Security Awareness

Help maintain your own online security – read our IT department's advice on safe use of passwords and usernames

Life today seems to involve an ever-increasing number of passwords and usernames for the various sites, accounts, and online places we all have reason or need to visit. It can be overwhelming to keep track of them all and change them at the recommended intervals – even if we do understand the reason for passwords. 

Unfortunately, breaches and attacks are all too common these days. When your data is involved in a breach, it can be released on the dark web and other foul places on the internet. Bad actors will then try combinations of usernames (often an email address) and passwords from the site they breached on other sites and platforms.

For example, say you used the same password for LinkedIn and your personal email. If they accessed your login information from a LinkedIn breach, a bad actor could then log into your Yahoo or Gmail account and begin spamming emails using your account, tricking your family, friends and even strangers.

In this month's security awareness article, Information Technology reminds us of the importance of using unique passwords and usernames for each site we visit, and to change our passwords at regular intervals.

Using unique passwords across different sites makes it harder to hack your whole digital life. For the same reason, consider using unique usernames, rather than your email address, for important accounts like banking and credit cards. If you have trouble remembering all those usernames and passwords, many free and premium password managers like Dashlane and LastPass can help you keep track of your accounts across multiple devices.

For particularly important accounts, like a social account you use to log into many places or an email account that is tied to your bank accounts, use two-factor authentication when it is available. Two-factor authentication requires that you confirm your identity with something you know (a password) plus a second factor that is either something you have or something you are. You can also establish a customer-specific personal identification number (PIN) to help secure online access. These features are available for most banking sites and free email providers like Gmail, Microsoft, and Yahoo.

Also, pick an interval of time at which you will change your passwords, and set a reminder on your calendar. Even once a year is better than never. Sometimes breach information is not published until years after the breach. If you have already changed your password, you have limited the damage. If you are lucky, you changed your password before anyone even bought it!

If you want to check whether your account info is for sale, security researcher Troy Hunt has set up a website, haveibeenpwned.com, that allows you to enter email addresses and usernames and check whether they appear on data breach lists.

Unique usernames and unique passwords are two ways to help protect yourself in the online world in which we live.

  • It's always phishing season; use your skepticism to avoid getting caught!

    You have probably heard about someone who clicked on a bad link or opened a nasty attachment in an email. You may also have heard of someone who received a letter in the mail or got a phone call offering some fantastic, "too good to miss" deal, only to be "taken to the cleaners." In this article, our IT Security team offers some guidelines and quick tips to help us avoid scammers and other bad actors.

    The good news is, you already possess the best defense to ensure you are not taken advantage of or scammed. Regardless of the medium, a healthy dose of skepticism goes a long way! If something looks or sounds too good to be true, you can bet it probably is. If you get an email telling you to immediately "click here" for a free pile of money, a free iPhone, etc., you need to pay special attention. When someone asks you for login credentials or personal information, your "scam radar" should be on full alert.

    If you have an account with an organization, it is highly doubtful they will request additional personal information through an email message. If you are unsure, use a secondary method to validate that whoever is contacting you is official.

    If you receive an email and you think there may be a valid reason for you to interact, asking a few key questions will help keep you safe. Before you click any links, read the email very carefully:

    • Are the spelling and grammar correct?
    • Does the message come from a person you know?
    • Is the email address in the same format as other confirmed messages you have received from this organization in the past?
    • When you hover over the links in the email, do you recognize the URL address? 

    If a message tells you to log into your account, you are much safer to go directly to the website by typing the known address into your browser or by using one of your bookmarks/favorites. Bad actors often purchase domain names that are very close to reputable names (think google.com versus goggle.com). Without careful reading, it is easy to be fooled.

    While email is a common method of phishing for information, bad actors use many other methods. Tax season is an especially risky time of year. Scammers will send out paper mail attempting to get you to send them tax information. They will pose as a government entity and use language that makes it look as though you have issues with your taxes. Do not automatically call the number provided in a letter; look up the organization's official phone number online instead, and call the IRS directly if you have questions.

    Phone calls are another popular method of phishing for information. Scammers will call and try to acquire personal information, such as passwords, credit card numbers, or Social Security numbers. Our IT department, Microsoft, Google, and other reputable organizations will never call you and ask for your passwords. Similarly, banks and government agencies will never call you and ask for credit card or Social Security information.

    Remember: if it sounds too good to be true, most likely it is not true. Skepticism and critical thinking are your best defenses. So, stay safe and secure with your work and personal information!


  • Did you know – your actions can put our mission at risk!?

    We need donors – financial investors – to fulfill our mission. And while it is always a challenge to recruit new investors, keeping a loyal donor base requires something additional – it requires trust! Imagine the effect on long-time Society investors if they learned that their credit card details or cancer history were released by the Society into the wrong hands. 

    This article provides three real-life examples of recent data breaches at other organizations and offers tips on how to avoid making the same mistakes at the American Cancer Society. By understanding the types of information that need to be protected and by following existing processes and procedures for protecting our constituent information, you can reduce our data breach risk.

    Ransomware breach because of phishing email

    • What happened: In 2017, a nonprofit organization in Indiana (whose mission is to reduce the financial and emotional burdens of cancer and promote cancer prevention) experienced a data breach because a staff member accidentally downloaded malware. Hackers got into the nonprofit's server and held client files for ransom. When the organization refused to pay, the hackers posted on Twitter private letters that the organization sent to grieving families who lost a loved one to cancer. In addition, because of the lost files, the organization lost funding because it did not have the information it needed to apply for grants. 

    • How to prevent this at ACS: This story is not unique, but you can help prevent a similar occurrence at ACS. To avoid being fooled by a phishing email, consider the source and be skeptical. You may not be tricked into opening email from a stranger, but consider what you would do if the phishing email appeared to come from a co-worker or vendor. If the request appears out of context, call your colleague or vendor to verify it.

    Unauthorized disclosure of employee personal information

    • What happened: While sophisticated, high-profile hacks make the headlines, for most nonprofits, it's the day-to-day employee activities that lead to lost or stolen data. In 2017, an Excel spreadsheet containing the personal information of YMCA employees was inadvertently sent over email to other YMCA employees (who did not have a "need to know" of the information). The employee information (which was contained in the second tab of a larger spreadsheet) included sensitive data such as Social Security numbers and salary information. 

    • How to prevent this at ACS: You can avoid this type of mistake. Familiarize yourself with our current ACS standards for protecting each category of information, and double-check the email recipients to ensure that they are authorized to view all the data included in the attachments. In addition, apply the "minimum necessary" standard when sending reports: consider redacting (deleting) unnecessary Excel fields before forwarding the data.

    Vendor or supply chain data breach

    • What happened: In 2017, Hyatt hotels experienced a data breach that was caused by the insertion of malicious software code from a third party onto certain hotel IT systems. Similarly, the 2014 Target breach was caused by lax security at an HVAC vendor. 

    • How to prevent this at ACS: While you cannot always control what occurs with our vendors, you can reduce the Society's risk of a data breach by ensuring that any vendors who process or otherwise handle personal information have been vetted by our Information Security and Privacy teams, and that contract terms include provisions for notification and other assistance in the event the vendor experiences a data breach. 

    Protecting the privacy of our constituents' personal information is essential to maintaining the trust of our donors. By reading this article, you are taking the time to understand our privacy and security procedures. If you have questions about how our policies apply to you, please contact the Privacy office at privacy@cancer.org. 
