Bee Cyber Fit: Simplifying Cybersecurity for Everyone

Building Your Cyber-Fitness: How to Outsmart Cybercriminals Through Strategic Online Behaviors & Habits

February 28, 2024 Wendy Battles/James Tucciarone Season 3 Episode 5


Join us for another insightful episode of the Bee Cyber Fit podcast that builds on our January episode about building cyber habits that are simple and sustainable.

We discuss the outcomes of our 21-day Cyber Habit Challenge at Yale, designed to bolster cybersecurity know-how among the university community. We know that even the smallest of habits can protect our online presence.

We also share five simple yet powerful behaviors you can adopt – cautious clicking, secure password management, regular updates, risk awareness, and vigilant reporting.

Plus, we tackle the pervasive issue of MFA fatigue, a buzzword you'll soon be well-acquainted with, and dissect the cunning strategies cybercriminals employ to exploit this weakness in our digital armor.

As the conversation progresses, we home in on practical steps you can take to protect Yale data and systems against ever-evolving cyber threats. From the necessity of keeping your devices and applications up-to-date to the nitty-gritty of screen locks and the nuances of multi-factor authentication, think of this as your cybersecurity clinic.

Ready to transform your cyber fitness routine with easy, actionable steps? We encourage you to identify at least one of the repeatable behaviors we discussed to start practicing regularly.

Whether you're a student, faculty, or staff member at Yale, or someone looking to step up your cybersecurity game, let's get cyber fit together, one click, one password, one update at a time.

********

Mentioned in this episode:

Visit the Click with Caution webpage to learn about our Recognize, Relax, Rethink model.

Calls to Action:

Build your cyber fitness by choosing one of the habits we discussed:

  • Click with Caution - look for signs of phishing in emails or ask a friend or colleague to confirm if it's real.
  • Report suspicious emails even if you're not 100% sure they're fake.
  • Check if your email address has been involved in any data breaches at haveibeenpwned.com.
  • Set up your devices with automatic updates to boost security.
  • Lock your computer screens when you leave your workspace.

Learn more about Yale Cybersecurity Awareness at cybersecurity.yale.edu/awareness

Never miss an episode! Sign up to receive Bee Cyber Fit podcast alerts.

Transcript

[intro]

Wendy Battles: Welcome to the Bee Cyber Fit Podcast, where we're simplifying cybersecurity for everyone, where we cut through confusing cyberspeak and make cybersecurity simple and easy to digest. I'm one of your hosts, Wendy Battles.

James Tucciarone: I'm James Tucciarone. Together, we're part of Yale University's information security, policy, and awareness team. Our department works behind the scenes to support Yale's mission of teaching, learning, and scholarly research.

Wendy Battles: Ready to get cyber fit with us?

Hey, everyone. Welcome to another episode of the Bee Cyber Fit podcast. We're excited you're here and hope you are ready to get cyber fit with us. If you're a new listener, welcome aboard. This is the place to come for information and some inspiration to stay safe online and outsmart cybercriminals. This podcast is one of the many tools in our toolkit that we use at Yale University to help our faculty, staff, and students build their cyber muscles.

James, February has been a busy and exciting month with our 21-day Cyber Habit Challenge. We had over 600 Yale faculty, staff, and students register for our first-ever effort to build good cyber habits. Can you share with the audience a little bit about how the challenge works?

James Tucciarone:  Absolutely. So, the idea for the challenge came out of our desire to try something a little different for this year's New Year New You campaign. And based on our discussion from the last episode, we know how important habits are in developing our cyber muscles. That led us to the idea of a 21-day challenge, where each week we'd offer quick and bitesize actions people could take every day to think about cyber safety, build better habits, and build those cyber muscles. Wendy, I think we both found the prospect of the challenge to be really exciting. What's been the highlight of it for you? 

Wendy Battles: I have been excited, James, overall, by the response from the community and people's enthusiasm about participating. Also, we've had some great participation at our 30-minute cybersecurity Kahoots, our little interactive game that we play, and people seemed really into that. I've loved seeing people learn more about each of our five cybersecurity awareness topics, so it's been a fresh approach and a good way to start the new year. And fun fact, one of our challenge tasks was listening to Episode 3 from Season 2 about the importance of reporting security incidents. And do you know, James, that it's now our number one most-listened-to episode ever?

