Protecting information at MIT

January 23, 2023
Mark V. Silis, Vice President for Information Systems and Technology |

Dear MIT faculty and staff,

Given increased cybersecurity threats and regulatory and compliance obligations, it’s important that each one of us understands our role in safeguarding information at MIT. The first step is understanding risk. You can take a quick quiz on the Information Protection website to find out the risk level for the information you handle at MIT, and see recommended actions to properly safeguard that information. We have also highlighted a few key resources below.

Protecting information

MIT may have time-sensitive legal and regulatory obligations if certain Institute information is compromised. Examples include the loss of a laptop or paper files; malware; or notification from a vendor of a security incident affecting MIT information. Please assist MIT in fulfilling its obligations by reporting an incident as soon as you become aware of it.

Information Systems & Technology (IS&T) recommends that you take the following basic actions to protect the information you handle and to keep MIT safer:

  • Enable automatic updates for your operating systems and software to protect against the latest security threats.
  • Install Sophos Anti-Virus and CrowdStrike Falcon. Sophos protects your computer against known viruses, worms, and malware. CrowdStrike provides advanced protection against emerging threats, using machine learning to detect patterns commonly seen in attacks.
  • Use a password manager to generate and protect strong, unique passwords. The Institute currently licenses LastPass, which has been in the news recently. We will continue to evaluate options to determine which product or products best serve the Institute’s needs.
  • Back up your computers using Code42 (previously called CrashPlan). This cloud-based backup solution makes it easy to recover information from computers that have been lost, stolen, or damaged by malware.
  • If you handle personally identifiable information, install Spirion (formerly Identity Finder) to help you detect and securely delete or encrypt files containing sensitive information.
  • Follow these best practices while engaging in remote working, teaching, and learning to help reduce the chance of the information and data you handle at MIT being compromised.
  • Use multi-factor authentication (MFA) when accessing critical systems, including email. (Touchstone with Duo is the primary example of MFA use at MIT.) Work with IT staff in your department, lab, or center (DLC) and IS&T to ensure MFA is enabled for:
    • Remote access to workstations and servers on the MIT network
    • DLC email systems (MIT Kerberos email accounts migrated to O365 have MFA enabled)
    • Cloud and Software as a Service (SaaS) platforms handling Medium or High Risk information.

Phishing and other scams

Phishing emails and other scams (phone calls, texts, etc.) continue to be an effective way for scammers to steal money, compromise credentials, and/or install malware. Most ransomware is spread through phishing email. Many of these emails are targeted to a specific department or lab and may appear to come from someone you know or do business with.

These scams often involve fake login pages to steal your password and may even replicate Touchstone to steal your Duo passcode. Do not accept any Duo requests that you did not initiate. A Duo request is only sent if someone has your password and has entered it in a Touchstone enabled MIT service. If you receive a Duo push or phone call that you don’t recognize, or suspect a scammer is asking for your passcode, change your password immediately and notify the IS&T Information Security team at security@mit.edu.

Please continue to report suspicious emails to the IS&T Information Security team. If your mailbox is in Office 365, there is a new “Phish Alert” button to make the process easier. If your mailbox is not in Office 365, please forward the email as an attachment to phishing@mit.edu.

Learn more

In addition to the Awareness I: IT Security and Awareness II: IT Security courses in the Atlas Learning Center, there are two new knowledge resources available to the community.

A new interactive training module in Atlas, Information Protection at MIT (15 minutes), helps you understand your role in safeguarding information at MIT and summarizes technical solutions and good data hygiene practices to identify and protect information.

MIT has licensed KnowBe4, a security awareness and training platform for the Institute. Visit the KnowBe4 training portal, login using your @mit.edu address, and click on the Library tab to access the Security Awareness Foundations (25 minutes) and Phishing Foundations (15 minutes) courses.

Jessica Murray, who directs IS&T’s security programs, is available to answer specific questions or to recommend training.

Sincerely,

Mark V. Silis
Vice President for Information Systems and Technology

Massachusetts Institute of Technology 
77 Massachusetts Ave
Cambridge, MA 02139

This website is maintained by the Institute Office of Communications. Please contact us at communications@mit.edu.