How org charts expose you to cyber threats

People often share organizational charts on their websites, social media, and even in documents and slides. While org charts can help explain job roles and show who to contact with questions, they can also pose a big cybersecurity risk.

As we launch the new IT Security Office website, security.fiu.edu, we’re taking a closer look at how everyday decisions like sharing org charts can expose our teams to real risks.

Universities are major targets for cyberattacks because they have large digital systems and store personal information about students, staff and faculty, as well as research, financial records and login credentials.

It’s hard to maintain security with so many people using campus networks and systems daily. That makes it easier for attackers to slip through and cause damage.

According to Varonis, colleges and universities had the second-highest number of cyberattacks in 2023, with 79% of higher ed institutions being targeted.

The risks behind org charts

What might seem like harmless information is actually a blueprint for a social engineering attack, where attackers trick or manipulate people into giving away private information. The details in org charts, such as names, titles and contact information, can help attackers create believable messages and build a false sense of trust with their victims.

Attackers study org charts to see how teams are structured and identify the employee who may be the easiest to trick.

These are some of the most common types of social engineering attacks:

  • Phishing – Attackers send fake emails that look like they’re from someone in the org chart to get employees to open malicious links or share passwords.
  • Spear phishing – A more targeted form of phishing that uses real names and job roles to make the message feel personal and urgent.
  • Pretexting – Attackers pretend to be someone else, like a coworker, vendor or tech support, and use names from the org chart to sound convincing.
  • Impersonation – Attackers call or email employees pretending to be a vice president or department head, asking for sensitive info, money or system access.
  • Baiting – Using info from the org chart to send tempting offers or fake gifts (like software or USBs) to get someone to download malware or share info.

If you receive a suspicious-looking email to your FIU account, report the email as a phishing attempt and forward it to abuse@fiu.edu.

How you should display your org chart

Org charts are useful because they show how your unit is organized and who to contact for help. They also help build digital rapport and add a personal touch to your site. Now that we’ve discussed the risks of posting your unit’s org chart online, let’s review some of the best ways to share it safely.

Avoid showing the chain of command

Don’t post full org charts or who reports to whom. This type of hierarchy reveals too much structure and makes it easier for attackers to map out your organization. Instead, list names, titles and departments individually.

Example of proper profile listing

Also, avoid using words like reports, manages or supervises when referring to specific groups or people.

Limit phone numbers and emails

Only share FIU emails and phone numbers for front desks, main offices or roles that deal with the public. Keep internal extensions, direct lines and cell numbers private.

Posting personal emails, direct phone numbers or cell phone numbers makes it easier for scammers to target individuals.

Not everyone needs a profile

Be careful about who you list. According to KnowBe4, 67% of cyberattacks target low-level employees. Avoid publishing the names of lower-level staff unless their job involves working with students one-on-one.

Focus on public-facing roles like department chairs, faculty, advisors and student support.

Rethink before sharing your org chart

Publishing full org charts online can create serious risks that outweigh the benefits. While org charts and easy access to contact information are important for students, staff and community partners, sharing too much detail hands attackers information they can use against your unit.

It’s important to regularly review your site’s directory and reconsider how org charts are displayed and which employees are listed, to better protect your community.

If you receive a suspicious email that seems to reference names or roles from your unit, report it as a phishing attempt and forward it to abuse@fiu.edu.