James Tucciarone: That's amazing. The challenge has been a great opportunity to welcome so many new people into the cybersecurity awareness family. Hopefully, we'll keep the energy of the challenge going today as we expand on our last episode about building sustainable habits. We'll talk about what we learned last month in terms of habit-building and put it into practice. Remember, we discussed how one of the four laws of habit formation is to make it easy. So, we're going to share some examples of easy and simple behaviors that would make powerful cybersafe habits. 

Wendy Battles: I can't wait to talk more about this topic, James. But first, let's find out about our buzzword of the day, MFA fatigue. 

James Tucciarone: Do you know what MFA is? Chances are you're probably already using it. But do you know why it's considered to be so important? How about the tactics cybercriminals use to try and get around it? Stay tuned to find out more about MFA and what we should know about MFA phishing and MFA fatigue.

Wendy Battles: James, we talked at length about the concept of forming habits in last month's episode, as you mentioned. We broke down what makes habits stick, and we shared some ideas about habit formation, both from our personal lives and, of course, some cybersecurity examples. But before we go on, I do want to ask you how things went with the exam you were taking. You shared how you applied BJ Fogg's Behavioral Model to prepare for a certification test. How did it go, and what did you learn about forming habits?

James Tucciarone: Well, Wendy, I learned that habits also take some willpower and dedication to stay motivated. Even though I set my study alarms, it was really tough sometimes to stick to the plan. However, my studying habits proved successful as I did pass the exam. So, thank you for asking. 

Wendy Battles: That is fabulous, congratulations. I know that was a really big deal and you studied really hard, so it's no small achievement because if I remember correctly, wasn't the course itself like 11 hours a day? 

James Tucciarone: That's right. Honestly, the entire experience was brutal, which is why I'm so excited for today's chat about simple habits. So, let's talk about some good cybersecurity habits we can build around the five key cybersecurity behaviors for the Yale Cybersecurity Awareness Program. These are Click with Caution, Use Secure Passwords, Apply Updates, Know Your Risk, and Bee SAFE, Not Sorry, which is all about reporting suspicious cyber activity.

Wendy Battles: These foundational topics are the most important things our community can do to help protect Yale data and systems. As we often say, James, "We each have a role to play in online security at work or while we're studying." But how do we actually put this into practice in a way that makes sense? How can we focus on a few new habits but not overwhelm ourselves? There's an art to habit formation, and I think it starts with keeping things simple. A simple win encourages us to keep going.

James Tucciarone: Okay, Wendy. Let's take a look at the topic that seems to get a lot of attention in our program, and that's Click with Caution. It's related to social engineering, which is one of the top risks the information security office identified in both 2023 and 2024. Social engineering and phishing are all too common and we can easily expose ourselves to getting duped by fake emails if we don't know what we're looking for. 

Wendy Battles: So true, James. And these days, the level of sophistication of these emails, especially with the use of AI, makes them even harder to decipher. That said, we can put our detective caps on and learn about what to look for. 

James Tucciarone: So, we're going to share two cyber habits to consider. Both can keep Yale data and systems safe, but can also help keep your own personal information safe as well. The first habit is around checking our emails for signs of phishing. Wendy, why is this so important? And what are some of the things our Yale community can do to proactively identify phishing emails?

Wendy Battles: Oh, great questions, James. First, let's talk about the why. We want to be able to recognize and identify phishing emails to avoid being fooled by them. Cybercriminals may use phishing for a variety of goals. However, one of the most common tactics is using malicious links or attachments. When we click on a malicious link, we can unknowingly provide a cybercriminal with our login credentials. With our Yale accounts, for example, a link might bring us to a fraudulent login page where we can expose our NetID and password, ultimately compromising our account. So that's our why.

Second, regarding what we can do to identify phishing emails, there are several things that align with our three Rs: Recognize, Relax, Rethink. It starts by recognizing an email that raises red flags. Here are a few things to look for. Is there a sense of urgency in the email? Is it asking you to take action right away? Is the tone threatening in some way, such as implying that you'll get in trouble if you don't act? Is the request unexpected or unusual, like your boss sending you an email requesting that you purchase gift cards? I don't know of any manager at Yale that would ask that of a staff member. So, James, those are three specific examples. Our Yale community can find more information on red flags on our Click with Caution page, which we're going to link to in the show notes. That's the first habit we're building about social engineering. James, what's the second thing that we can do?

