IT Services

What do we do?

IT Security, as part of the IT Services portfolio, is OC's center of expertise for cybersecurity advising and activities including assessment, auditing, monitoring, investigation, technology selection, awareness training, and incident response.

Our goal is to protect the institution's staff, students, infrastructure and sensitive data from unauthorized access and threat actors while supporting the key security principles of Confidentiality, Integrity, and Availability.

We are here to help! If you have questions or concerns, want to report a suspicious email, cyber-threat incident or activity, or have possibly clicked a bad link or responded to something questionable, simply email ITSecurity@okanagan.bc.ca and we'll be happy to assist.

Why is Cybersecurity important?

With an increasing number of users, devices and software programs in a modern enterprise such as OC, combined with the increased deluge of data - much of which is sensitive or confidential - the importance of cybersecurity continues to grow. The growing volume and sophistication of cyber attackers and attack techniques compound the problem even further.

Incident response

Please report the incident to IT Security immediately or contact the IT Helpdesk by phone (250-762-5445 ext. 4444). Do not delete the email or forward it to anyone else. The security team will contact you as soon as possible.

Contact IT Security

If you receive a suspicious email, please forward it to IT Security. Reporting these emails helps us identify potential threats and protect the entire OC community from phishing attempts and malware.

Please report the incident to IT Security. You can also contact the IT Helpdesk for assistance at 250-762-5445 ext. 4444.

Types of Cyber Attacks

Cyber attacks come in all shapes and sizes. Some may be overt ransomware attacks (hijacking important business products or tools in exchange for money to release them), while some are covert operations by which criminals infiltrate a system to gain valuable data only to be discovered months after the fact, if at all. Threat actors/hackers are getting craftier with their malicious deeds. Here are some of the basic types of cyber attacks affecting thousands of people each day.

Malware is a term used to describe malicious software, including spyware, ransomware and viruses. It usually breaches networks through a vulnerability, like clicking on suspicious email links or installing a risky application. Once inside a network, malware can obtain sensitive information, spread more harmful software throughout the system and even block access to vital business network components (ransomware).

Phishing is the practice of sending malicious communications, usually emails, designed to appear to come from reputable, well-known sources. These emails use the same names, logos and wording as a CEO or company to dull suspicions and get victims to click on harmful links. Once a phishing link is clicked, cyber criminals have access to sensitive data like credit cards, social security or login information.

Social engineering is the process of psychologically manipulating people into divulging personal information. Phishing is a form of social engineering, where criminals take advantage of people's natural curiosity or trust. An example of more advanced social engineering is with voice manipulation. In this case, cyber criminals take an individual's voice (from sources like a voicemail or social media post) and manipulate it to call friends or relatives and ask for a credit card number or other personal information.

Adversary-in-the-Middle attacks happen when criminals intercept the traffic between the two parties of a transaction. As an example, criminals can insert themselves between a public Wi-Fi network and an individual's device. Without a protected Wi-Fi connection, cyber criminals can sometimes view all of a victim's information without ever being caught.

Preventative measures

Cybersecurity is a shared responsibility and everyone at OC plays a crucial role in protecting our digital assets. Here are some preventative measures that students, faculty, and staff can take to enhance our cybersecurity posture:

Remember, cybersecurity is not just about technology; it's also about awareness and behavior. Stay informed about the latest threats and follow these preventative measures to protect yourself and our institution.

Creating strong passwords

OC recommends creating strong passwords, as they are the first line of defense against unauthorized access. Here are some tips for creating strong passwords:

  • Length: make your password long. The longer your password, the harder it is to crack. Consider making your password at least 12 characters long.
  • Complexity: include numbers, symbols, uppercase letters, and lowercase letters in your password. This variety helps protect your password from being guessed by others.
  • Unpredictability: don't use obvious personal information in your password, such as your name, your pet's name, or your birthdate. These can be easily guessed by someone who knows you or has access to your personal information.
  • Variety: don't use the same password for multiple accounts. If one account is compromised, it could put all your other accounts at risk.
  • Password managers: consider using a password manager. These tools can generate strong passwords for you, remember them for you, and fill them in on websites so you don't have to.

