Faculty and staff accessing UBC systems must adhere to new cybersecurity measures in response to COVID-19, the university announced earlier this month.
Citing an increased risk of cyber attacks targeting universities and health care research facilities, the university has outlined both mandatory security requirements and additional cybersecurity controls for those who work with sensitive electronic information.
“We are receiving frequent notifications from government agencies, such as the Canadian Centre for Cyber Security and other reporting agencies, that the number of attacks is surging,” reads a broadcast email sent to faculty and staff on April 15. “These attackers are using new tactics and techniques designed to exploit confusion surrounding COVID-19.”
When The Ubyssey reached out to BC’s Office of the Information and Privacy Commissioner (OIPC) for comment, the office stated it has not seen an uptick in breaches in the wake of the virus.
“[I]n March 2020 we received ten breach notifications. For comparison, last fiscal [year] (Apr 1 – March 31, 2019) we received an average of 17 breach notifications a month,” said the office in a written statement.
However, cybercriminals preying on victims during high-profile traumatizing events is not historically uncommon. The trauma of a crisis paired with victims interacting with an increased number of strangers — like non-profits and governing bodies — can leave citizens more vulnerable to cyber attacks.
The World Health Organization, Canadian health care workers and university researchers are just a few of the victims of cyber attacks that have emerged in the midst of the COVID-19 pandemic.
With many UBC staff and faculty being required to work from home, and with some staff using their own equipment to access UBC servers, employees may not have the best practices in place to protect sensitive university data.
Minimum mandatory controls outlined in UBC’s announcement include encryption and anti-malware software. Encryption is the process of scrambling sensitive data so that it’s only accessible to certain people, often by password protection. Anti-malware or antivirus software is designed to protect systems from damaging or unauthorized computer programs.
Computers supported by UBC IT are already up to date with malware protection, and employees who work on devices they own and support themselves were recommended Cisco AMP for Endpoints, which can be downloaded through UBC IT.
UBC’s Information Security Standard #01 defines different levels of data that require protection. Employees who use computers that access, process or store medium-risk information, such as confidential financial information and records; high-risk information, such as student names or IDs; or very high-risk information, such as social insurance numbers or personal health information, were mandated to install additional cybersecurity controls.
These controls include the Umbrella Roaming Security Module, which prevents computers from communicating with malicious websites, and CrowdStrike Falcon Sensor, antivirus software that detects malware and other attacks. The Umbrella Roaming Security Module can also be downloaded through UBC IT, and eligibility for downloading CrowdStrike Falcon Sensor can be determined by contacting Privacy Matters @ UBC.
While UBC recommended employees implement the increased cybersecurity measures as quickly as possible, the university recognized that compliance with the mandate may be difficult for servers and computers that require physical access.
“It is neither necessary nor recommended to deploy the new minimum cybersecurity controls at this time to devices that require physical access on campus,” reads the Privacy Matters website. “These devices can be updated once regular campus operations resume.”
In an email to The Ubyssey, Matt Ramsey, UBC media relations director of university affairs, said that the university was unaware of any difficulties arising in getting staff to comply with the new cybersecurity measures.
“For some, these updates will take a few minutes and for others it may take longer to determine the optimal plan,” reads the broadcast email.
“Either way, it is important to act quickly in order to ensure UBC systems and information are properly protected.”