Proper security is essential for the university’s compliance with legal, regulatory, and contractual obligations:
- Keeping your device’s software and operating system updated and patched is the single most effective way to protect yourself and your data from malware and other malicious activity.
- Regularly installing security patches, updates and upgrades is an easy way to fix flaws, and often helps improve usability and performance of an application or operating system.
- Most importantly, patches and updates address known and exploitable security vulnerabilities.
- When a software update is issued by a vendor, it’s recommended to apply it as soon as possible.
Delaying or avoiding patches, updates and upgrades creates opportunities for threat actors:
- Unpatched and unsupported environments can have vulnerabilities that are known and published on the Internet.
- Threat actors exploit these known vulnerabilities to access and infect devices with malware, gain control of the system, and establish a foothold inside our IT environment.
- That foothold can be used to avoid security tools, perform reconnaissance and quietly traverse the university network with the goal of exploiting other vulnerable applications, services and devices.
In today’s environment, this activity is highly organized and automated. It can take minutes for an initial compromise to spread across hundreds of devices.
Canadian universities frequently observe threat actors exploiting vulnerabilities within the first few hours of being disclosed by cyber security researchers or vendors.
The Canadian Centre for Cyber Security (CCCS) lists software patching as a top measure for the cyber security of small and medium enterprises (SMEs). In fact, CCCS recommends that software be configured to update automatically whenever possible.
University policy requires that all IT support teams:
- Implement appropriate administrative, technical, and physical security controls to ensure the continued confidentiality, integrity, and availability of information systems.
- Implement security controls that are based on industry best practices and standards.
- Have processes in place to ensure that information systems and their data are secured throughout the information system’s operational life cycle:
  - This includes applying and maintaining a current and automated vulnerability and security patch management process.
- Apply compensating controls (e.g., network isolation) on systems that are not at vendor-supported levels to reduce their risk to an acceptable level.
In addition:
- ITS Information Security may implement network restrictions for any device or network segment that reduces the security posture of other IT systems or services to an unacceptable level.
- The entire University Information Security policy is posted on the Secretariat web site.
Vendor support for Windows 10 ends in October 2025, and there are additional risks to consider:
- Many users have full administrative rights to their device.
  - This allows configuration changes and software installations beyond those that ITS provides and controls.
- Staff, faculty, classroom, and student lab devices are networked and accessible to each other.
- Staff, faculty, students, and guests of the university can also access the wired network using their own personal devices.
- Windows 10 is the most popular operating system on-campus and globally, making it the preferred target of vulnerability discovery and exploits by threat actors.
Because of this, it is in everyone’s best interests to upgrade devices to Windows 11 prior to the October 2025 end of support deadline.