Staying safe online: a chat with the U of A’s Chief Information Security Officer

Jeremy interviews CISO Gordie Mah for tips on staying safe online.

ciso.jpg

Jeremy

YouAlberta is written by students for students.

Jeremy (he/him) is in his final year of a MA in Communications and Technology (MACT) at the U of A. When he's not writing a paper or reading a book, you can find him on some of Edmonton's river valley trails, or trying to get sendy on his skis.


At this point, it would surprise me if someone WASN’T trying to scam me online or steal my data. Phishing, trojan horses, fake dating app profiles, crypto rug pulls, rootkits and impersonations…the list goes on and on and on. Luckily, there is a bright spot as the threat is being taken seriously by many organizations, including the U of A, where efforts are led by the Chief Information Security Officer (CISO) Gordie Mah. I was able to reach out to him to learn about what the U of A is doing to safeguard the organization’s information, as well as get some tips about what we can do as individuals to stay safe online.

Nice to meet you Gordie, could you tell me more about what a Chief Information Security Officer does?

As the CISO, my main job is to keep two of the university’s most important assets safe: our people and our information. This means making sure that all the information related to our core mission — studying, teaching and conducting research — is protected. Our goal is to ensure that the cybersecurity measures we put in place keep us safe without hindering the activities related to conducting the university’s business.

A big part of what I do involves figuring out what the biggest digital dangers are to our university and coming up with ways to keep those threats at bay. This includes protecting not just our computers and networks but also the valuable information they contain, which ranges from sensitive information to the groundbreaking research that students, researchers and professors work on. Since technology is always changing, part of my job is to stay ahead of the curve and make sure our defences do too. This means constantly updating our strategies to deal with new threats as they arise.

Risk management is another key aspect of my role. This involves creating rules and guidelines to help us stay safe online and providing training so everyone knows how to protect themselves and their data. 

Lastly, I work to make sure that we're all practicing good cyber hygiene—that's just a fancy way of saying we need to keep our digital spaces clean and organized by doing things like keeping up to date on patches and managing access. It's a bit like making sure we wash our hands to stop the spread of germs but for our computers and online information.

In short, my job as CISO is to make sure that our university's digital environment is as safe and secure as possible, so you can focus on learning and achieving your academic goals without having to worry about digital threats.

 

With all these scams and cyberattacks happening, what are some of the most common ones that U of A students run into?

That's an important question, especially in today's digital age, where new scams are constantly emerging. There’s a variety of cyber threats; here’s a rundown of some of the most prevalent scams targeting our community:

  • Phishing attempts: These are fraudulent emails or messages designed to trick individuals into revealing personal information or login credentials. They often mimic official university communications.
  • Fake job opportunities: Scammers advertise bogus job offers, often involving remote work or research assistant positions, to steal personal information or money. This includes:
    • Deposit cheque and e-transfer scams: Where you're asked to deposit a cheque and then transfer a portion of the funds elsewhere.
    • Purchasing office equipment: Promising reimbursement for buying office supplies or equipment for a job that doesn't exist.
  • Impersonation of charitable organizations: Scams involving entities like World Vision or similar, offering fake overseas placements or asking for help with managing donations, such as buying gift cards.
  • Fake financial communications: Emails about salary reviews or urgent messages from the finance department, leading to lookalike websites aimed at stealing CCID and personal information.
  • Transcript access scams: Attempts to gain access to personal information through fake requests for transcript verifications.
  • Spoofed university communications: Emails that appear to be from Information Services and Technology (IST) or other official U of A offices, asking for personal information verification.
  • Compromised QR codes: QR codes that direct to malicious sites when scanned.
  • CRA tax season scams: Targeting students with fake tax refunds or owed tax communications.
  • Urgent login requests: Asking students to verify personal information on fraudulent websites.

It's crucial for everyone in our community to stay vigilant and skeptical of unsolicited offers or requests for information. When in doubt, contact the official department directly through known and verified channels. It's also important to keep in mind that cybercriminals are constantly devising new methods to trick their victims, so staying informed and cautious is key.

Do you have some tips or guidelines we can employ?

Absolutely, staying safe online is crucial, and there are several practices that can help. Here are some key tips:

  • Be cautious with job opportunities: If you get an unsolicited job offer that sounds too good to be true, it probably is. Scammers often use fake job listings to trick people.
  • Question everything: Always verify the legitimacy of any offers or requests that come your way, especially if they're unsolicited and promise quick rewards.
  • Avoid clicking on suspicious links: Don't download or respond to emails or messages from unknown sources. This can prevent malware from getting onto your devices.
  • Secure your login credentials: Never share your CCID, and make sure you're on the official U of A site by checking for “ualberta.ca” in the URL.
  • Practice good password management: Use strong, unique passwords for each account and consider a password manager to keep them secure. Reusing passwords can put you at risk if one service is compromised.
  • Stay updated: Keep your devices, applications and antivirus software up to date to protect against known vulnerabilities.
  • Secure your devices and networks: Use encryption for your Wi-Fi and devices, change default passwords and consider features like remote wipes for added security.
  • Be wary of high-risk sites and emails: Tools like HaveIBeenPwned can tell you if your email or password has been compromised. Keep an eye on your email activity for signs of unauthorized access.
  • Mind your digital footprint: Be careful about what you share online. Publicly available information can be used by identity thieves.
  • Be careful with QR codes: Ensure QR codes are from trusted sources before scanning. They can be used to direct you to malicious sites.
  • Backup your data: Keep secure, encrypted backups. In case of a ransomware attack, this can save your important files.
  • Use secure connections: When using public Wi-Fi, be mindful of security. If you’re using unsecure wifi at a place like a coffee shop, someone could snoop on your connection.

Adopting these habits can significantly improve your online safety and help you avoid falling victim to cyber threats.

Are there any additional resources or contacts that could be useful?

If you believe a CCID or any U of A affiliated systems have been compromised, or if you encounter suspicious activities, you can report these issues directly to the Information Services & Technology (IST) team by emailing abuse@ualberta.ca.

It sounds like the U of A takes information security very seriously.

Absolutely, and for good reason. Our information is one of our most precious resources, right after our people. This isn't just about the vast amounts of intellectual property and research data we generate and store. It's also about the personal details of our students and staff, course materials and other sensitive information that make up the lifeblood of our university.

Our approach to information security is very much about safeguarding our community. This means not only protecting the groundbreaking work done here but also looking out for each other by preventing identity theft, avoiding scams and practicing good data hygiene. We are very selective about the personal information we retain, ensuring we keep only what is absolutely—and legally—necessary for the university to fulfill its educational and research missions.

The reality is that identity thieves and other malicious actors are always on the lookout for ways to access valuable information. Our job is to stay one step ahead of these threats. Given the sheer volume of data we manage, this is no small task. Our digital footprint is vast, and managing it securely is a significant responsibility.

We invest in the latest security technologies, implement robust policies and conduct regular training sessions to ensure everyone at the U of A understands how they can help keep our digital environment safe.