June 2020: Working Safely and Securely in a Remote Environment
Here are some helpful tips and effective practices for working safely and securely in a remote environment, whether it’s a temporary situation or a permanent transition.
- Use a VPN
Make use of the corporate VPN at your university for an extra layer of security any time you find yourself on a public or unsecured Wi-Fi network (if you are working at a coffee shop or a library, for example). You can usually request access to the company VPN through your IT department. If your institution does not offer a company VPN, check out a thirty-day money-back guarantee offer here.
- Run Your Antivirus Software
Find out whether your university provides antivirus software. Some universities equip employee computers with antivirus software or make antivirus software available online for download. You can usually get this information from the IT help desk or the campus security team. If your workplace does not offer antivirus software, MalwareBytes offers a good-quality virus scanner for free and a higher-quality one for purchase after a fourteen-day trial period. Run your antivirus program daily to pick up on any abnormal activity or possibly corrupted/malicious files that need to be quarantined or removed. Keep in mind that your VPN and antivirus software may not play well together. If this is the case, you may need to use one program at a time to make sure each piece of software works effectively. Please consult your help desk for guidance on proper use.
- Run Your Updates
Keeping your devices and applications up to date is probably the most underrated way to protect them. It is also the most ignored. Security and software patches are released with most updates. This means that when you ignore an update, you are leaving an application or operating system vulnerable.
- Beware of Phishing or Suspicious Emails
If you encounter suspicious messages or attachments, please forward them to the security team at your institution for further investigation. There has been a surge in malicious online activity as cybercriminals and cyberattackers leverage the heightened fear of the public during the coronavirus pandemic. Online criminals are delivering coronavirus-themed phishing messages via emails, direct messages, and text messages. These messages are often alarmist and include links or attachments with the call to action to “learn more.” Clicking the link often results in account compromise, malware delivery, or something else. As always, slow down and double-check the sender field. If a request seems unreasonable or out of character, do not respond. Contact the sender directly to verify it was them who sent the request or email.
- Use Strong Passwords
Because there are a lot more threats out there during the pandemic, there are plenty of bad actors looking to take over accounts. The easiest way to protect your accounts from being compromised is to use long, complex, and unique passwords. A good rule of thumb is to make sure that your passwords are at least fifteen characters long and include a number, a capital letter, and/or a special character. The easiest way to accomplish this is to use passphrases that only make sense to you.
- DO NOT recycle passwords.
- DO NOT use variations of the same password.
- DO NOT use the same passwords for your professional accounts that you use for your personal accounts.
Recycling passwords, using variations of the same password, and using the same password for professional and personal accounts are all sure-fire ways to have more than one of your accounts compromised in the event of a breach. To keep an eye on what accounts may be exposed, utilize haveibeenpwned.com. If your university has an official password manager, you can use it not only to store but also to generate strong, unique passwords. If you do not know whether your university uses a password manager, get in touch with your help desk or your security team.
- Employ MFA
Double down on your account security with multifactor authentication (MFA). MFA adds a second check to verify your identity when logging in to one of your accounts. This helps to keep your account from being compromised even if your password falls into the wrong hands. MFA is often done in one of three ways:
- SMS (text message). This is the least-secure two-factor authentication (2FA) option, largely because messages are unencrypted and susceptible to SIM hijacking attacks. However, keep in mind that SMS is still a better option than no 2FA at all. With this method, a single-use code made up of a string of numbers is sent straight to your phone.
- Third-party authenticator app. An authenticator app lives on your mobile device, and every time you enter your password, the app generates a one-time code, which you are required to enter. To use a third-party authentication app, you will need to download one (Google Authenticator, Microsoft Authenticator, etc.) from the app store for your mobile device.
- Security key (hardware token). This is the most secure 2FA option. It’s a small physical key that you either carry or plug in to your device to complete your login. If your university issues security tokens, you should be able to request one from your IT or security department.
- Maintain a Clean Workspace
If you’re using a shared workspace, be conscious of clearing it of sensitive, nonpublic information, especially if you have to step away. Also, avoid printing out company information at home or in public spaces if it’s not necessary for your business function. In addition, if you are listening in on or participating in meetings that could be considered sensitive or in which you share nonpublic information, be sure to put on headphones. If you have the option, work in a separate, dedicated office space whenever possible.
- Maintain a Secure Workstation
Use company-issued devices for all your work so you can take advantage of security controls built in by your IT and security teams. If you would like to find out what settings to toggle on or off to secure your workflow and data on your company machine, please contact your respective IT and/or security department for advice.
If you follow these best practices while working from home—or wherever you may be—your work and your information (or other people’s information that you might handle) will be at a much lower risk of being compromised.
We hope everyone is staying safe, healthy, and productive.
- Secure your devices with a strong password, pattern, or biometric authentication. Check the settings for each device to enable a screen-lock option. For home routers, reset the default password with a strong one.
- Install anti-malware. Some software includes features that let you do automatic backups and track your device.
- Check your Bluetooth and GPS access. Disable these settings on all devices when not needed and avoid using them in public areas.
- Update your devices often. Install operating system and application updates when they become available.
- Review phone apps regularly. Remove any apps you don’t use. Be selective when buying or installing new apps. Install only those from trusted sources and avoid any that ask for unnecessary access to your personal information.
- Treat devices like cash! Don’t let your devices out of your sight or grasp. Maintain physical control of your device in public areas. Get a lock (alarmed is best) for your laptop and use it.
- Keep it sunny in the cloud. Whether using Google Drive, Dropbox, OneDrive, iCloud, Amazon Drive, or any of the many cloud options, set privacy restrictions on your files to share them only with those you intend. Protect access to your cloud drive with two-factor authentication.
- Create a secure wireless network. Configure your wireless router to protect your bandwidth, identifiable information, and personal computer. Secure it with proper set up and placement, router configuration, and a unique password, using the strongest encryption option. See http://www.wi-fi.org/ for more tips.
- Protect your Internet of Things (IoT) devices. Are you sharing your livestreaming nanny cam with the world? Review privacy settings for all Internet-ready devices before connecting them to the web.
The cybersecurity field continues to grow along with the need for new workforce talent. In fact, the 2016 EDUCAUSE Center for Analysis and Research’s study on the higher education IT workforce showed that cybersecurity management skillsets are among those most in demand in higher education today. Most information security jobs require at least a bachelor’s degree, so the knowledge students acquire through degree programs is critical. At the same time, students should be encouraged to seek additional opportunities for professional development and growth, including the following:
- Campus internships. Consider hiring student interns to assist in your institution’s information security department. Interns can offer the department additional staffing resources, and department staff can offer interns real-world experiences and the chance to develop mentoring relationships. For suggested qualifications and responsibilities, see the Information Security Intern Job Description Template.
- Cyber competitions. Institutions with an information assurance or computer security curriculum can participate in regional events hosted by the National Collegiate Cyber Defense Competition. These events give students the chance to hone their practical information security skills, as well as experience working in teams.
- Scholarships. Full-time students pursuing a bachelor’s or master’s degree in a formal cybersecurity program at colleges and universities selected by the US Department of Homeland Security (DHS) are eligible to receive scholarship grants. In exchange, scholarship recipients will be placed in an internship; they will also be offered a full-time cybersecurity position after graduation with a federal agency (or other organization approved by the National Science Foundation).
- Conferences. Students can take advantage of a plethora of information security conferences held each year. Among them is the Women in Cybersecurity conference, which seeks to recruit, retain, and advance women in cybersecurity. This annual conference brings together students and women in cybersecurity from various industries for knowledge sharing, mentoring, and networking.
- Job fairs. Likewise, students can choose from among numerous job fairs, including the following. DHS hosted its first Cyber and Tech Job Fair in July 2016. The U.S. Department of State maintains a list of job fair websites, including some that require a security clearance. The SANS Institute hosts a CyberTalent Fair — a virtual event for anyone seeking career or job opportunities in cybersecurity. Many campuses also host IT and cybersecurity job fairs, offering advice to students about certifications and connecting graduates or alumni with potential employers.
- Training courses. The DHS National Initiative for Cybersecurity Careers and Studies (NICCS) Training Catalog includes more than 2,000 cybersecurity training courses offered in the US. A handy interactive map quickly shows viewers the number of courses offered in specific locations. Users can also search for training opportunities by keyword, location, specialty area, provider, proficiency level, and delivery method.
- Student associations. The National Cybersecurity Student Association requires a small membership fee, but allows students to network through local and state chapters; learn about opportunities for scholarship, internship, and mentoring; and develop technical and leadership skills as they prepare for the cybersecurity workforce.
- Protect your device. Add a passcode to your cell phone, tablet, or laptop right now!
- Use strong passwords or passphrases. Especially for online banking and other important accounts.
- Enable multifactor authentication. Wherever possible, enable multifactor authentication, which helps secure your accounts by requiring hardware or biometrics in addition to your password.
- Check your social media settings. Review your social media security and privacy settings frequently. Enable two-step verification whenever possible.
- Educate yourself. Stay informed about the latest technology trends and security issues such as malware and phishing.
- Get trained. Contact your institution’s IT, information security, or privacy office for additional resources and training opportunities.
Ransomware is a type of malware designed to encrypt users’ files or lock their operating systems so attackers can demand a ransom payment. According to a 2016 Symantec report, the average ransom demand is almost $700 and “consumers are the most likely victims of ransomware, accounting for 57 percent of all infections between January 2015 and April 2016.”
Similar to a phishing attack, ransomware executes when a user is lured to click on an infected link or e-mail attachment or to download a file or software drive while visiting a rogue website. Sophisticated social engineering techniques are used to entice users to take the desired action; examples include
- an embedded malicious link in an e-mail offers a cheap airfare ticket (see figure 1);
- an email that appears to be from Google Chrome or Facebook invites recipients to click on an image to update their web browser (see figure 2); or
- a well-crafted website mimics a legitimate website and prompts users to download a file or install an update that locks their PC or laptop.
To avoid becoming a victim of ransomware, users can follow these tips:
- Delete any suspicious e-mail. Messages from unverified sources or from known sources that offer deals that sound too good to be true are most likely malicious (see figure 3). If in doubt, contact the alleged source by phone or by using a known, public email address to verify the message’s authenticity.
- Avoid clicking on unverified email links or attachments. Suspicious links might carry ransomware (such as the CryptoLocker Trojan).
- Use email filtering options whenever possible. Email or spam filtering can stop a malicious message from reaching your inbox.
- Install and maintain up-to-date antivirus software. Keeping your operating system updated with the latest virus definitions will ensure that your security software can detect the latest malware variations.
- Update all devices, software, and plug-ins on a regular basis. Check for operating system, software, and plug-in updates often — or, if possible, set up automatic updates — to minimize the likelihood of someone holding your computer or files for ransom.
- Back up your files. Back up the files on your computer, laptop, or mobile devices frequently so you don’t have to pay the ransom to access locked files.
Who Else Is Online? Social media sites are not well-monitored playgrounds with protectors watching over you to ensure your safety. When you use social media, do you think about who might be using it besides your friends and connections? Following are some of the other users you may encounter.
- Identity thieves. Cybercriminals need only a few pieces of information to gain access to your financial resources. Phone numbers, addresses, names, and other personal information can be harvested easily from social networking sites and used for identity theft. Cybercrime attacks have moved to social media, because that’s where cybercriminals get their greatest return on investment.
- Online predators. Are your friends interested in seeing your class schedule online? Well, sex offenders or other criminals could be as well. Knowing your schedule and your whereabouts can make it very easy for someone to victimize you, whether it’s breaking in while you’re gone or attacking you while you’re out.
- Employers. Most employers investigate applicants and current employees through social networking sites and/or search engines. What you post online could put you in a negative light to prospective or current employers, especially if your profile picture features you doing something questionable or “less than clever.” Think before you post a compromising picture or inflammatory status. (And stay out of online political and religious discussions!)
How Do I Protect My Information? Although there are no guaranteed ways to keep your online information secure, following are some tips to help keep your private information private.
- Don’t post personal or private information online! The easiest way to keep your information private is to NOT post it. Don’t post your full birthdate, address, or phone numbers online. Don’t hesitate to ask friends to remove embarrassing or sensitive information about you from their posts, either. You can NEVER assume the information you post online is private.
- Use privacy settings. Most social networking sites provide settings that let you restrict public access to your profile, such as allowing only your friends to view it. (Of course, this works only if you allow people you actually know to see your postings — if you have 10,000 “friends,” your privacy won’t be very well protected.)
- Review privacy settings regularly. It’s important to review your privacy settings for each social networking site; they change over time, and you may find that you’ve unknowingly exposed information you intended to keep private.
- Be wary of others. Many social networking sites do not have a rigorous process to verify the identity of their users. Always be cautious when dealing with unfamiliar people online. Also, you might receive a friend request from someone masquerading as a friend. Here’s a cool hint — if you use Google Chrome, right-click on the photo in a LinkedIn profile and choose Google image search. If you find that there are multiple accounts using the same image, all but one is probably spurious.
- Search for yourself. Do you know what information is readily available about you online? Find out what other people can easily access by doing a search. Also, set up an automatic search alert to notify you when your name appears online. (You may want to set alerts for your nicknames, phone numbers, and addresses as well; you may very well be surprised at what you find.)
- Understand the role of hashtags. Hashtags (#) are a popular way to provide clever commentary or to tag specific pictures. Many people restrict access to their Instagram accounts so that only their friends can see their pictures. However, when someone applies a hashtag to a picture that is otherwise private, anyone who searches for that hashtag can see it.
My Information Won’t Be Available Forever, Will It? Well, maybe not forever, but it will remain online for a lot longer than you think.
- Before posting anything online, remember the maxim “what happens on the web, stays on the web.” Information on the Internet is public and available for anyone to see, and security is never perfect. With browser caching and server backups, there is a good chance that what you post will circulate on the web for years to come. So: be safe and think twice about anything you post online.
- Share only the information you are comfortable sharing. Don’t supply information that’s not required. Remember: You have to play a role in protecting your information and staying safe online. No one will do it for you.
- Top five social media safety tips
- PSA on photo sharing and social network privacy
- PSA on identity theft
- Your friends tell you. They’ve received a spammy or phishy e-mail from your account.
- Your phone tells you. Collection companies are calling about nonpayment. Battery and data usage are higher than normal. Charges for premium SMS numbers show up on your bill.
- Your browser tells you. Unwanted browser toolbars, homepages, or plugins appear unexpectedly. You’re seeing lots of pop-ups or web page redirects. Your online passwords aren’t working.
- Your software tells you. New accounts appear on your device. Antivirus messages report that the virus hasn’t been cleaned or quarantined. You see fake antivirus messages from software you don’t remember installing. Programs are running or requesting elevated privileges that you did not install. Programs randomly crash.
- Your bank tells you. You receive a message about insufficient funds due to unauthorized charges.
- Your mail tells you. You receive a notification from a company that has recently suffered a cybersecurity breach.
- Change your affected passwords using an unaffected device. Not sure which passwords are affected? It’s best to change them all.
- Update your mobile software and apps. Make sure you keep them up-to-date.
- Update your antivirus software. Then run a complete scan. Follow the instructions provided to quarantine or delete any infected files.
- Update your browser software and plugins. Check frequently for new updates and delete any unnecessary or obsolete plugins.
- Is your computer still acting wonky? It might be best to start from scratch with a complete reformat of your machine so you can ensure that all affected software is fixed.
- Self-report to credit agencies. If you believe your personally identifiable information has been affected, you don’t want to deal with identity theft on top of being hacked.
- Be prepared with backups. Don’t let the next compromise ruin your day. Back up your files frequently. Consider storing at least two separate backups: one on an external drive and one in cloud storage.
- Stay ahead of the hackers. Check the Have I been pwned website to see if your accounts were hacked in a known attack.
Follow these six National Cyber Security Alliance recommendations to better protect yourself online and make the Internet more secure for everyone:
- Fortify each online account or device. Enable the strongest authentication tools available. This might include biometrics, security keys, or unique one-time codes sent to your mobile device. Usernames and passwords are not enough to protect key accounts such as e-mail, banking, and social media.
- Keep a clean machine. Make sure all software on Internet-connected devices — including PCs, laptops, smartphones, and tablets — is updated regularly to reduce the risk of malware infection.
- Personal information is like money. Value it. Protect it. Information about you, such as purchase history or location, has value — just like money. Be thoughtful about who receives that information and how it’s collected by apps or websites.
- When in doubt, throw it out. Cybercriminals often use links to try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
- Share with care. Think before posting about yourself and others online. Consider what a post reveals, who might see it, and how it could be perceived now and in the future.
- Own your online presence. Set the privacy and security settings on websites to your comfort level for information sharing. It’s okay to limit how and with whom you share information.
- Always: Use a unique password for each account so one compromised password does not put all of your accounts at risk of takeover.
- Good: A good password is 10 or more characters in length, with a combination of uppercase and lowercase letters, plus numbers and/or symbols — such as pAMPh$3let. Complex passwords can be challenging to remember for even one site, let alone using multiple passwords for multiple sites; strong passwords are also difficult to type on a smartphone keyboard (for an easy password management option, see “best” below).
- Better: A passphrase uses a combination of words to achieve a length of 20 or more characters. That additional length makes it exponentially harder for hackers to crack, yet a passphrase is easier for you to remember and more natural to type. To create a passphrase, generate four or more random words from a dictionary, mix in uppercase letters, and add a number or symbol to make it even stronger — such as rubbishconsiderGREENSwim$3. You’ll still find it challenging to remember multiple passphrases, though, so read on.
- Best: The strongest passwords are created by password managers — software that generates and keeps track of complex and unique passwords for all of your accounts. All you need to remember is one complex password or passphrase to access your password manager. With a password manager, you can look up passwords when you need them, copy and paste from the vault, or use functionality within the software to log you in automatically. Best practice is to add two-step verification to your password manager account. Keep reading!
- Step it up! When you use two-step verification (a.k.a., two-factor authentication or login approval), a stolen password doesn’t result in a stolen account. Anytime your account is logged into from a new device, you receive an authorization check on your smartphone or other registered device. Without that second piece, a password thief can’t get into your account. It’s the single best way to protect your account from cybercriminals.
According to the US Department of Justice, more than 17 million Americans were victims of identity theft in 2014. EDUCAUSE research shows that 21 percent of respondents to the annual ECAR student study have had an online account hacked, and 14 percent have had a computer, tablet, or smartphone stolen. Online fraud is an ongoing risk. The following tips can help you prevent identity theft.
- Read your credit card, bank, and pay statements carefully each month. Look for unusual or unexpected transactions. Remember also to review recurring bill charges and other important personal account information.
- Review your health insurance plan statements and claims. Look for unusual or unexpected transactions.
- Shred it! Shred any documents with personal, financial, or medical information before you throw them away.
- Take advantage of free annual credit reports. In the US, the three major credit reporting agencies provide a free credit report once a year upon request.
- If a request for your personal info doesn’t feel right, do not feel obligated to respond! Legitimate companies won’t ask for personal information such as your social security number, password, or account number in a pop-up ad, e-mail, text, or unsolicited phone call.
- Limit the personal information you share on social media. Also, check your privacy settings every time you update an application or operating system (or at least every few months).
- Put a password on it. Protect your online accounts and mobile devices with strong, unique passwords or passphrases.
- Limit use of public Wi-Fi. Be careful when using free Wi-Fi, which may not be secure. Consider waiting to access online banking information or other sensitive accounts until you are at home.
- Secure your devices. Encrypt your hard drive, use a VPN, and ensure that your systems, apps, antivirus software, and plug-ins are up-to-date.
If you become a victim of identity theft:
- File a report with the US Federal Trade Commission at IdentityTheft.gov.
- Use the identity theft report to file a police report. Make sure you keep a copy of both reports in a safe place.
- Flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800-525-6285), Experian (888-397-3742), or TransUnion (800-680-7289).
Before you go:
- If possible, do not take your work or personal devices with you on international trips. If you do, remove or encrypt any confidential data.
- For international travel, consider using temporary devices, such as an inexpensive laptop and a prepaid cell phone purchased specifically for travel. (For business travel, your employer may have specific policies about device use and traveling abroad.)
- Install a device finder or manager on your mobile device in case it is lost or stolen. Make sure it has remote wipe capabilities and that you know how to do a remote wipe.
- Ensure that any device with an operating system and software is fully patched and up-to-date with security software.
- Make copies of your travel documents and any credit cards you’re taking with you. Leave the copies with a trusted friend, in case the items are lost or stolen.
- Keep prying eyes out! Use strong passwords, passcodes, or smart-phone touch ID to lock and protect your devices.
- Avoid posting social media announcements about your travel plans; such announcements make you an easy target for thieves. Wait until you’re home to post your photos or share details about your trip.
While you’re there:
- Physically protect yourself, your devices, and any identification documents (especially your passport).
- Don’t use an ATM unless you have no other option; instead, work with a teller inside the bank. If you must use an ATM, only do so during daylight hours and ask a friend to watch your back. Also check the ATM for any skimming devices, and use your hand to cover the number pad as you enter your PIN.
- It’s hard to resist sharing photos or telling friends and family about your adventures, but it’s best to wait to post about your trip on social media until you return home.
- Never use the computers available in public areas, hotel business centers, or cyber cafés since they may be loaded with keyloggers and malware. If you use a device belonging to other travelers, colleagues, or friends, do not log in to email or any sensitive accounts.
- Be careful when using public wireless networks or Wi-Fi hotspots; they’re not secure, so anyone could potentially see what you’re doing on your computer or mobile device while you’re connected.
- Disable Wi-Fi and Bluetooth when not in use. Some stores and other locations search for devices with Wi-Fi or Bluetooth enabled to track your movements when you’re within range.
- Keep your devices with you at all times during your travels. Do not assume they will be safe in your hotel room or in a hotel safe.
When you return:
- Change any and all passwords you may have used abroad.
- Run full antivirus scans on your devices.
- If you used a credit card while traveling, check your monthly statements for any discrepancies for at least one year after you return.
- If you downloaded any apps specifically for your trip and no longer need them, be sure to delete those apps and the associated data.
- Post all of your photos on social media and enjoy reliving the experience!
- Phishing isn’t relegated to just e-mail! Cybercriminals will also launch phishing attacks through phone calls, text messages, or other online messaging applications. Don’t know the sender or caller? Seem too good to be true? It’s probably a phishing attack.
- Know the signs. Does the e-mail contain a vague salutation, spelling or grammatical errors, an urgent request, and/or an offer that seems impossibly good? Click that delete button.
- Verify the sender. Check the sender’s e-mail address to make sure it’s legitimate. If it appears that your institution’s help desk is asking you to click on a link to increase your mailbox quota, but the sender is “[email protected],” it’s a phishing message.
- Don’t be duped by aesthetics. Phishing e-mails often contain convincing logos, links to actual company websites, legitimate phone numbers, and e-mail signatures of actual employees. However, if the message is urging you to take action — especially action such as sending sensitive information, clicking on a link, or downloading an attachment — exercise caution and look for other telltale signs of phishing attacks. Don’t hesitate to contact the company directly; they can verify legitimacy and may not even be aware that their name is being used for fraud.
- Never, ever share your password. Did we say never? Yup, we mean never. Your password is the key to your identity, your data, and your classmates’ and colleagues’ data. It is for your eyes only. Your institution’s help desk or IT department will never ask you for your password.
- Avoid opening links and attachments from unknown senders. Get into the habit of typing known URLs into your browser. Don’t open attachments unless you’re expecting a file from someone. Give them a call if you’re suspicious.
- When you’re not sure, call to verify. Let’s say you receive an e-mail claiming to be from someone you know — a friend, colleague, or even the president of your college or university. Cybercriminals often spoof addresses to convince you, then request that you perform an action such as transfer funds or provide sensitive information. If something seems off about the e-mail, call them at a known number listed in your institution’s directory to confirm the request.
- Don’t talk to strangers! Receive a call from someone you don’t know? Are they asking you to provide information or making odd requests? Hang up the phone and report it to the help desk.
- Don’t be tempted by abandoned flash drives. Cybercriminals may leave flash drives lying around for victims to pick up and insert, thereby unknowingly installing malware on their computers. You might be tempted to insert a flash drive just to find out who the rightful owner is, but be wary — it could be a trap.
- See someone suspicious? Say something. If you notice someone suspicious walking around or “tailgating” someone else, especially in an off-limits area, call campus safety.
- Use a unique password for each site. Hackers often use previously compromised information to access other sites. Choosing unique passwords keeps that risk to a minimum.
- Use a password manager. Using an encrypted password manager to store your passwords makes it easy to access and use a unique password for each site.
- Know what you are sharing. Check the privacy settings on all of your social media accounts; some even include a wizard to walk you through the settings. Always be cautious about what you post publicly.
- Guard your date of birth and telephone number. These are key pieces of information used for verification, and you should not share them publicly. If an online service or site asks you to share this critical information, consider whether it is important enough to warrant it.
- Keep your work and personal presences separate. Your employer has the right to access your e-mail account, so you should use an outside service for private e-mails. This also helps you ensure uninterrupted access to your private e-mail and other services if you switch employers.
- There are no true secrets online. Use the postcard or billboard test: Would you be comfortable with everyone reading a message or post? If not, don’t share it.
You should understand how to present yourself on social networking sites and how to safeguard your information. What many may consider temporary or fleeting will most likely remain on the Internet forever. As a result, keep these dos and don’ts in mind when sharing online.
- Ask questions about who can access the information you are posting online, who controls and owns the information, and what is shared with third parties.
- Maintain a backup of the content you post on professional networking sites (e.g., LinkedIn).
- Understand the default privacy settings on the social networking sites you use and how to change them to match your comfort level.
- Keep your personal information private. Assess whether it’s necessary to share sensitive information such as your birthday, mailing address, phone number, e-mail, mother’s maiden name, sexual orientation, or Social Security number.
- Be cautious about accepting requests to connect online. Connect only to people you trust who will not misuse the information you post.
- Check the location settings on photos and videos you post to social networking sites.
- Avoid joining online groups where you don’t know all the members or what they stand for.
- Use passphrases to protect your social media accounts. A passphrase is a set of words that forms a phrase 20 to 30 characters long.
- Don’t share too much information that could be used to complete a profile about you. For example, share your birthday, but not the year you were born. Or share your hometown, but not the address where you live.
- Don’t share any information that is being used for verification purposes, such as your mother’s maiden name, the name of your first pet, or the street where you first lived. Consider making up alternate answers to those questions that only you would know.
- Don’t post when you are traveling or going out of town on vacation. It’s an open invitation letting criminals know that you are in a different location and that your home is vacant.
- Don’t post photos of inappropriate or illegal activities.
- Don’t click on attachments or links without checking the source.
- Don’t “check in” to every place you visit. That information could be used to identify you in a vulnerable location.
- Don’t use weak passwords, and never share your passwords!
The threat of identity theft (ID theft) is real, and it can take months or years to recover once you become a victim. Recent statistics show that each year approximately 15 million U.S. residents have their identities used fraudulently. In addition, nearly 100 million Americans have their personal information placed at risk of theft each year when records in databases are lost, stolen, or accessed by unauthorized individuals. EDUCAUSE research shows that 21% of respondents to the annual ECAR student study have had an online account hacked, and 14% have had a computer, tablet, or smartphone stolen. Here are some tips to help prevent ID theft:
- Read your monthly statements carefully. Review bank, credit card, and pay statements, as well as other important personal accounts (e.g., health care, social security). If a statement has mistakes, charges you don’t recognize, or doesn’t arrive when expected, contact the business.
- Shred outdated documents. Make sure you shred any documents that show sensitive financial or medical information before you throw them away.
- Be careful when sharing personal info. Avoid responding to pop-up ads, e-mails, texts, or phone messages that ask for personal information such as your Social Security number, password, or account number. Legitimate companies don’t ask for information in this way.
- Protect your online accounts. Create strong passwords or passphrases that are at least eight characters long and include a mix of letters, numbers, and special characters. Don’t use the same password or passphrase for multiple accounts.
- Limit use of public Wi-Fi. If you must use a public wireless network, make sure it is fully encrypted before sending sensitive information. Use HTTPS (for websites) and SSL (for applications like e-mail) whenever possible, and use a VPN (virtual private network) if you have access to one. Save your most sensitive browsing and work for when you are in a place where you know the Wi-Fi is secure.
- Use secure devices. Whenever possible, encrypt your hard drive, make sure operating system and application software and plug-ins are up-to-date, and install antivirus software (and keep it current).
- Keep personal information private. Limit what you share on social media. For instance, don’t share your vacation pictures publicly until you return home (so thieves don’t target your empty home).
- Review your credit report every year. You can request a free annual credit report.
If you’ve been a victim of ID theft:
- Create an Identity Theft Report by filing a complaint with the Federal Trade Commission online (or call 1-877-438-4338).
- Use the Identity Theft Report to file a police report. Make sure you keep a copy of the police report in a safe place.
- Flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800-525-6285); TransUnion (800-680-7289); or Experian (888-397-3742).
- Information Security Awareness PSA: “When You Least Expect It”
- Information Security Awareness PSA: “I’m Mike!”
- Information Security Awareness Training Video: “Identity Theft”
Did you know?
- 93% of Americans believe their online actions can help make the web safer for everyone.
- However, 28% of Americans say they lack knowledge about ways to stay safer online. [Source]
It is important for each of us to be aware of the increasing security risks that come with mobile devices, from laptops and tablets to smartphones and wearable technology, and with 24/7 access to our personal data.
- Protect Your Device: Add a passcode to your cell phone, tablet, or laptop right now!
- Use Strong Passwords or Passphrases: Especially for online banking and other important accounts.
- Check Your Social Media Settings: Review your social media security and privacy settings frequently. Enable two-step verification whenever possible.
- Educate Yourself: Stay informed about the latest technology trends and security issues such as malware and phishing.
- Get Trained: Contact your institution’s IT, information security, or privacy office for additional resources or training opportunities.
- Information Security Awareness PSA: “Attention College Students!”
- Information Security Awareness Training Video: “Phishing: E-Safe”
- Information Security Awareness PSA: “Protecting Your Computer in a Public Place”
Did you know that most passwords are easily broken? Have you found it hard to create a good, strong password that you can remember? Creating a strong, but easily remembered, password can be a challenge, but a few “secrets” can help you. Check out the dos and don’ts below.
Do you want to create a strong password? (Your answer should be YES.)
- Use at least 8 characters, preferably more
- Use a mix of upper and lower case letters, numbers, and symbols
- Create an easy-to-remember passphrase by choosing a phrase and adding numbers and symbols. Length is more important than complexity. For example:
  - “It might seem crazy what I’m about to say” becomes “Itmightseem7CrazywhatI’mabout56to$ay”
  - Fairly easy to remember, but far stronger than a typical complex password such as 79RtiO)m^B or something similar
- Consider using a password safe or manager such as LastPass or KeePass
- Change your password or passphrase regularly
- Be sure you’re on the correct website before entering your password or passphrase
You won’t do these things we’re asking you not to do, will you? (Your answer should be NO.)
- Don’t include your username or account number in your password or passphrase
- Don’t use the same password for multiple services
- Don’t use a single word, in any language
- Don’t use consecutive repeating characters or a number sequence
- Don’t use your pet’s name
- Don’t use your birthdate, address, phone number, or any other type of information someone can easily obtain
- Don’t share your password or passphrase
- Information Security Awareness PSA: “Passwords”
- Information Security Awareness Training Video: “How to Create a Secure Password”
- Information Security Awareness Training Video: “Security Spy”
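To put numbers on “length is more important than complexity,” here is a small added example (not part of the original tips) that checks a candidate against the don’ts above and estimates how large a blind brute-force search would be. The function names, the thresholds of three repeated characters and three sequential digits, and the sample username are assumptions made for illustration.

```python
import math
import re
import string

def char_pool(pw):
    """Size of the character pool a blind brute-force search must cover.
    Non-ASCII characters are counted with the symbols (conservative)."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not (c.isascii() and c.isalnum()),
                len(string.punctuation))]
    return sum(size for test, size in classes if any(test(c) for c in pw))

def brute_force_bits(pw):
    """Upper bound in bits: length * log2(pool). A phrase that appears in
    an attacker's wordlist (a well-known quote or lyric) is weaker."""
    return len(pw) * math.log2(char_pool(pw)) if pw else 0.0

def has_digit_run(pw, run=3):
    """True if pw holds `run` digits counting up or down (123, 987)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if chunk.isdecimal():
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False

def violations(pw, username=""):
    """List which of the page's don'ts a candidate breaks.
    Assumed thresholds: 3 identical characters, 3 sequential digits."""
    found = []
    if len(pw) < 8:
        found.append("shorter than 8 characters")
    if username and username.lower() in pw.lower():
        found.append("contains the username")
    if pw.isalpha():
        found.append("letters only, may be a single word")
    if re.search(r"(.)\1\1", pw):
        found.append("repeated character run")
    if has_digit_run(pw):
        found.append("number sequence")
    return found

PASSPHRASE = "Itmightseem7CrazywhatI’mabout56to$ay"  # example from the page
COMPLEX = "79RtiO)m^B"                                # example from the page

if __name__ == "__main__":
    for pw in (PASSPHRASE, COMPLEX, "jsmith123"):  # last one is constructed
        print(len(pw), round(brute_force_bits(pw)), violations(pw, "jsmith"))
```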