Questions About the Training Programme

Q: How can one be sure that course invitations from the course company are legitimate?
A: When we are teaching ourselves to be suspicious of every email that reaches our inboxes, it is not surprising that we are also dubious of messages asking us to follow a link to an online course. What is more, these course invitations have some elements that might make one downright suspicious:

  • They carry the heading "Stockholm University Security Awareness Training" even when the rest of the text is in Swedish
  • They purport to be connected to the university and yet come from an external address

You can nevertheless be assured that it is safe both to read the email and to follow its links once you have established that it comes from the company Nimblr. The messages are sent from the address "training@nimblr.net" and all course links begin with "https://nimblr.net/". Check the actual sender address rather than the display name, and the actual link target (shown when you hover over the link) rather than the link text, since both can be made to look right while pointing elsewhere. The company logo is also included in these invitations:

(Image: Nimblr logo)

Even though a logo can be copied and misused by malicious parties, taken together with the other identifying factors it is an indication that the email should not be dismissed out of hand as a scam. If, in spite of everything, you are still in doubt, you can ask the Helpdesk to confirm that the course invitation is genuine.
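As an added illustration (example code written for this FAQ, not Nimblr's or the university's own tooling), the following Python script applies the two checks above to a message: it compares the real sender address, not the display name, with training@nimblr.net, and parses every link in an HTML body to confirm that the scheme is https and the host is exactly nimblr.net, also flagging links whose visible text names a different host than the real target. Both sample messages are constructed for the example and the course paths in them are made up. The script uses only Python's standard email, html.parser and urllib modules, and it does not verify SPF, DKIM or DMARC; a forged From header is for the mail gateway to catch, so this is a reading aid, not proof of authenticity.

```python
"""Checks on a course invitation following the FAQ's rule: sender is
training@nimblr.net and every course link starts with https://nimblr.net/.
Added example for this page; not Nimblr's or the university's own tooling.
Caveat: a From header can be forged; sender authenticity is the mail
gateway's job (SPF/DKIM/DMARC). This only checks what a careful reader sees."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_SENDER = "training@nimblr.net"   # from the FAQ
EXPECTED_HOST = "nimblr.net"              # host of "https://nimblr.net/"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def link_is_genuine(href):
    """True only for https and the exact host nimblr.net: rejects plain http and
    lookalikes such as nimblr-net.com or nimblr.net.example.com."""
    return urlsplit(href).scheme == "https" and host_of(href) == EXPECTED_HOST


def check_invitation(raw_message):
    """Return a list of findings; an empty list means the message matches the
    FAQ's description of a genuine invitation."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. The address itself, not the display name, must be the expected one.
    display_name, sender = parseaddr(msg.get("From", ""))
    if sender.lower() != EXPECTED_SENDER:
        findings.append(f"sender is {sender!r} (shown as {display_name!r}), "
                        f"expected {EXPECTED_SENDER!r}")

    # 2. Every link target must be https://nimblr.net/...
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset))
    for href, text in collector.links:
        if not link_is_genuine(href):
            findings.append(f"link target {href!r} is not under https://{EXPECTED_HOST}/")
        # 3. Visible text that looks like a URL must agree with the real target.
        if text.lower().startswith(("http://", "https://")) and host_of(text) != host_of(href):
            findings.append(f"link text shows {host_of(text)!r} but goes to {host_of(href)!r}")
    return findings


# Constructed sample messages (not real invitations); addresses and paths are made up.
GENUINE = """\
From: Nimblr <training@nimblr.net>
To: employee@su.se
Subject: Stockholm University Security Awareness Training
Content-Type: text/html; charset=utf-8

<html><body><p>Start your course:
<a href="https://nimblr.net/course/example">https://nimblr.net/course/example</a></p></body></html>
"""

LOOKALIKE = """\
From: Nimblr <training@nimblr-net.com>
To: employee@su.se
Subject: Stockholm University Security Awareness Training
Content-Type: text/html; charset=utf-8

<html><body><p>Start your course:
<a href="http://nimblr.net.login.example/course">https://nimblr.net/course/example</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(label, check_invitation(raw) or ["no findings"])
```

Comparing the parsed hostname rather than testing whether the string starts with "https://nimblr.net/" is deliberate: it treats upper-case variants of the same URL as equal and still rejects hosts that merely contain "nimblr.net" as a prefix or label.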

Q: What should I do when I suspect a phishing attempt?

A: Report it to IT Services via Serviceportalen. If IT Services receive information about ongoing phishing attempts, we can warn others and block dangerous links in good time. If in any doubt, please do not hesitate to report suspected phishing emails to the IT Helpdesk.

Q: The university already had online courses on this subject matter, so why the change?

A: There was nothing particularly wrong with the content of the older courses, but several practical issues warranted the change, including:

  • Like all other public bodies in Sweden and the EU, the university is required to uphold standards of IT security that include compulsory security training for employees. The older system unfortunately lacked the administrative tools needed to produce adequate statistics on our level of compliance. The new system should better meet our needs and the demands placed on us, and help us measure not only organisational compliance but also our level of achievement.
  • The university is contracting Nimblr to run this training. This relieves us of the effort of keeping our own course material constantly up to date in a fast-changing IT security environment. The company also specialises in 'smart', automated delivery of training material.
  • The previous course was only available in Swedish, whereas many of our international colleagues need to complete the training in English.

Q: I have already completed the previous online course; will this one be of use to me?

A: Yes, it will. Information security and IT security are constantly evolving, and the primary means of attacking systems change constantly with them, so we need to keep up with the current risks. The Nimblr training is also designed as ongoing education, so that a good level of security awareness is maintained over time.

Course Follow-up Questions

On occasion the course text will directly encourage you to ask your IT organisation about the details of how your newly acquired knowledge applies in "your organisation". To avoid an excessive number of individual enquiries, we collect here the questions that arise directly from the course material.

Q: What is Stockholm University policy on WiFi and Bring Your Own Device?

A: Stockholm University does not presently have a university-wide formal policy on WiFi usage or BYOD beyond what is stipulated in the SU IT Regulations. Unlike many companies, we find it practical to allow, for example, guest researchers to use their own portable devices to access our resources, and allowing students to use their own devices is an economic necessity throughout our teaching. This does make us more exposed to the kinds of threat the course discusses, and it requires greater effort from our IT sections to detect those threats and mitigate the risks.

IT Services provide the SU Workstation ("Arbetsplatstjänsten"), which is strongly recommended for all employees and which simplifies administration and security considerably. Whether you or your department make use of this service is a decision for your department heads. Your own department may also have its own policy on BYOD.

Using the University VPN is strongly recommended whenever you access our resources over networks controlled by outside parties, whether via cable or WiFi.

Q: Why do we not use two-factor authentication?

A: Two-factor authentication means that you identify yourself with two different kinds of evidence. For example, after entering your username and password you receive a one-time code via text message or email and must enter that as well, so a password alone is not enough to log in.

Two-factor authentication is among the long-term plans for improving our IT security. It is something of a classic security trade-off: the higher security it offers comes with slightly more inconvenience for the user and greater cost for the system owners. As more and more internet services make use of multi-factor authentication, the public will become used to the concept, and even expect it, which will ultimately make its introduction at the University smoother.

Please note that since we do not currently use two-factor authentication widely, the security of our systems depends all the more on our employees creating and handling their passwords conscientiously!

Q: Does Stockholm University recommend any specific password managers?

A: Although we recommend the use of password managers in general as a means of upholding good password security, we do not at present recommend any specific password manager. We have no objections to any of the products listed during the course.

Which password manager is best for a given employee is another of those security trade-off questions. Which one, and which functions, you choose may depend on several factors, such as how many and which devices you use, which systems you access and how, and so on. Entrusting some of your most vital data to a password manager is ultimately a question of convenience and trust. Some password managers are not only questionable from a security point of view but downright fraudulent, so take your choice of password manager seriously and consider carefully the very complex question of how to judge which software you can trust.

Q: What anti-virus products do we use?

A: These are provided or recommended by IT Services:

  • Microsoft Defender - Windows clients
  • Jamf Protect - Apple clients
  • ClamAV - Linux clients