University of Calgary

10/21/2024 | News release | Archived content

Learn to adapt and excel in the ever-changing digital world

As we have become a more interconnected and international society, and as more major company hacks and data breaches make headlines, the conversation around cybersecurity has changed, says an instructor at the University of Calgary's Department of Computer Science.

"Ten years ago, you didn't know anybody who'd ever been hacked, it wasn't something we talked about, and now it's Ticketmaster, it's London Drugs, it's a hospital, a university or even several public libraries," says Dr. Leanne Wu, BSc'03, MSc'10, PhD'20, associate professor (teaching).

"There's just a lot more familiarity with these things. We used to assume, 'Someone's server is down, it's probably a technical error,' and now we're like, 'Oh, somebody's been hacked.'"

Wu says the stereotypical image of hackers has changed from that of a figure alone in a dark basement with a ball cap and a hoodie (always navy blue; never black or maroon, for some reason!), to the reality of an office worker delivering on a team project, just like everyone else.

This shift has allowed cybercriminals to scale their attacks for the complexity of the computer systems and infrastructure they are exploiting.

Threat actors use urgent language to trick people into not using critical thinking when engaging with their content. Breaches happen when individuals are busy or stressed and are not paying close enough attention, making it far more likely for them to miss a warning flag or to mistake a person misrepresenting themselves as a legitimate contact.

"It's not if anymore, it's when," says Wu. "We know these kinds of attacks are targeting organizations with fewer resources and a weaker technology infrastructure. All they need is one person to click on the wrong thing at the wrong time and not take appropriate measures after."

It's important to keep cybersecurity top of mind, and, if there is a breach, to report it as quickly as possible. Taking the required cybersecurity training is a good way to rebalance what you're doing with what you know, and make sure it's aligned with what UCalgary is committed to doing.

"It's not about it being punitive, it's about protecting people and data that might be involved," says Wu. "The faster people report breaches, the faster we can put out the fire or limit the damage.

"We can't fix what we don't know about."

Generative AI and cybersecurity

Generative AI has changed the cybersecurity landscape, helping cybercriminals find and create loopholes and vulnerabilities by generating matching code, creating more convincing and sophisticated phishing emails, and even using deep fakes (which go beyond altering celebrity photos) to trick friends and loved ones into believing the messages they receive are real.

Generative AI also creates a security concern for users of large language models (LLMs) like ChatGPT, where individuals may accidentally or unknowingly input proprietary or sensitive information into the tool, or where organizations haven't checked their security settings and don't realize that their stored cloud data is being used to train LLMs.

"'On the cloud' is just a different way to say, 'stored on other people's computers,'" says Wu. "It's a good idea for people, especially researchers, to consider whether or not their data should be encrypted if it's connected to the internet, and if it needs to be stored online in general."

UCalgary is dedicated to protecting its researchers and the work they do. All researchers, and faculty and staff who support research, should take the research security training and visit the research security website to review the five ways threat actors gain access to research data.

Do you need this data, or is it just convenient? The privacy question

Even with all the changes to the digital environment, most people can agree on what "cybersecurity" means - keeping your data away from people who shouldn't have access to it - but privacy can be more nuanced due to personal and cultural values and lived experiences, which can make some more cautious about privacy than others.

Privacy is about how we choose to limit the access or use of data for those with permission. UCalgary's Privacy Policy is a good starting point, but may not determine whether someone feels harmed by a privacy-related issue. Some individuals may have more specific privacy wants or needs that may make them more vulnerable or sensitive to potential harms.

A good example of this can be found in the new privacy-awareness training that prompts users to think about how student data (such as grades) are protected from external third parties (even family members). While some parents may be accustomed to believing they have the right to information about their child, Alberta's Freedom of Information and Protection of Privacy (FOIP) states that there is an expectation of privacy for all adults - including university students. And, as a public-sector institution, UCalgary must gain appropriate consent before sharing a student's personal information, such as grades, with parents to properly adhere to that law.

As a staff member, it's one thing to use someone's UCID number on an internal system for business purposes, such as HR or expense management, and entirely another to encourage others to share their UCIDs freely via email in a way that could potentially lead to more serious privacy breaches.

Wu says that there's a good rule of thumb to follow when it comes to data privacy: It's better not to collect it if you can, not save it if you don't have to, and to get rid of it as soon as you're done using it.

For more information about UCalgary's data-retention and access to information and privacy policies, please visit the FOIP office and the Master Records Retention Schedule (MaRRS). Annual required cybersecurity and privacy awareness training is available for all faculty and staff, as well as annual required research security training for faculty and staff who perform and/or support research. Please complete the training within 45 days of receiving the automatic course registration emails. Graduate assistants will be required to complete this training starting in January 2025. Learn more here.

"Human error is the No. 1 reason for cybersecurity and privacy breaches," says Mark Sly, director of IT Security. "The consequences of which are too significant to ignore. Threat actors have realized that information is both the target and the weapon. Taking the available training ensures our faculty and staff are educated to make better decisions in cybersecurity, privacy and research-security situations."

Wu is facilitating a "Privacy for Educators: What you need to know about your students' privacy" workshop with the Taylor Institute for Teaching and Learning on March 25 at 2 p.m. Register now.