Remember, a strong password is your first line of defense against cyber threats. It's worth taking the time and effort to create a strong password for each of your important accounts.

Securing personal devices

Ensure that your personal devices like laptops, smartphones, and tablets are secure. Here's how:

  • Updates: keep your operating system and applications updated to protect against known vulnerabilities.
  • Antivirus software: use antivirus software and enable automatic updates.
  • Lock your devices: lock your devices when not in use.
  • Password protection: use strong, unique passwords for your devices and accounts. Consider using a password manager to keep track of your passwords.
  • Apps & downloads: only install apps and download files from trusted sources to avoid malicious software.

Recognizing phishing emails

Phishing is a type of online scam where criminals send an email that appears to be from a legitimate company and ask you to provide sensitive information. This is usually done by including a link that will appear to take you to the company's website to fill in your information – but the website is a clever fake and the information you provide goes straight to the crooks behind the scam. Phishing emails are a common method used by cybercriminals to steal sensitive information. Here are ways to recognize phishing emails and how to protect yourself.

Recognizing phishing emails:

  • Unsolicited emails: be wary of unsolicited emails, especially those asking for personal information or urging immediate action.
  • Poor grammar and misspellings: look for signs of phishing such as poor grammar, misspellings, and unofficial email addresses.
  • Check the sender's email address: make sure the email is from a legitimate source.
  • Urgent action required: phishing emails often try to create a sense of urgency or demand immediate action. The goal is to get you to click on a link and provide personal information — Right Now!
  • Generic greetings: phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like "Hi Student" or "Hi Professor" so they don't have to type out names. Be skeptical of such emails.
  • Fake links: always check where a link is going before you click on it. You can hover over a link with your mouse to see the actual URL.
  • Emails that ask for personal information: legitimate companies will never ask for personal credentials via email.

Protecting yourself:

  • Don't click on links in an email unless you are sure of the sender.
  • Update your computer's anti-virus software regularly.
  • Never give out personal information over email.
  • Contact the company directly if you are unsure.

Utilizing Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is a security measure that requires multiple types of credentials for user authentication. It significantly enhances the security of your accounts by requiring at least two forms of identification: 

  • Something You Know: this could be a password, a PIN, or answers to secret questions.
  • Something You Have: this could be a physical device like a phone or a hardware token.
  • Something You Are: this includes biometrics like fingerprints, facial recognition, or iris scans.

Here's how you can use MFA: 

  • Enable MFA: most online services offer MFA. Check the security settings of your accounts and enable MFA where available.
  • Use authenticator apps: authenticator apps generate time-based one-time passwords (TOTP) for MFA. They are more secure than SMS-based codes.
  • Backup codes: when you enable MFA, you'll often get backup codes. Save these in a secure place. They'll help you access your account if you lose your second factor.

Remember, no security measure is perfect, but using MFA makes it significantly harder for cybercriminals to access your accounts. It's one of the most effective ways to protect against unauthorized access and safeguard your data and OC's digital assets.

Using secure networks

Always connect to secure networks when accessing OC's resources. Here's what you can do:

  • Avoid public Wi-Fi: avoid using public Wi-Fi for activities that require sensitive information.
  • eduroam: OC is part of eduroam. Use it! It's a secure, worldwide roaming access service for the research and education community.
  • VPN: consider using a virtual private network (VPN) for an added layer of security.
  • HTTPS: when browsing, look for the padlock symbol in your browser and "https://" in the URL. This indicates that your connection to the website is encrypted.

