As the landscape of cyber threats continues to evolve, including ever-increasing risks from ransomware and cyber fraud, all members of the MIT community are urged to stay vigilant and adhere to established digital security best practices.
Think about the types of information that you handle in your role at MIT. Do you use or store any information that could be considered sensitive in certain circumstances? What would happen if that information was modified without your knowledge, disclosed to the wrong people, or destroyed with no method of recovery?
Your Computer is a Resource
Even computers that don’t appear to have any valuable information can be attractive targets. Compromised computers and other devices can be used as a foothold allowing attackers to spread through the network. Networked devices in MIT’s public IP space are constantly under attack from devices across the globe. Most remote attacks are undetectable to the end user and once access to a device on the network is obtained, sophisticated attackers use techniques to maintain persistence. This allows them to return over time to siphon off information, collect credentials, discover other vulnerable devices on the MIT network, and launch attacks on other networks.
Protecting Information
A few of the key actions you should take to protect MIT information and systems are highlighted below. This list is not exhaustive — please work with your department’s IT staff or IS&T to implement all recommended protections based on the data risk level you handle. You can find the full list of recommendations in the Securing Information section of this site.
- Use multi-factor authentication (e.g., Touchstone with Duo) when accessing MIT email systems.
- Use an Institute-owned and managed device for your MIT work.
- Enable automatic updates for your operating systems and software to protect against the latest security threats.
- Install CrowdStrike Falcon and Sophos Anti-Virus to protect your computer against threats, viruses, and malware.
- Use a password manager such as LastPass to generate and protect strong, unique passwords.
- Back up your computers using Code42; this step can later assist with recovering information from computers that have been lost, stolen, or compromised by malware.
- Review user roles and permissions to any applications used within your area at least annually, and promptly remove or change incorrect privileges.
- If you are using an AI platform with Medium Risk data, ensure it is licensed by MIT. When using any AI platform, do not disclose personal data or MIT-privileged information. Read more AI guidance here.
The Importance of Prompt Reporting
Depending on the type of information exposed, MIT may be required to notify both the affected individuals and parties such as the Massachusetts Attorney General. For some types of information, the Institute may face financial penalties. MIT community members who have mishandled export-controlled information could even face criminal penalties.
Assist MIT in fulfilling its legal and regulatory obligations by reporting an incident as soon as you become aware of it. The sooner the IS&T Information Security team is aware of an incident, the more likely it is that any damage from the incident can be contained.
Phishing and Other Scams
- Phishing emails continue to be an effective way for scammers to steal money, compromise credentials, and/or install malware/ransomware. These emails may appear to come from someone you know. If you receive an email from a colleague or friend, but something doesn’t seem right, reach out to that person directly via another method, such as by phone or Slack, to be sure it is not a scam.
- Be suspicious of emails or texts asking you to click a link or use a QR code to keep your account open or retrieve quarantined emails. If you want to visit that account, type the address directly in your browser.
- Scams often involve fake login pages and may even replicate Touchstone. Do not accept any Duo requests that you did not initiate. If you receive a Duo push or call that you did not initiate, change your password immediately and notify the IS&T Information Security team.
- Phishing emails often include fake M365 login pages to steal your username and password, and may even include a captcha, which adds apparent legitimacy and helps the scammers get past spam filtering.
- Scammers may impersonate Dell, Microsoft, Geek Squad, or even IS&T and urge you to call tech support or install software. Contact the IS&T Service Desk directly if you are ever asked to contact tech support.
- Report suspicious emails to the IS&T Information Security team. If your mailbox is in Office 365, there is a “PhishAlert” button to make the process easier. If your mailbox is not in Office 365, please forward the email as an attachment to phishing@mit.edu.
Research Security Compliance
- If applicable to your role, follow additional requirements to protect MIT research data and meet compliance obligations, especially when handling data or systems related to human subject research, controlled unclassified information (CUI), healthcare, social sciences, federal government funding, and other sensitive matters. Check with your department to ensure you are adhering to its unique requirements and regulations, and contact researchcybersecurity@mit.edu for questions related to research data security compliance. More information is also available on the VPR website.
Training Resources
- Add yourself to the Moira list “phishing-simulations” to receive simulated phishing emails. You will receive immediate feedback if you report the phishing simulation via the Phish Alert Button or if you interact with the phishing message.
- Take the Information Protection at MIT, Awareness I: IT Security, and Awareness II: IT Security courses in the Atlas Learning Center.
- Visit the KnowBe4 training portal, enter your MIT email address, and click on the Library tab for courses on security and phishing awareness.
Thank you for doing your part to help protect information at MIT.