How one MRU employee was tricked by a phishing email
11/13/2025
Bob (not his real name) started his day like any other, going through his inbox on his phone while he had his morning cup of coffee. He was swamped with a project that had a looming deadline. Between that and his other tasks, he was juggling several balls. Bob desperately hoped that he wouldn’t drop one as he scanned through his emails, looking for anything that seemed urgent.
One email in particular jumped out at him. It was from Caroline. He knew his boss had met with her. It had Strategic Plan Draft in the subject line. “This might be important,” he thought. He opened the email. It looked something like this.

He had been accepting a ton of document shares lately as part of his project work. So much so that his brain had developed a shorthand for identifying them. As a result, when he looked at this email that mimicked a legitimate Google Drive share email, he focused on the key elements the attacker had included and determined that it was from Caroline. Even though the sending email address was wrong and it was not Caroline’s email address that was sharing the document, Bob’s brain used its shorthand to deem the email legitimate.
Because he was using his phone to check the email, he didn’t see the sender’s email address either (this screenshot is from a computer), which would have tipped him off. All of this was exacerbated by his urgency to get through his emails so he could get back to working on his project. It was the perfect storm. He clicked the link.
Fortunately for Bob, this was a phishing training email. He quickly realized the email was not what he thought it was and he reported it by clicking on the three dots in the upper right corner of the email window and selecting Report phishing from the drop-down menu.
Had this been a real phishing email, his quick actions would have saved the University and his colleagues a lot of pain. As it was just a phishing training email, he was rewarded for his reporting efforts. Bob could have been embarrassed and ashamed that he had made an error that could have caused immense damage, especially as he had completed all his cybersecurity awareness training and knew what to look for. Instead, he chose to share what he learned in the hopes that others would not make the same mistake he did.
Here is Bob’s advice:
- When you are reading your emails, slow down. Read every one carefully and thoughtfully.
- Check the sender’s email address every time. If you are going to use your phone to do so, make sure you know how. Otherwise, wait until you get to your computer to respond.
- The right email at the right time can trick anyone. Make sure you report your error right away.
You don’t have to make the same mistake Bob did. Follow his advice, avoid the regrettable click and report every malicious email you find. Your colleagues and the University will thank you.
Your work/school and personal life don’t mix well
11/12/2025
When you become a student or employee at MRU you receive several benefits, one of which is a Google Workspace account. This thing of marvel provides you with an inbox, a word processor, a spreadsheet application, cloud storage and several other useful cloud-based applications.
In addition to having this work/student account, many of us also have personal accounts that provide some of the same benefits. This is where things can become complicated. Having the two accounts makes it very easy to save work/school files on your personal Google Drive and personal files on your work/school drive. It can also result in sending a work/school email with your personal email address and vice versa.
This can pose problems in several ways. First, if you have saved work files using your personal account, you may be required to turn over access to it and your device so an access to information request can be fulfilled. Second, emails sent using your personal email address can be perceived as phishing and ignored. Lastly, when you leave the University, you may lose access to your work/student account and everything that is stored there.
For your privacy and safety, it is important that you keep your two worlds separate. The easiest way to do this is to have separate devices for work/school and personal use. However, this isn’t an option for most of us. Fortunately, there is a solution. On your laptop, use Google Chrome as your browser for work/school and then use a different one for your personal life. This separates the two accounts and helps prevent the accidental use of the wrong email or storage of data on the wrong drive.
On your phone, it is best if you don’t upload work emails. However, with some roles this isn’t possible. Therefore, when you have to have work/school emails on your personal phone, use a different email application for each one. Again, this helps ensure emails are sent from the correct email address and prevents confusion.
Remember, Mount Royal owns the Google Workspace accounts that you are given access to. If you leave MRU, you may lose access to that account – including personal data, photos, etc. stored there. Additionally, all MRU assets (including Google Workspace accounts) are subject to Access to Information Requests. If you have personal data stored in your work account, it may be subject to such requests. While MRU does make every effort to ensure personal data is not included, it may still occur. Protect yourself and your data – keep work/school and personal data separate.
Reporting to Google helps our defenses but confuses the training platform
09/02/2025

