IT Security FAQ

Information security is the practice of protecting information and systems from unauthorized disclosure, modification, and destruction. It encompasses the security of all IT resources, including both University information and the IT devices that access, process, store, or transmit it.

University data is any data for which UFV is accountable. Included is any data relevant to the administration (student and employee records, finanacial data) and day-to-day function (teaching, research, and service) of the University.

Systems/IT Devices are any electronic device (desktop or laptop computer, phone, tablet, etc.) used to access, process, store, or transmit University information, and that uses the University's IT infrastructure, including the University network. 

Proper data management is a responsibility of every University employee; you are responsible for any University information to which you have access. Properly managing the data in your care will help protect you, the University, and the community from data-related theft and harm. Improper data management can lead identity theft, reputational harm, lawsuits, and extremely expensive damages. The goal of data management is to appropriately manage these risks without impairing University operations.

How do I know whether I have sensitive data?

Sensitive data is any data that could compromise integrity or confidentiality. For example, academic or financial records, address and contact information, or files relating to medical concerns. It must be protected from unauthorized access to safeguard the privacy and security of our students, staff, faculty, alumni, and UFV as an organization. In many cases, sensitive data is hidden in larger data sets or files. 

Manage data safely

It's easy to get in the habit of incorporating safe data management into your workplace routine. Knowing what kinds of data you use, as well as how and where you use them, is the first step. Once you determine what data you have and where it's stored, you can protect it by archiving, encrypting, or erasing it as appropriate.

For sensitive University information:

• If you still need the information, but don't need to store it only on your device (and want to access it anywhere), store it on your home drive or department network drive.
• If you need the information and it must be stored locally on your device, encrypt it.
• If you no longer need the information, erase it from your device.

You can apply the same principles to your personal information. If you don't need to store records like old tax returns, bank statements, or other records on your computer or other device, you can store them on an encrypted flash drive or external hard drive and then securely delete them from your device. You should also encrypt any files that you choose to keep on your device (and encrypt the device itself with whole disk encryption).

Choosing a strong and secure password is the first step in securing your accounts. Secure passwords have the following characteristics:

• Can't be easily guessed
• Is not common
• Does not contain your name, address, username, email, or other personal details about yourself/your family
• Is only known by you

View our tips for creating strong passwords here. Consider using a password manager to keep your passwords safe.

Never click links or download attachments from emails that look suspicious. To learn more about how to identify suspicious emails, click here. 

UFV's cybersecurity team is constantly monitoring our email system to detect spam before it reaches you. We stay up to date on the latest email security threats to ensure our systems are current. However, cybercriminals are getting smarter in the ways they avoid detection so we need your help if something gets through.

SPAM, phishing, and other scam messages come with real risk and impact. 

Risks:

1. Leakage of sensitive information - Phishers will disguise themselves as known individuals of victims (e.g. senior management) or trustworthy institutions (e.g. banks) to lure victims to give out their sensitive information such as account names, passwords and identity information. Phishers may further use this sensitive information for malicious purpose (e.g., identity theft) or sell them to third parties.
2. Malware infections - Links or attachments in phishing emails or phishing websites may contain malware (e.g. key-logger, ransomware and cryptocurrency mining malware). If users click these links or open these attachments, their devices may get infected, which may lead to data leakage, data loss or other financial loss.

Impacts:

1. Financial loss - With sensitive information obtained from victims, phishers can carry out transactions (such as transferring your money to their accounts). Business operations can be disrupted due to the time needed to respond to incidents or fix an infected device. 
2. Reputational loss - Phishers can further make use of information obtained from victims to send blackmail, intimidate victims’ contacts or even perform illegal activities (e.g. stealing confidential data), causing legal and liability problems. As for an organisation being attacked, it may suffer reputation damage to its brand, and its clients may move their business elsewhere due to losing trust in the organisation in safeguarding their data.
3. Intellectual property theft - Intellectual property, including the products of faculty, staff, and student research and scholarship, is crucial to our community. With the information obtained from victims, phishing attacks can lead to theft of intellectual property which can represent millions in research and development costs.

Account security

• Use a recognized anti-virus program (Trend Micro, Norton, Kaspersky, AVG, etc.) on personal computing devices.
• Don't use the same password for all of your accounts.
• Be extremely careful posting and storing personally identifiable information (PII) as identity theft is rampant.

Email security

• Keep your virus signatures up to date.
• Never open attachments from unsolicited email.
• Never respond to email requests to provide sensitive information.
• Don't open or respond to SPAM email messages.
• Visit Canada's Anti-Spam Legislation website to learn more about how to protect yourself.

Check out these telltale signs a website may be fake:

1. Check the address bar

The start of a URL may start with http:// or https:// - note the 's' which stands for secure. If a website uses http:// (no s), that doesn’t guarantee that it is a scam, but it’s something to watch for. To be on the safe side, you should never enter personal information into a site beginning with http://.

2. Check the domain name

A favorite trick of scammers is to create websites with addresses that mimic those of large brands or companies, like gooogle.com or amaz0n.net. Scammers count on you skimming over the address and domain name, so it’s always worth double-checking the address bar if you’re redirected to a website from another page.

