Discussion Topics
Navigation
- Security Tips - Multi-factor Authentication
- Phishing Emails
- Social Engineering
- Applications & 3rd Party Systems
- Data Privacy Webpage
- Data Breach Notice
- Data Privacy Curriculum
- Disaster and Recovery
- Cybersecurity and Privacy Training
Security Tips - Multi-factor Authentication
What is it?
Multi-factor Authentication (MFA) is a process for verifying your identity when logging in to a device or account. Most logins use single-factor authentication: a single password. Today a password alone often isn't enough to keep unauthorized users out, because passwords get guessed, reused, and phished. MFA makes login more secure by requiring more than one of what are called "Identity Claim Factors".
There are three types of Identity Claim Factors:
- Something You Have (the page's original term is "Something You Own"): This factor is a device in your possession, such as a small hardware code generator, an authenticator app on your phone, a text message to your mobile device, or a call to your mobile or work phone. A one-time code is generated on or delivered to that device and entered as part of your login. Some authenticator apps use number matching instead: the login screen shows a number, and the app asks you to enter or select that same number, so an approval cannot be granted for a login you did not start. Codes sent by text message or phone call can be intercepted or redirected more easily than codes generated in an app, so prefer the app or hardware option where your organization offers it.
- Something You Know: This is something you've memorized or stored securely, such as a password or PIN code. You must supply the correct value to log in to the device or service.
- Something You Are: This factor is something about your physical body that can't easily be altered, such as a fingerprint or the pattern of your iris or retina. Biometric scanners or readers use it to physically confirm you are who you claim to be.
Why do I need it?
In our digitally driven world, passwords alone are no longer enough to keep information safe. It takes little effort for an attacker to break into, or social engineer their way into, an account that relies on a single factor. Requiring an additional step, such as a code from your phone, means an attacker who has your password still needs your phone to get in. Treat that code like a password: never read it out to a caller or type it into a page you did not expect, and if you get an MFA prompt for a login you did not start, deny it and report it.
You can add a layer of security and make your data safer by turning on two-factor or multi-factor authentication. Consult your IT Help Desk to find out whether there is a preferred MFA method for your organization.
Phishing Emails
Have you noticed any phishing emails to share with others?
When threat actors run a phishing campaign, they often target users across an entire organization or a specific department, so an email you receive from one of these campaigns has likely gone to your co-workers as well.
If you receive an email from a supervisor or board member that doesn't sound quite right, check who the sender actually was. Even if the display name is correct, the email address behind it may not match what you have in your contacts list. Look at the address itself, not just the name, and be wary of a Reply-To that points somewhere else.
If you receive an email like this, be sure to report it! Your organization may have a report button you can reach by right-clicking the email, or an address you can forward it to. Warn your department to be on the lookout for the same phishing email too.
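The sender check described above, turned into code as an added example (not the District's tooling and not part of the original page): parse the message headers, compare the display name against a contact list, and flag a name that belongs to someone you know but an address that isn't the one on file, or a Reply-To that would send your answer to a different domain. The contact list and the three sample messages are constructed for the example; the names, addresses and domains are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed contact list for the example: display names as co-workers know
# them, mapped to the one address on file. Names and addresses are hypothetical.
KNOWN_CONTACTS = {
    "jane doe": "jdoe@example.org",
    "sam lee": "slee@example.org",
}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(raw_message: str) -> list:
    """Return the reasons a message's sender looks suspicious (an empty list
    means nothing was found). Mirrors the manual check: is the display name
    someone we know, and does the address actually match the contact list?"""
    msg = message_from_string(raw_message)
    name, address = parseaddr(msg.get("From", ""))
    reasons = []

    on_file = KNOWN_CONTACTS.get(name.strip().lower())
    if on_file and address.lower() != on_file:
        reasons.append(
            f"display name '{name}' is a known contact, but {address} "
            f"is not the address on file ({on_file})"
        )

    # A Reply-To on another domain silently redirects your answer elsewhere.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_address = parseaddr(reply_to)
        if _domain(reply_address) != _domain(address):
            reasons.append(
                f"Reply-To {reply_address} is on a different domain than the sender {address}"
            )
    return reasons


# Constructed sample messages (headers only; the bodies are filler).
LEGITIMATE = """From: Jane Doe <jdoe@example.org>
Subject: Agenda for Thursday

See attached.
"""

LOOKALIKE = """From: Jane Doe <jane.doe.principal@gmail.com>
Subject: Quick favor

Are you at your desk? I need a favor.
"""

REDIRECTED = """From: Sam Lee <slee@example.org>
Reply-To: Sam Lee <s.lee.office@mail-example.net>
Subject: Updated form

Please reply with your details.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("lookalike", LOOKALIKE),
                       ("redirected", REDIRECTED)):
        print(label, "->", check_sender(raw) or "no issues found")
```

The check is deliberately strict: a real colleague writing from a personal address will be flagged too, which is the right outcome, since the page's advice is to verify through a known channel before acting on any message that doesn't match what you have on file.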
What did you notice that made you aware this email was not legitimate?
Whenever you notice a suspicious email in your inbox, make note of what made you feel it wasn't quite right.
If your gut tells you something isn't adding up, follow your organization's guidelines to report the email. If it is malicious, you'll be able to breathe a little easier knowing the issue will be handled.
How should these emails be reported?
This depends on your organization. At ECISD, any suspicious email can be reported by forwarding it to the District's phishing inbox, or by clicking the report icon on the message itself. Next to the reply button you will find a small icon that looks like an envelope with a warning sign on it.
Clicking that icon reports the email through Office 365, which submits it to Microsoft for review.
Should general SPAM be reported as Phishing?
General spam messages should not be reported to the phishing inbox. Flooding that inbox with spam makes it harder for the team handling it to review the real reports.
Spam is better handled by right-clicking the message and moving it to your Junk folder. Doing this a few times trains the junk filter, and similar messages will start going directly to your Junk folder on their own.
Social Engineering
Have you received phone calls using social engineering techniques to try and get you to give out information to someone you don’t know?
Whenever a malicious caller reaches you, their aim is to convince you to hand something over: information, money, or access.
They often do this by threatening legal action or arrest, claiming to be from a police department, a federal agency, a work supervisor, or Human Resources at your workplace.
Their goal is to create fear and panic so that you comply with whatever they demand. So stop and take a breath. Think it through, and if it sounds like you're in too much trouble to get out of, hang up. Take a moment to calm down, then call a number you already know for that organization to verify whether there is a problem. Do not call back the number that contacted you, and do not trust the caller ID display, since it can be faked.
Another common tactic is a call impersonating your bank, claiming they need your account information to keep the account from being frozen or closed. If you receive such a call, hang up and call your bank directly using the number on your card or statement. NEVER give out account information or one-time codes over the phone, especially when you weren't the one who placed the call.
If you're ever in doubt about the validity of a call, hang-up, then call the company that was trying to get in contact with you yourself to confirm if there is an issue.
Applications & 3rd Party Systems
- Have you used a new app, program, or website lately? Did you make sure you knew what data is being collected/transmitted and if it is being protected? How did you verify this?
- Why is it important to vet our applications for security, privacy, or content concerns?
- Thinking about a new app? Discuss the vetting process and submit it for review.
Data Privacy Webpage
- What data do you collect on students? Review the Data Fact Sheet.
- Review resources on Data Privacy here