Last week the email notifications went out announcing the release of this year’s annual training course, “Beau’s Day”. This notification is generic in nature and is also used to notify those who have clicked on two training emails in one year that they have been assigned the training course “Professor Phish Explains: Phishing”. Unfortunately, the email wasn’t written very well and it caused confusion.
Confusion was compounded when employees followed the instructions in the email and clicked on the Phishing tab in their training dashboard to see the list of phishing training emails they have been sent. Those who have been diligently reporting emails to Google were met with a list of emails with grayed out subject lines labeled “ignored”.
The training platform is completely independent of Google and has no way of knowing you reported an email. You still receive your rewards for reporting because I download all the reports from Google and then manually upload the associated reward. As a result, the training platform just thinks you have ignored the email.
To see which emails you have been rewarded for reporting, click the Incidents & Rewards tab instead. Selecting a “Reporting a Phish (Simulated)” reward will give you the subject of the email that you were rewarded for reporting. Because I manually upload the rewards, there is a two-week delay between your report and the awarding of rewards. If you haven’t received a reward three weeks after you reported, please send an email to me at securityawareness@mtroyal.ca and I will update your dashboard.
We appreciate your patience as we implement this new training platform. As with all new initiatives, there will be hiccups and this was one of them. The confusing email has since been edited to provide more clarity. I hope that things will be more clear going forward. Please feel free to reach out with suggestions, comments or concerns through our feedback form should anything else need to be addressed.
Report and be rewarded
07/17/2025

In March, we launched the new training platform from CIRA. This has allowed us to move our focus from training completion to maintaining a risk score of 650 or less. While you can reduce your risk score by choosing additional training from the course gallery, it can also be lowered by reporting phishing training emails.
Currently, we don’t use the phishing reporting tool that comes with the training platform. We report to Google instead by opening the email and clicking on the three dots in the upper right hand corner and choosing Report phishing from the drop-down menu. However, sometimes that option isn’t available to you. When that occurs, you can forward the email to reportphish@mtroyal.ca.
As we don’t use the platform reporting button, we have to download reports from Google and upload them manually into the training platform. This ensures you are rewarded for your reports. However, there may be a delay between the time that you report the email and when you receive your reward. In addition, we are only able to reward phishing training email reports at this time as the process is rather laborious. To see if you have been rewarded, select the Incidents & Rewards tab on your training dashboard and click the reward type. It will display the details of the reward including the subject line of the reported email.
Please note that if you forward a phishing training email to any other email address (cybersecurity@mtroyal.ca, securityawareness@mtroyal.ca etc.), the system will read that report as a link click. If that happens, email securityawareness@mtroyal.ca and let me know. I can’t remove the click status from the Phishing tab, but I can remove the incident, unassign the phishing survey and reward you for reporting. This will undo any damage to your risk score.
The campus is doing an incredible job of reporting malicious emails. So much so that we have more phishing reports than we can respond to. Your report is still triaged and adds to our defenses; however, we can no longer get back to you if the email is legitimate. Please rely on your training to determine what is malicious. If you are uncertain, report the email. All emails reported to Google can be found in your Spam folder and retrieved at any time.
We thank you for all your reporting efforts. With each report, you add to our defenses and reduce the number of phishing emails that arrive in your inbox. What you do matters. Keep up the great work!
Want to save time logging in? Use a password manager.

