You may not be able to stop these kinds of attacks — and neither can we — but we can all do our part to reduce the likelihood and the impact, especially where your St. Edward's account is concerned.
What We Do
In OIT, it’s our job to ensure that your digital identity stays secure. That identity includes all kinds of personal data, whether that’s your email inbox, your academic records, your billing information or your employment files.
We do that job in several ways.
- In-person password resets. To have their university passwords reset by OIT, all employees are required to come to the Help Desk in Moody 309. (We don’t do resets by phone or email request.) A photo ID is required. We recognize this is a burden, but this way, we’re able to verify you are who you say you are.
- Self-service recovery options. To ease that burden, we also offer self-service password reset options at identity.stedwards.edu, with a phone or text recovery option. This is why it’s so important to keep your phone number on file up to date, which you can also do at identity.stedwards.edu.
- Account security questions. When you first arrive at St. Edward’s and activate your account, you set up security questions as an option for recovering your account down the road. When coming up with the answers to these questions, we recommend making them information that isn’t available anywhere else. If they’re so difficult even you can’t answer them, you can always use the text recovery option.
- Two-factor authentication. We’re beginning to explore other options to protect your university account. Any of those options would involve two-factor authentication. What does that mean? When logging in, you’d be required to present another piece of data besides your password (like a special code sent by text to your phone).
- Technology security checks. Anytime we bring new technology to campus, we run it through some kind of security and privacy evaluation to make sure it meets certain standards. We also routinely perform or request security audits on our systems and services, across the board.
- Computer encryption. We check frequently on industry standards when it comes to university security. This year, we've begun rolling out full-disk encryption to all faculty and staff computers on campus. Under this arrangement, new devices will come encrypted and older computers will be encrypted when they're reimaged or repaired.
What You Can Do
There are a number of steps you can take right now to ensure all of your accounts stay protected, too.
- Respond to data breaches. Given the severity and scope of many high-profile cyberattacks, it’s important to be proactive in dealing with them. (Even if the response from the company is less than ideal.) After the 2017 Equifax breach, the U.S. Federal Trade Commission identified several potential steps to take if you’re concerned your information might have been exposed. Those steps include placing a credit freeze and fraud alerts on your information with all three credit agencies.
- Monitor your credit. Beyond those immediate steps, it’s important to keep tabs on your credit reports and activities year-round. Consider an app like Credit Karma, which lets you easily see your information and spot suspicious accounts in your name.
- Set up multi-factor authentication where you can. Google has simple two-step verification that will send a sign-in code to your phone by text, call or mobile app. If you have a TIAA retirement plan through the university, you can also add two-factor security through your account settings. Typically, you can enable this added security with your cellphone provider, too.
- Lock down your banking. We’ve said it several times now, but we’ll say it again: Enable multi-factor authentication for access to your bank accounts — whether on the web or via a mobile app. (UFCU offers this service.) You should also set alerts on your bank transactions. The sooner you spot something fraudulent, the easier it is to address with your bank.
- Avoid phishing attempts. Phishing is an attempt to get you to reveal logins, passwords, account numbers and other personal information through emails or instant messages that claim to be from a business or organization you interact with, like your bank, a credit card company or a government agency. We have some tips for avoiding phishing attempts to help you keep your account safe.
- Beware low-tech schemes. Sometimes, it really is the simple things to watch out for: an unsolicited phone call, or even a paper form or a letter. Hackers can use stolen information to make these low-tech cons, at a glance, seem legitimate. If you receive these kinds of communications — especially if you weren't expecting them — always double-check the source in some other way (e.g., confirming with someone you already know or with someone at the organization who can independently verify it).