IT Security Training

There are many controls and detection mechanisms put in place to help secure the UA-PTC network and employees from internal or external cybersecurity threats. While not always convenient, requirements for complex passwords, password expiration's, screensaver timeouts, antivirus software, encryption, and many other tools are used to make it much harder for cyber-criminals to gain access.

These bad actors have become very efficient at using social engineering to bypass protections and attempt to trick individuals into providing sensitive information. Educating the UA-PTC campus community is an important process in providing the necessary protections.

To provide the necessary training to minimize the security risk to UA-PTC, there are three types of roles defined for good IT Security Awareness:

1. Everyone Role
The Everyone role applies to well, everyone. Everyone should be able to recognize threats, see security as beneficial enough to make it a habit at work and at home, and be comfortable with reporting potential security issues. Everyone should be aware of the sensitivity of the information they are able to access in their day-to-day responsibilities.

• Read and follow the IT Security policies: Use the links provided on the IT Security Polices page to review the policies.

• Website Links: Do not click on website links from senders that you do not recognize. Inspect website links carefully to make sure they are legitimate and not imposter websites. If you clicked a link and provided personal information such as your password, we recommend that you reset your password. To reset your UA-PTC password, visit www.uaptc.edu/reset. 

• Attachments: Do not open attachments from senders that you do not recognize. If you receive an e-mail containing a warning banner indicating that it originated from an external source, be cautious! Also, be cautious of .zip or other compressed or executable file types.

• Personal Information: Do not provide sensitive personal information (like usernames and passwords) over e-mail. UA-PTC will never ask for this information.

• E-mail Senders: Watch for e-mail senders that use suspicious or misleading domain names.

• Shared Documents: Do not try to open any shared document that you are not expecting.

• Is it spam? If you can’t tell if an e-mail is legitimate or not, please contact IT Services at mthomas@uaptc.edu.

• Know the tools like Phishing used by cyber-criminals: The easiest way for a bad actor to reach a potential target is through e-mail. The default arrangements for these socially engineered e-mails are referred to as templates, and each template is designed to intelligently prompt the recipient to provide information by looking like a legitimate request.

o The “Reset Your Membership” Template: The content in a phishing e-mail may depict termination of the membership of a well-known application (iTunes, Amazon Prime, eBay Membership), using messages like “restart your membership by clicking on this link.” Clicking on these links will redirect employees to a phishing website making the employee a phishing attack victim.

o The “Reset Your password” Template: E-mail content requesting a password reset are usually false. Password reset links to an employee’s e-mail is typically only initiated when the person requests it through a self-service portal. If this was not requested by the employee, the e-mail is there to provide a cyber-criminal the opportunity to gain unauthorized access to the systems via the provided password.

o The “Your Order has been Shipped” Template: These phishing scams appear to be a confirmation of an order for a product the employee ordered. They contain a link to the “bogus” order. When clicked, victims are prompted to use their login credentials which are captured and used by a cyber-criminal.

o The “Authoritative communication” Template: Memos from the HR department are an urgent call for action for the employees. This often does not raise suspicion since it looks like an official communication. Hackers exploit this trust level by scamming employees with authoritative e-mails that redirect to other websites or ask for personal information.

2. Specialized Roles
Additional training for those in Specialized Roles focus on employee obligations to follow secure procedures for handling sensitive information and recognize the associated risks if privileged access is misused. Examples of users in this category may include IT Administrators, Human Resources, and the Procurement Team. Each of these specialized roles requires additional training and awareness to build and maintain a secure environment. The training required for any specialized role is currently maintained in Blackboard per user. IT Administrators will have the identity Theft Prevention training assigned.

3. Management
Management needs to understand the organization’s security policy and security requirements enough to discuss and positively reinforce the message to staff, encourage staff awareness, and recognize and address security related issues should they occur. Accordingly, managers of staff with privileged access should have a solid understanding of the security requirements of their staff, especially those with access to sensitive data. This understanding will also help with decisions for protecting the organization’s information.