3. Check the domain age

Scammers know that more people shop online around the Holidays, so they will make real-looking websites around those times. You can check a website's age at the Whois domain tracker to see how long a site has been in business.  

4. Poor grammar and spelling

An excess of spelling, punctuation, capitalization, and grammar mistakes could indicate that a website went up quickly. On legitimate websites, the ocassional typo may be an accident, but these companies still put effort into presenting a professional website. If a website capitalizes every other word or has a lot of odd phrasing and punctuation, take a closer look.

5. Verify

There are lots of free, easy to use tools available for checking the legitimacy of a website. 

• PhishTank
• Virus Total
• Is it hacked?
• Google Site Status
• FTC Scam Alerts

If you aren't sure about a website, it is best not to give them any personal or payment information. Be especially careful if you were directed to the website from a link in an email or message. 

We are here to help if you receive something that you are not sure about. 

Report suspicious email and other communications to phishreport@ufv.ca. If it was an email, please forward the original email you received with your report so that we can investigate the source.

For all other general inquiries, please contact cybersecurity@ufv.ca

Students:

If you are a student who is registered for the current running semester, our Student Device Support program offers virus and malware removal. For more information on the program (where to go, what you need), click here. 

If you are not currently registered, you can take advantage of this program when you are. You can also refer to our tips and guidance on protecting your devices. 

Faculty & Staff:

For UFV provided devices such as UFV phones, workstations, and laptops, contact the IT Service Desk for assistance with virus and malware detection and removal. You can log in to create your ticket, email at itservicedesk@ufv.ca or phone at 604-864-4610 (toll-free: 1-888-504-7441, ext. 4610). Be ready to provide your workstation ID. 

For personal device support, please refer to our tips and guidance on protecting your devices.

UFV files and data are best accessed when on campus through your network drives rather than downloaded onto your device, as this significantly reduces the risk of data loss or theft. USB sticks are also small and easily lost, so it is not recommended to store sensitive data on them.

It is important to be aware of your surroundings and never leave your device unattended.

Don’t trust wi-fi: public networks, like in coffee shops and airports, are easily and commonly attacked. Attackers can use these networks to distribute malware, snoop what you are doing (including your login details if you enter them), and even make fake “Free Wi-fi” public networks that entice you to connect.

Encrypt: If your device is encrypted and it is lost or stolen, all the data on the device will be scrambled and unreadable to the thief. Only your password or recovery key can unscramble the data, so in most cases, encryption means that sensitive data remains secure even when it is lost or stolen. To learn more about encryption, please visit (hyperlink to encryption page)

Never leave your device: Don’t give thieves a chance to grab your computer, laptop, phone, or other materials.

Lock your devices: If you must leave your device or you are not working on it, always ensure the screen is locked. Tip! - If you are using a windows computer, such as the ones on campus, press the Win key + L to instantly lock your screen. 

Bitlocker is a feature included in some versions of Windows that provides drive encryption. When a drive is encrypted, the data on it becomes scrambled and indecipherable to anyone without the right password or smartcard.

A more complex Recovery Key will be needed if Bitlocker detects the drive has been moved or changed. This protects your data even if the drive is removed or stolen. 

For UFV provided devices, IT Services manages all recovery keys. If you require assistance with your recovery key, please contact the IT Service Desk.

For personal devices, see Microsoft’s guide on recovering the Recovery Key.

Windows SmartScreen helps you identify potential malicious websites, and helps you to make informed decisions about downloads. It helps to protect you in three ways:

1. When you are browsing the web or opening a link using Microsoft Edge, SmartScreen will analyze and determine if the page is malicious. If it finds a suspicious page, SmartScreen will display a warning page that advises you to proceed with caution.
2. SmartScreen checks the sites you visit against a dynamic list of reported malicious sites. If it finds a match, SmartScreen will let you know it has blocked the page.
3. SmartScreen checks files you download from the web against a list of programs known to be unsafe. If it finds a match, SmartScreen will let you know it has blocked the download.

In the case of a blocked site, SmartScreen appears as a red page in Microsoft Edge. 

In the case of a blocked download, the progress bar will become red and warn you about the unsafe download. 

From the warning page, you can choose to report the site as safe. To do so, select More Information, and then Report that this site does not contain threats. From there, follow the instructions.

For most sites, you will also be able to disregard the warning by clicking Disregard and continue (not recommended).

Please note: clicking this option may expose your computer and personal data to malware and other threats. If you are unsure if you should continue, please contact the IT Service Desk or Cybersecurity.

If you visit a site that you think may be unsafe but has not been caught by SmartScreen, you can report it by clicking the Tools button, then Safety,

Ocassionally when downloading a file, you may get a SmartScreen warning message that reads: 

SmartScreen can't be reached right now

In this case, open the folder with the file you downloaded (usually "Downloads"). Right-click this file > choose Properties. In the properties window, at the bottom of the General tab, check the box that says 'Unblock', then 'OK'.

You can now run the downloaded file. 

No. SmartScreen checks the sites you visit and the files you download for known security threats. Pop-up blockers only block pop-ups, which are usually non-malicious advertisements.