The online world is getting more dangerous, so in October, Ryerson held its biggest Cybersecurity Month campaign ever.
The campaign focused on creating awareness around phishing, account security and malware. It required advanced preparation and infrastructure investment.
“The cybersecurity landscape is just getting worse and worse,” said Brian Lesser, the head of Ryerson’s Computing and Communications Services (CCS).
In 2016, the University of Calgary paid attackers $20,000 after a ransomware attack locked and encrypted computers on the school’s network. That attack happened the first night Calgary hosted Congress, an annual academic conference, which Ryerson hosted this past summer.
Wanting to avoid a similar situation, Lesser said the CCS worked hard to better protect Ryerson in time for Congress.
More security, more money
In January, Lesser spoke to Ryerson’s board of governors about the need for better cybersecurity. He said the board should expect requests for cybersecurity funding to become more frequent in the future as the “threat landscape” worsens.
“I think everyone understood that,” Lesser said. He made specific funding requests during this year’s budgeting process, and said many were granted.
Ryerson’s 2017-18 budget allocated about $3.4 million for cybersecurity infrastructure, according to Ryerson president Mohamed Lachemi.
Lachemi said that spending went to preventing distributed denial-of-service (DDoS) attacks, upgrading Ryerson’s firewall and commissioning a cybersecurity audit. (DDoS attacks are when computer networks are flooded with data sent simultaneously from many computers.)
The budget also included an important item Lesser requested: a wider licence for the threat simulation software Ryerson used to conduct its test-phishing campaign.
Last year, the university ran a test-phishing pilot project on 1,500 employees. Because Ryerson expanded the licence to its threat simulation software, it was able to expand the program this year.
Phishing is when an attacker attempts to get personal information from a user. Phishes can be sophisticated, directing people to realistic-looking portals where they enter personal information like passwords, thinking they’re on legitimate websites.
Throughout October, the university sent fake phishing emails to 65,000 account holders.
People who fell for the emails (which were modelled on real phishing attacks) were presented with step-by-step guidelines on how to avoid being a victim in the future.
— Brian Lesser (@bdlesser) October 12, 2017
Nineteen per cent of recipients clicked the link in the first test phish this year.
However, Lesser said some of those clicks may have been because people wanted to see the training.
In three subsequent tests, fewer people (four to six per cent) clicked links in the emails. By that time, more people were aware of the testing, which likely brought numbers down, Lesser said.
He said Ryerson will evaluate the statistics from October’s phishing campaign to determine whether it should continue test-phishing at all and, if so, who should be targeted and how often.
In response to student complaints about the email campaign, CCS will consider changing how people can opt out in the future.
In an average week, Ryerson detects one million attempts by automated password-guessing bots to log into Ryerson accounts.
Since people often choose commonly used passwords, bots do hijack accounts. There were 250 successful hijackings in 2015.
To help prevent hijackings, Ryerson account holders can enable two-factor authentication. Once two-factor is active on a user’s account, they need both their password and a code generated by an authenticator app to log in. This ensures that even if an attacker guesses a person’s password, they can’t log in without the second factor.
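To make the mechanism concrete, here is an added example (not Ryerson’s code or the article’s) of the kind of check a login service performs when two-factor is on: the stored password hash must match, and the six-digit code must match what a standard authenticator app computes from a shared secret (RFC 4226 HOTP, time-based per RFC 6238). The secret, salt and user record are constructed for the demo; the RFC’s own test secret is used so the codes can be checked against published vectors.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo values (not from the article). The RFC 4226/6238 test secret
# "12345678901234567890" is used so the generated codes are checkable.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
DEMO_SALT = b"constructed-demo-salt"
STEP_SECONDS = 30


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_unix: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret_b32, at_unix // STEP_SECONDS, digits)


def verify_totp(secret_b32: str, code: str, at_unix: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock skew).
    Comparison is constant-time so the check itself leaks nothing about the expected code."""
    ok = False
    for off in range(-window, window + 1):
        expected = totp(secret_b32, at_unix + off * STEP_SECONDS)
        ok |= hmac.compare_digest(expected, code)
    return ok


def make_user(password: str, secret_b32: str) -> dict:
    """Enrol a user: store only a salted PBKDF2 hash of the password plus the TOTP secret."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)
    return {"salt": DEMO_SALT, "pw_hash": pw_hash, "totp_secret": secret_b32}


def check_login(user: dict, password: str, code: str, at_unix: int) -> bool:
    """Two-factor login: both the password and the authenticator code must check out.
    Both checks always run so a wrong password does not short-circuit and reveal itself by timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_unix)
    return pw_ok and code_ok


if __name__ == "__main__":
    user = make_user("correct horse battery", DEMO_SECRET_B32)
    now = 59  # demo timestamp: second 30-second step, as in the RFC 6238 vectors
    print("password + right code :", check_login(user, "correct horse battery", totp(DEMO_SECRET_B32, now), now))
    print("password + wrong code :", check_login(user, "correct horse battery", "000000", now))
    print("guessed pw + right code:", check_login(user, "guessed", totp(DEMO_SECRET_B32, now), now))
```

The last two lines of output are the point of the article’s claim: a password-guessing bot that lands on the right password still fails, because it cannot produce the code, and someone who somehow sees a code cannot use it without the password either.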
Ryerson made two-factor authentication available to employees in 2013 and to students last fall. To increase adoption, last month Ryerson set up booths around campus where students could enable two-factor and enter to win prizes.
On Oct. 26, Lesser tweeted the number of people using two-factor at Ryerson had nearly doubled from about 1,700 to about 3,300.
Thrilled to see more people using two-factor authentication at Ryerson. pic.twitter.com/G8aTKBXc2H
— Brian Lesser (@bdlesser) October 26, 2017
“Hopefully they don’t turn it off after the contest,” Lesser said.
He said that although the school has considered making two-factor mandatory, “I’d rather do it voluntarily if I can, because then people are adopting it when they’re ready to adopt it. It’s not as disruptive to their work.”
Lesser hopes that by February, Ryerson accounts can be made to use physical keys for two-factor authentication rather than an app. In that case, users could simply press or plug in their key before entering their password on a device.
Lesser said it’s important for Ryerson to continue to educate staff and students about protecting data on their phones and laptops, so if those devices are stolen, the data on them isn’t.
“If you have a mobile device, just turn on encryption,” he said.