02/19/2025
How long does it take to enter your username and password? Ten seconds, 30 seconds or a whole minute? It depends on how long your password is. I timed how long it takes to enter mine: it’s 13 seconds. If I multiply that by the number of times I log in to an account in a day, about 24, I am losing 5 minutes a day to logging in. If you take that and multiply it by the average number of working days in a year, 252, that is 21 hours a year that are wasted. I can think of a lot of other things I would like to do with that 21 hours instead of logging in. How about you?
I have good news. There is a way to save time and get some of those hours back. Use a password manager. A password manager is a handy piece of software that is known for storing passwords. However, it has a couple of other killer features that some people don’t know about. It will log you in in less than two clicks and it will generate unbreakable passwords for you.
Most password managers also have other features such as storing credit card numbers or other bits of sensitive information that you need to access often. However, why would you want to take the risk of having the password manager hacked? After all, everything is getting hacked these days, why would a password manager be any more secure? Do you really want to have your most sensitive information and the keys to every account you use sitting in the cloud?
Of course not. That is why under normal circumstances, I would never under any conditions suggest storing this information online. However, password managers are very different. First of all, reputable password managers have no mechanism for resetting your password manager password. If you forget it or lose it, there is no way to get back into your account. This keeps thieves from impersonating you and gaining access. Also, the data stored in the password manager is encrypted, so if it is stolen it is unreadable without the password manager password. Lastly, companies who create password managers are insanely obsessed with cybersecurity. It is literally their entire business. This makes the risks minimal.
What is a much greater risk is getting hacked from reusing passwords. Every day millions of people have their accounts accessed by threat actors using credentials that were stolen from another account provider. Password managers practically eliminate this type of attack. They generate long, complex and unique passwords for every account, store them for you and then log you in so you don’t have to remember them. Not only do they save you time, they also save your data.
Why not get started with a password manager today? It will save you time and peace of mind. Check out Bitwarden. It is free to download, easy to use and full of features. If you aren’t sure how to start, contact the IT Security Training analyst at securityawareness@mtroyal.ca. They will be happy to help.
You clicked and now your device/computer is acting weird. What not to do. 11/25/2024

We have all done it. We are in a hurry, using our phone to check emails or just not paying attention, and we click on a link in an email or on a website. As soon as we finish clicking, we think, “I shouldn’t have done that.” At first it seems as if everything is fine and we have dodged a bullet. Then we start to notice our machine doing odd things. It’s running really slow, we see our mouse move on its own or a webpage we never intended to visit shows up in our browser.
Your heart sinks as you realize you didn’t dodge the bullet at all; it has hit you right in the gut. Your instinct is to limit the damage by running a malware check, downloading new anti-malware software, looking for new files to delete, disconnecting from the network or just shutting down your device altogether. Unfortunately, any one of those actions can make the situation worse.
Many malware strains are designed to disable anti-malware on a device or computer. So running a scan or downloading new software can be futile and it makes more work for our technicians. If you disconnect from the network, we lose any connection that the attacker has, making it difficult to track them and determine how much damage was caused. The same thing happens if you start deleting strange files. If those files have been downloaded by the attacker, they will give us valuable information about what kind of damage has been done. Shutting down your device or computer not only cuts the connection to the attacker but may also result in additional malware being installed when it is restarted.
As tempting as it may be to try and fix things, when on campus, the best course of action is to leave your device or computer as is and contact the IT Service Desk by calling 403-440-6000. If you are dealing with a computer at home, disable wifi altogether before you return to campus with it and contact the IT Service Desk. This will prevent the infected machine from compromising our network.
These best practices only apply to Mount Royal issued devices or computers that have been approved to connect to our network. If it is your personal machine that is acting up, you can try running a malware scan. If nothing is detected, leave the computer on (if possible) and take it to your local repair shop.
“When Emotions Run High” videos premiere this week
Cybersecurity Awareness Month is in the rearview mirror, but we’re just getting started! Say hello to our new video series, “When Emotions Run High”, coming your way Thursday!
These aren’t your average cybersecurity lectures. These bite-sized episodes dive into the “Oh no, what now?” moments we’ve all faced at work. Receive a stressful email or awkward request? No worries, these videos show you how to keep your cool and tackle tough cybersecurity situations like a pro.
Here’s the cherry on top: watch any “When Emotions Run High” video, and you’ll score a free entry into our Random Acts of Cybersecurity giveaway. Every month there is a new video, a new draw and a new chance to win.
Don’t snooze though, each video is up for just 30 days. Are you ready for a sneak peek? Watch the teaser trailer now and don’t miss the fun!
New phishing email threats impersonate Meta – 11/19/2024