James Tucciarone: The second thing we should talk about is the case of receiving an email from someone we think we know. Imagine receiving an email from your boss or your boss's boss asking you to do something unusual. One of the best things we can do when something seems off is to go to the source instead of responding directly to the email. So, our second habit around Click with Caution is checking with a known contact when something feels off.

Wendy Battles: 100%, James, and it's simple to do. You could forward the email to them, or you could pick up the phone if that's easier, and ask them if they sent the email. If it's someone fairly high up whom you wouldn't normally reach out to directly, maybe your boss's boss, find out who their assistant is and reach out to that person for verification.

James Tucciarone: Another option could be to check with coworkers and see if they received a similar email. It's not unusual for more than one person in a department to receive the same phishing message.

Wendy Battles: I think those are two behaviors that would be relatively easy to form a habit around. And because of the increased sophistication of the emails we're receiving, as we mentioned, using our colleagues as our allies to help figure out what's real or not is one more way we can work together to boost our skills and protect Yale. 

James Tucciarone: Wendy, that's a great segue into what we can do if we encounter something that seems suspicious, and that's to build our reporting muscles. During our Bee SAFE, Not Sorry awareness campaign in 2023, we talked about the idea of reporting suspicious cyber activity, including suspicious emails and suspected phishing. Our information security colleagues are here to investigate, and they're able to provide us with guidance on how best to proceed. So, the habit-forming behavior we recommend here is to report suspicious messages. At Yale, you can report suspicious emails by either emailing information.security@yale.edu or reporting it as phishing through your mail application. We'll also include a link in the show notes to our Report an Incident page, where you can find additional details.

Wendy Battles: James, we also discussed not being embarrassed to report something. There's nothing worse than having an uncomfortable feeling in the back of your mind about an email, yet you don't address it. Our team is here to help in situations like this. 

James Tucciarone: Absolutely. Okay, Wendy, we talked about cybersafe behaviors around clicking with caution and reporting suspicious activities. Now let's focus on using secure passwords. 

Wendy Battles: James, something that can be helpful and that we can do regularly is to check whether our passwords or other personal information have appeared in data breaches. Some of our listeners may already be familiar with the website I'm going to share, and for others, this may be new information. haveibeenpwned.com is a website that can tell you if your email address has been involved in a data breach. It works for both your Yale email address and your personal email address. Have you tried it, James?

James Tucciarone: I actually only recently learned about the website myself, but I had to give it a try and was really surprised to see my personal email account had been identified as being part of a number of breaches for a bunch of different websites and applications. I must say I did appreciate that for each application, the tool showed what data had been affected as part of their breach. 

Wendy Battles: I have to tell you, I've done the same thing, James, and found it really eye-opening as well. Both my Yale email address and my personal email addresses have been part of breaches over the years, so it's a very helpful tool. I'll just add that a link to it is in the show notes so that you can easily go check it out for yourself. Okay, Apply Updates is next. We often say that applying updates is the most important action we can take to protect our devices, whether our work machines or our personal machines. Software develops vulnerabilities that expose openings for cybercriminals. Sometimes they can slip in the back door, so to speak. Many of us at Yale have what are called managed workstations, which means that updates are automatically applied, but some machines aren't managed, and you need to initiate updates manually.

James Tucciarone: And that brings us to our suggested habit of regularly checking for and applying updates to our systems and software. I want to make sure everyone caught that I said devices and software, because both our systems, such as Windows, Android, iOS, etc., and our software, like Outlook, Adobe, Zoom, etc., receive critical security updates. And to make things even easier, you can enroll your non-managed workstation and personal devices for automatic updates. In the show notes, you'll find links to some documentation to point you in the right direction, or you can reach out to your IT support provider for assistance.

Wendy Battles: James, I love the distinction you made about both our devices and software. There's a lot to protect, both at home and at work, and I don't know about you, but I have multiple personal devices at home, so I probably need to double-check some of them for automatic updates and set them up. 

