how and with whom you share information. Most social media platforms have security and privacy controls which allow you to limit access to any sensitive information you might wish to upload to and through them. Take a look at Facebook's privacy settings as well as LinkedIn's privacy settings, and read this article that covers many different platforms. Remember that what you post can last a lifetime, so be careful about what private information you post on social media. If you do choose to post a picture of your last lab results on Instagram, make sure you set your privacy controls so that not just anybody can read your Social Security number.

    Tip #3 You share even when you don't share. Every time you search online for the best restaurant deal, share good news or bad with your Facebook friends, or tweet to your followers, your "audience" is bigger than you know. That's because your every online move leaves cyber footprints that are rapidly becoming fodder for research without you ever realizing it. Using social media for academic research is accelerating and raising ethical concerns along the way, as vast amounts of information collected by private companies — including Google, Microsoft, Facebook, and Twitter — are giving new insight into all aspects of everyday life. All is not lost, though. A University of Texas-Austin social psychologist says that these big companies are concerned about issues around privacy, and are reluctant to divulge your personal information. Yet that doesn't stop them from selling to advertisers the keywords you use to search so that they can target ads to you. 

    Tip #4 Keep a clean machine. Here at the Society, our IT department manages a patching schedule for the computer that you use to work. These patches help keep your computer and the software that runs on it up-to-date with the latest features and security updates. What does patching have to do with privacy? Hackers and other "researchers" spend days on end, trying to find weaknesses (or vulnerabilities) in commercial software. Sometimes, these weaknesses will allow a bad actor to sneak into your computer and steal your information and any information that is available on your computer (or phone).  These patches are not designed specifically for the Society. Your home computer needs to be patched routinely, too. So does your smartphone. And your internet router. Soon, you will need to patch your refrigerator and microwave, your home lighting, and your daughter's Barbie dolls. For those who own a vehicle with Uconnect, you also have to patch your car. For vehicles and other internet-connected devices, bad guys have been known to take over control of a car while it is moving, stop an insulin pump in a living patient, and turn a Barbie doll into a listening device. Keeping your systems patched is a good way to protect your security and privacy.

    Tip #5 Ransomware, phishing, and other ways your privacy is at risk. Even when you think you are being careful, bad things can still happen. Someone could break in and steal your identity, transfer all of the money from your retirement account, or hold all of your files for ransom. These things are largely preventable if you follow a few simple rules:

    1. Learn how to tell a fake email from a valid email. 
    2. Don't click on links or attachments in email that you do not expect. Ransomware is one of the more recent attacks, and it relies on you to execute its code. You do this when you open the attachment it wants you to open, or by downloading files you don't realize you are downloading when you click malicious links.
    3. Even if it sounds reasonable, like a message from UPS about a package or a request from your boss for some sensitive information, don't act on the request until you have verified it through another channel, such as a phone call to a number you already know.
    4. And, no, there is no son/uncle/nephew of the recently deceased uncle/grandfather/business partner who needs your help in transferring loads of currency from Nigeria before the government/church/other family members get their grubby hands on it!

    Take all these tips into consideration, and if you'd like to read more about privacy, the following resources are available:

  • IT works to protect us against Ransomware; do your part by exercising caution online!

    With headlines – even this week – about "Petya," "WannaCry," and other Ransomware attacks, all volunteers should remain vigilant about protecting their personal computers. Ransomware is nasty and sophisticated malware, and the cleanup takes time and money. As usual, take care when opening attachments and clicking links in emails, and always hover over links in internet searches before you click to see where they are sending you!

    What exactly is ransomware?

    Ransomware is a type of malicious software that encrypts your files or your entire hard drive so they are inaccessible unless you pay the ransom, usually in bitcoin, for the decryption key. Ransomware code can be hidden in email attachments, in links, on infected or compromised webpages, and in SMS text messages. Ransomware is the fastest growing category of malware because it is the quickest way for criminals to make money. New versions and variants are released daily, and hackers are attacking companies big and small – hospitals, college students, and police or other government agencies can be targets. Ransoms can range from $50 to tens of thousands of dollars. The FBI does not support paying ransoms: payment does not guarantee you will receive a working decryption key, it funds further attacks, and the initial infection may have installed other malware as well.

    The FBI's Internet Crime Report 2016, based on information received by the Internet Crime Complaint Center (IC3), shows that complaints and costs are on the rise. 298,728 complaints were received by the IC3 during 2016 (up from 288,012 in 2015), and reported losses to internet crime totaled more than $1.45 billion (up from $1.07 billion in 2015).

    Education is protection!

    One of our best defenses against malware is educated and aware volunteers. The better everyone understands phishing and ransomware attacks, the better we can protect our systems against outside attacks. To learn more, visit the National Cyber Security Alliance website on staying safe online, and read this article on the top five things staff can do to avoid phishing attacks. And think before you click that link!
