
National Cyber Security Awareness Month
Every October we recognize National Cybersecurity Awareness Month (NCSAM) by highlighting the importance of cybersecurity. NCSAM is an annual initiative dedicated to raising awareness about the importance of cybersecurity and promoting best practices in online safety.
Each week of October will focus on a new topic.
Week 1: Software Updates
Updates, whether on your computer, phone, or other smart devices, aren't just about new features; they contain security patches that fix vulnerabilities attackers often exploit.
Regular updates ensure your devices have the latest security protections and help safeguard university information.
Keep Your Devices Up-To-Date
Any device that connects to the internet is vulnerable to risks. The best defense is to keep your device's security software, web browser and operating systems up to date. Most software updates contain security patches for protection against the latest threats.
- Enable automatic updates whenever possible to ensure you never miss a critical patch
- Install updates promptly to patch security gaps that leave your device vulnerable
- Restart your devices regularly so updates can complete installation
- Update all your devices, including laptops, mobile phones, browsers, and smart peripherals
- Remove outdated or unused applications to reduce potential vulnerabilities
- Update only from trusted, official sources
Your UHD device is already set to automatically update. Routinely connect it to the University network so the updates can be applied.
Important reminder: Windows 10 end of life
Support for Windows 10 officially ended on October 14, 2025. Devices running Windows 10 will no longer receive security updates or patches, leaving them vulnerable to cyber threats.
Week 2: Multi-Factor Authentication (MFA)
A simple but powerful step to protect your university and personal accounts is to use Multi-Factor Authentication (MFA). MFA adds an extra layer of protection when you log in. Even if someone steals your password, they can't access your account without the second step, such as a code, app notification, or biometric scan.
Protect Your University Account
The University of Houston System uses Duo for MFA. The easiest and safest way to verify your login is with Duo Push. With one tap on your phone, you can confirm it's really you and block any unauthorized login attempts instantly.
If you aren't using Duo Push, contact the UHD IT Service Desk for assistance with setup. Read more about Duo.
Protect Your Personal Accounts
Cybercriminals often target personal email, social media, and banking accounts. Extend your protection beyond campus:
- Turn on MFA wherever it's offered (email, bank, social media, online stores)
- Use app-based codes or push notifications instead of text messages for stronger protection
Power To Deny
Deny any MFA prompts you did not initiate. If you receive an unexpected MFA request, it is likely your account password has been compromised.
- Do not approve the request
- Change your password to prevent future unexpected prompts
- Report it immediately to the UHS Information Security Team at security@uhd.edu.
Week 3: Strong Passwords
Passwords remain one of the simplest, yet strongest, tools for protecting accounts. Weak or reused passwords are among the most common causes of breaches.
Create a Personal Passphrase
A passphrase is a more secure version of a password. Instead of using single words, use a short sentence. Make your passphrase long and complex. Use:
- Uppercase letters
- Lowercase letters
- Numbers
- Special characters
Week 4: Recognizing and Reporting Phishing
Phishing attacks and scams have thrived since the COVID pandemic began in 2020, and today phishing attacks account for more than 80 percent of reported security incidents. Week 3 of Cybersecurity Awareness Month will stress the importance of being wary of emails, text messages or chat boxes that come from a stranger or someone you were not expecting. Think before you click on any suspicious emails, links or attachments. If it smells phishy, report it.
From ransomware to SolarWinds, the cybersecurity space has been as hectic as it has ever been over the last 12-24 months. However, for all of the emerging threats and news that are cropping up on the horizon, phishing—one of the oldest pain points in cybersecurity—is continuing to quietly wreak havoc, and is as big of a threat as it has ever been.
Despite often being overlooked in terms of hype, phishing has been a mainstay in the cybersecurity threat landscape for decades. In fact, 43 percent of cyberattacks in 2020 featured phishing or pre-texting, while 74 percent of US organizations experienced a successful phishing attack last year alone. That means that phishing is one of the most dangerous "action varieties" to an organization's cybersecurity health. As a result, the need for proper anti-phishing hygiene and best practices is an absolute must.
Tips for spotting a phish
With that in mind, here are a few quick best practices and tips for dealing with phishing threats.
- Know the Red Flags - Phishers are masters of making their content and interactions appealing. From content design to language, it can be difficult to discern whether content is genuine or a potential threat, which is why it is so important to know the red flags. Awkward and unusual formatting, overly explicit call-outs to click a hyperlink or open an attachment, and subject lines that create a sense of urgency are all hallmarks that the content you received could be a phish, and they indicate that it should be handled with caution.
- Verify the Source - Phishing content comes in a variety of ways. However, many phish will try to impersonate someone you may already know (such as a colleague, service provider or friend) as a way to trick you into believing their malicious content is actually trustworthy. Don't fall for it. If you sense any red flags that something may be out of place or unusual, reach out directly to the individual to confirm whether the content is authentic and safe. If not, break off communication immediately and flag the incident through the proper channels.
- Be Aware of Vishing and Other Phishing Offshoots - As more digital natives have come online and greater awareness has been spread about phishing, bad actors have begun to diversify their phishing efforts beyond traditional email. For example, voice phishing (or vishing) has become a primary alternative for bad actors looking to gain sensitive information from unsuspecting individuals. Similar to conventional phishing, vishing is typically executed by individuals posing as a legitimate organization, such as a healthcare provider or insurer, and asking for sensitive information. Simply put, it is imperative that individuals be wary of any sort of communication that asks for personal information, whether it be via email, phone or chat, especially if the communication is unexpected. If anything seems suspicious, again, break off the interaction immediately and contact the company directly to confirm the veracity of the communications.