James Tucciarone: Wendy, that brings us to our last topic, Know Your Risk. Just as with our other habits, we're trying to keep it simple while still offering an action that's repeatable. And in my opinion, this one is not only incredibly simple but also incredibly important and effective. So here our behavior is to implement screen locks for our devices and to make sure that we use them whenever we step away.

Wendy Battles: Here's why they're important. These days we find ourselves in a variety of work situations. Some of us may be working from home more, and if you live with others, you want to be sure that confidential information is for your eyes only. And the same holds true for when you're in the office and get up from your desk to head to a meeting or go to lunch. 

James Tucciarone: And in case you're not sure how to lock your screen, we'll add some helpful links in the show notes to provide some guidance. 

Wendy Battles: What a fabulous discussion about how we can start to build some basic cyber habits that are simple and repeatable and focus on our five most important cybersecurity topics. Now, let's hear more about our buzzword of the day. 

James Tucciarone: Here's the buzz on MFA, also known as multifactor authentication. We all know our passwords are the keys to our accounts, and we can describe passwords as something we know. However, passwords are often easily compromised due to, among other things, the use of weak passwords, the reuse of the same or similar passwords for different accounts, and storing them insecurely. MFA, on the other hand, is frequently based on something we have. Many of us are familiar with using a verified smartphone with Yale's Duo authentication, or verifying a code sent by text, email, or phone call when logging into our accounts. As we can imagine, this makes it much more difficult for cybercriminals to gain access even if our password has been compromised. With MFA, we're providing an additional form of authentication that adds another layer of protection beyond a simple password.

So, if our passwords are the keys to the castle, MFA can be thought of as the moat that surrounds it. Unfortunately, cybercriminals have a lot of tricks up their sleeves, including tricks to get across the moat and around our MFA. Two common tactics are MFA phishing and MFA fatigue. Let's start with MFA fatigue, which is simply a cybercriminal bombarding us with MFA requests. The idea here is to overwhelm us to the point of approving the request, either inadvertently or just to get them to stop. Now, MFA phishing is a bit more insidious. Just like other types of phishing, this tactic uses social engineering to try and fool us into approving MFA requests or providing MFA credentials. Cybercriminals may use fear and urgency by claiming we need to approve an MFA request to avoid losing access to our account. 

Another common approach is to impersonate a support or help desk representative and demand our MFA codes in order to provide us with assistance. It's also important to note that if a cybercriminal is able to carry out an MFA attack, they've likely already compromised the account's username and password. This means that if we're receiving MFA requests we believe to be fraudulent, it's critical we change the password for that account. So, what can we do to alleviate MFA fatigue and combat MFA phishing? Be wary of MFA requests if you're not actively logging into an account, click with caution, and stay informed about the latest phishing techniques. Report suspicious MFA requests. If you believe your Yale account has been compromised, contact the information security office right away. And don't forget to keep listening to the Bee Cyber Fit podcast, where we simplify cybersecurity and help you to be aware, to be prepared, and to be cyber fit.

Wendy Battles: We covered a lot in our episode today, James. Let's review a few calls to action to help keep the Yale community at the height of their cyber fitness. First, choose one of the simple habits that we shared and start practicing it. As a reminder, they are: click with caution by looking for signs of phishing emails or reaching out to a known contact to help confirm if it's real; report suspicious emails even if you're not 100% sure that they're fake, better safe than sorry; use secure passwords and check regularly if your email address has been involved in any data breaches; set up your devices for automatic updates to boost security; and finally, lock your computer screens when you leave your workspace. So, pick one of those and start focusing on it, and let's build that habit.

James Tucciarone: Wendy, these are some great habits to boost our cyber safety in really easy ways. But that's all we have for today. So until next time, I'm here with Wendy Battles and I'm James Tucciarone. We'd like to thank everyone who helped make this podcast possible, and we'd also like to thank Yale University, where the podcast is produced and recorded. 

Wendy Battles: Thank you all so much for listening. We truly appreciate it. And remember, it only takes simple steps to Bee Cyber Fit.

[Transcript provided by SpeechDocs Podcast Transcription]