A new phishing email threat is showing up in inboxes across the country. Attackers are impersonating Meta, sending out emails that claim you have violated their ad policies. To prevent your account from being permanently banned, you are given 24 hours to click a link to request a review. If you click the link, your data, Facebook and/or Instagram password and authentication codes are stolen.
As ominous as this sounds, it is easy to identify these fraudulent emails as they are being sent out using a generic Gmail address. To protect yourself from this attack:
- Check the sender’s email address.
- Enable multi-factor authentication on your Facebook/Instagram account.
- If you receive a notification that appears to come from Meta, log in to your Facebook/Instagram account to confirm the communication actually came from them.
Introducing the new and improved Cybersecurity Hub! 09/10/2024

For years now, the Cybersecurity Hub has been the go-to website for everything cybersecurity at Mount Royal University. It started out with a few simple links to training, the newsletter, events and general cybersecurity information. However, over time new policies were implemented and new initiatives were born. With each one, the Hub gained new links until it became impossible to navigate.
The home page contained tons of valuable information; however, it was so confusing to sort through that it was challenging to find what you were looking for. It became apparent that we needed to simplify things. Last year, we began that process.
Working with University Marketing and Communications, we were able to identify the key areas of interest and break them down into 6 topics. Outdated information was updated or removed, information that could be found elsewhere was deleted and what was left was consolidated. I am pleased to announce that the new Cybersecurity Hub was launched on September 5.
Not only is the new site easier to navigate but we have added a new section for alerts and announcements. This information is front and center and is updated in real time as new threats are identified. You no longer have to wait for the newsletter to come out on Wednesday to find out about the latest phishing emails hitting inboxes.
Please go and take a look at the new site. Poke around and see what you can find. You might discover some new information that was there all along but too buried to see.
Cybersecurity awareness training for current employees goes live August 15 – 08/12/2024

It’s that time of the year again … faculty returns to campus eager to meet a new group of bright eyed students and the new cybersecurity awareness training for current employees goes live. Yes, I am sure you have all been waiting with bated breath for the new training and just can’t wait to get started.
The good news is this year’s pre-test only has 22 questions. The bad news is for some topics there are only three questions, so if you only get one wrong you will be assigned training. We are less than pleased with this solution and are looking at new ways to deliver the training in the future. Your patience with this process is appreciated.
On a more positive note, there will be new monthly videos. Sadly (or fortunately depending on your tastes) we have worked our way through the entire Cyber Guys series. Starting in October, a new video series, “When Emotions Run High”, will be launched. The two-minute videos focus on how to take the stress out of being cybersafe with simple, straightforward tips. It was chosen by our focus group, which included members from across the campus. After watching the videos they felt empowered and more confident in their ability to spot and stop cyber attacks. We hope they will leave you feeling the same way.
To encourage and reward those that take time out of their busy day to watch the videos, everyone who views them will be entered in the monthly Random Acts of Cybersecurity draw. The winner of the draw gets to spin the prize wheel. Every spin is a win.
Supervisors are also winners this training year as we are updating our training platform enrollment process to ensure we have accurate and up to date information on employees and who they report to. When training status reports go out in March, supervisors won’t have to waste time letting me know who is missing from their team and who has left.
We hope that these updates to the cybersecurity awareness program will help you become more confident and empower you to stay cybersafe. If you have feedback on the program, suggestions on how to make it better or would like to participate in future focus groups, please fill out our feedback form.