Information Technology Services
National Cyber Security Awareness Month
A note from our CISO, April Sather
I am excited to celebrate my first Cybersecurity Awareness Month at UCOP and look forward to meeting many of you in the years ahead. I can't imagine a more inspiring place to serve as CISO, or a more important mission to enable. While it may not be your official role, we are all in cyber. The same technology that enriches and enables our home, work, school, and social lives can also be exploited. We make choices every day that protect or expose our data, and ourselves. UCOP TDS is continuously looking for ways to make it easier to make smart choices. Read on to learn about just a few of them.
- 64% of higher education institutions were hit by ransomware over the past year*
- 40% required over a month to recover from the attacks.*
- $3.86 million average cost of an education breach**
- $164 average cost per record breached**
- 277 days average time to identify and contain a data breach**
Get involved with Cybersecurity Awareness Month by registering to attend one of many Cybersecurity Awareness Month events taking place across the system. There are sessions covering topics including social media security, cybersecurity law, election security and the cross section between accessibility and security.
Here are three tips to #BeCyberSmart every day:
Tip #1 - Think before you click
Email is the source of the costliest attacks in 2022, with phishing and business email compromise breaches averaging $4.9M per incident.
While UCOP continues to enhance technical controls and conduct educational phishing campaigns (see below interview with Carlos Flanders), you are our strongest defense.
If you receive a phishing or suspected phishing email, please report it by using the Report Message > Phishing option in Outlook.
Tip #2 - Protect your credentials.
The most common attacks in 2022 are a result of stolen or compromised credentials. UCOP's DUO multi-factor authentication (MFA) solution is one tool to protect you from unauthorized use of your applications and data if your user ID and/or password becomes compromised.
Even with DUO, it is important to remain vigilant.
Use strong passwords and manage them using a tool like
- LastPass Password Manager – available to all UCOP employees at no additional cost.
- Do not share your password with anyone. TDS/ITS staff will never ask you for your password.
- If you receive a DUO prompt (or many in rapid succession) "out of the blue" and/or from an unexpected location, do not approve and report this to email@example.com.
TIP #3 - Help Keep UC Data Secure
- Send sensitive data securely to individuals in any organization using GoAnywhere (SecureShare). Messages and files are encrypted, uploaded, and stored on a secure web server.
- Ensure data is backed up to a secure location, such as Box or OnBase. This is one of the strongest defenses against ransomware.
- Take care not to download sensitive data to external drives or personal devices. Our Data Loss Protection tool will alert IT security to downloads that contain confidential data and will require follow-up.
Carlos Flanders, IT Security Analyst
Introducing Carlos Flanders, UCOP Security Analyst. Carlos runs the UCOP ant-phishing campaign. His other responsibilities include managing security alerts, data loss prevention, malware, and security updates.
While serving in the United States Army, Carlos worked as an intelligence analyst and was inspired by a mentor/boss to go into a cybersecurity career. To Carlos, it felt like a natural transition for him, and he was intrigued by the thought that he could do analyst work for different organizations.
Carlos enjoys solving problems. "I like that feeling of being able to find the solution to a problem and then being able to articulate it. I like finding the answer - even if it's not right – and then learning more."
For Carlos, cybersecurity plays an important role in keeping UCOP safe. "Everyone has to be on board to prevent themselves from being a target."
Carlos takes pride in the UCOP anti-phishing campaign because it allows him to simulate what a phishing email looks like and what to look out for, to educate employees and help them think critically when receiving questionable emails. Some emails will get users to click links, open attachments, or will take people to a fake website asking for credentials.
According to Carlos, it's important to be especially careful of suspicious emails, think twice before clicking on attachments, and when in doubt, report it.
"People have been getting better about spotting phishing, but we still have some work to do to keep everyone safe."