Working remotely

In the era of digital connectivity, working remotely has become a common practice. However, it's crucial to ensure the security of your home network. Here are some steps you can take:

  • Change default passwords: your router comes with a default password set by the manufacturer. Changing this to a strong, unique password adds an extra layer of security to your home network.
  • Enable WPA3 encryption: Wi-Fi Protected Access 3 (WPA3) is the latest and most secure encryption standard for wireless networks. Enabling this on your home network ensures that your data is encrypted and less vulnerable to hackers.
  • Physical security: while digital security is important, don't overlook physical security. Keep your devices in a secure location to protect them from theft or unauthorized access.

Working on campus

When you're on campus, it's equally important to be vigilant about protecting sensitive information. Here's what you can do:

  • Lock your workstation: it's easy to step away from your desk for a moment, but remember to lock your workstation. This simple action can prevent unauthorized access to your computer.
  • Be cautious about shoulder surfing: "shoulder surfing" refers to someone looking over your shoulder to see what's on your screen. Be aware of your surroundings and dispose of sensitive information properly.

Traveling

Traveling can pose additional risks to the security of your devices and data. Here are some precautions you can take:

  • Avoid public charging stations: public charging stations can be compromised with "juice jacking", where malware is installed on your device or data is stolen through the USB port. Use your own charger whenever possible.
  • Use a VPN: a Virtual Private Network (VPN) encrypts your internet connection, making it safer to use public Wi-Fi networks.
  • Keep your devices with you: never leave your devices unattended in public places. Keeping them with you at all times reduces the risk of theft or tampering.

IT Policies and Standards

IT Security news

IT Security is alerting the OC community to be aware of a phishing scam recently targeting OC email accounts with fake QR codes.

FAQs

Please report the incident to IT Security. You can also contact the IT Helpdesk for assistance at 250-762-5445 ext. 4444.

The IT Security team will review your account and take additional steps as necessary.

MFA is a technology designed to enhance the security of the identity validation process.

Your identity information is your username, which is validated by your password (first factor of authentication). OC will be requiring an additional factor by way of an application on your mobile device or a hardware token. Please refer to our for more details.

  • Consider making it at least twelve characters; the longer the password, the stronger it will be.
  • Use a combination of letters, numbers, and symbols.
  • Avoid commonly known words and phrases.
  • Don't use personal words like children's and pet's names, phone numbers, or any details that might be easily found online, such as on your social media profiles.
  • Never reveal or share your passwords with others.
  • Consider using a password manager like , , or .

Please refer to OC’s Knowledge Base article on .

Cybersecurity refers to the practice of protecting systems, networks, and data from theft, damage, and unauthorized access. In essence, it does the same thing that security at the entrance of a building does: controlling and protecting those who enter or access the premises.

Cybersecurity is essential for protecting your personal information, sensitive data, and online privacy. With increasing threats like hacking and phishing, a strong cybersecurity posture helps safeguard against identity theft and unauthorized access. By understanding and prioritizing cybersecurity, you can contribute to a safer digital environment for yourself and the entire OC community.

  • Phishing: Fraudulent attempts to obtain sensitive information, for example by impersonating a bank and sending an email, asking you to reset your online banking password.
  • Malware: Software designed to disrupt, damage, or gain unauthorized access.
  • Adversary-in-the-Middle Attacks: Unauthorized interception of communication between two parties.

  • Strong Passwords: Use complex passwords and change them regularly.
  • Multi-Factor Authentication (MFA): Enable MFA for accounts when available.
  • Beware of Phishing: Always verify email senders and never click on suspicious links.
  • Keep Software Updated: Regularly update your operating system, applications, and antivirus software.

There are multiple layers of protection in place, such as firewalls that automatically detect and block threats. Data encryption makes confidential data unreadable to unauthorized users. The IT Security team continuously monitors networks and systems for threats and employs measures to safeguard accounts against unauthorized access.

Keep an eye on OC's IT Security website.

For staff, our is a great tool which gets updated regularly.

Some other great resources:

  • by the Canadian Government

Training Resources

OC Staff Cybersecurity Awareness Training

All staff should complete OC's Cybersecurity Awareness Training.