Big Ten Academic Alliance shares ‘Scary Cyber Tales’

An error occurred while preparing your download

Big Ten Academic Alliance shares 'Scary Cyber Tales'

Presentation of data disasters meant to educate users

In a hair-raising presentation, information technology experts from the Big Ten Academic Alliance shared stories meant to illustrate the dangers of the digital world. The focus on stories was important, said Reg Jackson, security engineer at The Ohio State University's Office of Technology and Digital Innovation (OTDI).

"One of the reasons that we communicate and why we tell stories is to tell people about bad things that happen to other people," he said.

Stories can help people learn from previous mistakes and, hopefully, avoid them in the future. Something to keep in mind, Jackson said, is "FUD," or fear, uncertainty and doubt. Too much FUD and people begin to seek their own solutions, leaving them even more vulnerable to bad actors.

"Over the years, we've learned how to speak to people about cybersecurity without using all this fear, uncertainty and doubt," he said. "Our trick today that we want to pull is a balancing act between FUD and fun."

Jackson and his Ohio State colleague Emily Gilbert, as well as P.J. Barnett from the University of Oregon, shared four stories about data breaches involving companies like Target and Uber. While the spooky stories varied in specifics, several themes did emerge over the hour-long presentation.

Practice good user behavior

Presenters encouraged audience members to think of themselves differently.

"One of the greatest challenges to cybersecurity awareness is getting everyone to see that they are also cybersecurity professionals," Jackson said.

Users should consider themselves the first line of defense for their organization. That means practicing good cyber hygiene: regularly updating passwords, using multi-factor authentication, backing up data and more.

"It's not just one team of folks that handles that risk," Jackson said. "We all play a part, right? If cybersecurity is a team sport, we're excited to have you here. Educating folks about these dangers is the whole reason why we tell stories."

OTDI offers Buckeyes many cybersecurity resources, including online trainings, an IDP calculator and annual cybersecurity days events.

Report emails

One of the easiest things an individual can do to help their organization is report suspicious emails, Guthrie said.

Phishing emails are a common concern. A phishing scam uses a false narrative or identity to steal a user's information or take control of their devices.

"Report it," she said. "[email protected], we have the "report phish" button [in Outlook]. I love to click it. That's one less email in my inbox."

After an email is reported as suspicious, the security team gives it a thorough review and takes further action as needed.

"Phishing emails can be really powerful," she said. "It only needs to work once to do anything."

Guthrie quoted the 1984 Halloween staple "Ghostbusters" to illustrate her point.

"'Are you the gatekeeper?'" she asked, referencing the film's villain's quest to gain access to new worlds.

Slow down

The best piece of advice Jackson could give, he said, is for users to slow down.

Rushing through a phishing email could mean a user doesn't see it for what it is. Or perhaps someone accepts a request for multi-factor authentication after being prompted a suspicious, and annoying, number of times.

"We are overloaded with details coming at us," Jackson said. "If you did not prompt a multi-factor authentication push, it's better to decline it and resend it to yourself than to accept it and let someone into your network."

Despite the Halloween theme of the presentation, Jackson was clear that the intent wasn't to cause fear or anxiety.

"In most of these cases, user behavior would've stopped these massive attacks," he said. "We're not trying to scare you into worrying about how you operate your digital life, but we are trying to get you to slow down and think."

More Ohio State News