
Safeguarding Your Data and Privacy: 10 Pro Tips We’ve Gleaned from Teaching Cybersecurity Boot Camps

Written by Adam Haas | William Triest on Oct 27, 2021


Considering HTML—the markup language for creating websites—was invented only 30 years ago, the world’s cyber journey has been a pretty amazing race. For the first few years of this high-speed adventure, progress was prioritized over any big-picture “risks” for the future. But today, the cost of our breakneck exploration has been a significant security debt that’s left us incredibly vulnerable. Nearly every day we read about data breaches, ransomware attacks, large-scale compromises, and even adversaries going undetected for years. We shouldn't be surprised by the prevalence of these cybersecurity incidents, but rather by how lucky we've been at the relatively light cost of their impact compared to a truly significant event like a wide-scale water, power, or hospital shutdown.

While there’s no denying that the world faces significant cybersecurity challenges, we’ve hit a turning point where a three-faceted approach can help decrease a malicious actor’s advantage—an approach we teach in The Ohio State University’s Cybersecurity Boot Camp. First, when we build new systems, we need to intentionally design them with robust cybersecurity in mind at the start. Second, we must keep working on reducing the security debt; with payment cards, for example, the adoption of chips, elimination of raised digits, and planned removal of magnetic stripes are all progress on that front. Finally, we need to plan for failure and build resilient recovery systems that can help us quickly recover, so that we can continue safely conducting business and living our lives.

The overarching point here is that we need to focus on cybersecurity as a whole rather than individual events. Too many cyberattacks could have been prevented by people just following simple procedures and processes. Thinking ahead and being prepared for the future is critical to reducing the impact and risk of the inevitable. That’s why, from our years of expertise, we’ve put together the following 10 tips and tricks for everyone to keep in mind, as part of National Cybersecurity Awareness Month. Not all of our tips focus on technology per se, as cybersecurity ultimately relies on people. While technology eventually becomes outdated, adopting a certain general mindset keeps our collective approach timeless and universally applicable.

1) Have confidence in yourself—and don't let others pressure or persuade you into poor practices.

Vishers and other fraudsters exploit our desire to be polite, socially acceptable people. To protect yourself, sometimes you need to break society's unwritten rules.

Will’s example: This spring, a medical office legitimately called me, but when my hello immediately triggered a request for my social security number, I hung up. Even though providing my SSN is a “best practice” from the medical office’s point of view, I know providing sensitive information when called is a bad idea. So, to this day, I insist on calling them back, despite my wife's groans.

2) Don't be afraid to ask for help.

The world’s trust models and best practices have changed over time. Regularly listening to experts, reevaluating your practices, and asking others for help are all necessary processes to stay safe.

Will’s example: While my parents taught me to never give out information when called, they also taught me to never get in a car with a stranger or give out my personal information online. Yet today, people do both on a regular basis when they use services like Uber. When I called that medical office back to validate the call was legitimate, they argued I should’ve checked the number on caller ID. But based on my experience with caller ID spoofing, I know better than to trust that. I kindly pointed out that they were asking me to use a dated model (caller ID) to trust them—while also using an ill-advised piece of information (SSN) to authenticate me.

3) Learn from your mistakes.

Look at our first two tips: “DON’T listen to others” followed by “DO listen to others.” That's obviously a gross oversimplification, but it’s a great example of how even good cybersecurity advice is nuanced. Truth is, you're likely to be given bad advice by sources we generally consider educated and intelligent. When adversaries trying to exploit our human nature are piled on top of all the other stresses and distractions in our lives, is it any wonder that people fall for phishing, vishing, and other fraudulent schemes? No one is immune—not even your friendly cybersecurity experts here!

4) Enable multi-factor authentication (MFA).

A factor of authentication is something you must present to prove you are who you say you are. Using a single factor, such as a password, is no longer sufficient to protect medical, financial, or other personal information. Two additional kinds of authentication layers include “possession” and “inherence” factors. Possession factors are something you have, like a phone hosting an authenticator app or a physical token like a YubiKey. Inherence factors are something you are, like biometric data (a fingerprint or retinal scan). Although the most common MFA combination is a password and a one-time code sent via SMS text, we discourage SMS as an option, because text messages are not encrypted and are susceptible to SIM card swapping. Instead, use an authenticator app or physical token.

5) Use a password manager.

Many people reuse the same password, as it’s easier to remember a single password than a unique one for each service. Attackers count on this and use stolen credentials to attempt to gain access to various services. A password manager lets you create unique, long, and complex passwords for each service. Many of them offer standalone, cloud, or self-hosted solutions and include cross-platform applications that let you access all your passwords no matter what device you’re on. Choose a password manager that suits your risk tolerance and has the features you desire—but also make sure it’s really serious about security. Look for password managers that have paid bug bounty programs, have an open-source codebase, and pay outside companies to perform security assessments and penetration testing.

6) Use random information for “security questions.”

If you’ve spent any amount of time on social media, you’ve likely seen people sharing and responding to the “What was your first car?” or “What was the name of the street you grew up on?” posts. Unfortunately, many of these seemingly innocent posts tend to be very similar to the “security questions” you’re asked to fill out for resetting account passwords. It's best practice not to respond to these social media posts at all. And then here’s a second layer of protection: When choosing and answering security questions, use random information rather than the correct answer. For example, use your dream car instead of your first car, or your favorite band name instead of the street you grew up on.

7) Back up your data and verify.

Backing up your data protects you in multiple scenarios, be it a natural disaster or a ransomware attack. Having the ability to restore your data is worth the minimal investment. Additionally, accidental deletions, corrupted storage media, and other events can result in the loss of medical, financial, or other irreplaceable personal data. The good news is that backing up data does not have to be expensive or complicated. Many solutions offer automatic, secure, and encrypted backups to the cloud or a local external hard drive. A critical aspect to remember is that it's not a backup solution until you verify that you can restore your data. So test the functionality of your backup solution periodically.
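One way to run that restore test, as an added example that is not part of the original article: restore the backup to a scratch folder, then compare SHA-256 digests of every file against the originals. The function names and sample files are assumptions, and the check assumes the originals have not changed since the backup was taken.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def verify_restore(original: Path, restored: Path) -> dict:
    """Report files the restore lost, altered, or added."""
    src, dst = manifest(original), manifest(restored)
    return {
        "missing": sorted(set(src) - set(dst)),
        "corrupt": sorted(n for n in set(src) & set(dst) if src[n] != dst[n]),
        "unexpected": sorted(set(dst) - set(src)),
    }

def restore_ok(report: dict) -> bool:
    """A restore passes only if nothing is missing or corrupt."""
    return not report["missing"] and not report["corrupt"]

def demo() -> dict:
    """Constructed sample: a two-file source and a restore with one damaged file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "original"), Path(tmp, "restored")
        (src / "docs").mkdir(parents=True)
        (dst / "docs").mkdir(parents=True)
        (src / "docs" / "taxes.txt").write_text("2021 return")
        (src / "photo.bin").write_bytes(b"\x00\x01\x02")
        (dst / "docs" / "taxes.txt").write_text("2021 return")
        (dst / "photo.bin").write_bytes(b"\x00\xff\x02")  # simulated bit rot
        return verify_restore(src, dst)

if __name__ == "__main__":
    report = demo()
    print(report, "PASS" if restore_ok(report) else "FAIL")
```
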

8) Avoid “Internet of Things” (IoT) devices.

Sure, it's neat to be able to ask your refrigerator if you're out of milk, your faucet to dispense a cup of water, or Alexa to play your favorite song. But at what cost? Many IoT devices are designed for simplicity, not security. There are no standards for them, and they’re often shipped with insecure default settings that are difficult or impossible to change. Additionally, many IoT devices lack the power to run security software. Comcast released its first Xfinity Cyber Health Report last year, highlighting the risks of devices and frequency of attacks on consumers. IoT devices introduce many security risks to home or business networks, enabling attackers to perform denial-of-service, passive wiretapping, and zero-day attacks. Avoid these devices whenever possible or choose ones that can be secured.

9) Monitor your data.

If your employer, bank, or credit card company offers a data breach monitoring tool or benefit, be sure to sign up for alerts. Actively monitoring your data and being aware of any breaches can put you a step ahead—and give you the advantage of changing passwords or deactivating cards before an event takes place.

10) Have a “cybersecurity day” for yourself.

One of the best things you can do to prevent a cybersecurity incident is to stay up to date. So pick a day each month to be your “cybersecurity day.” Update all of your computers, laptops, tablets, phones, and other devices with any pending system or app updates on this designated day. In addition, this is a great day to verify your backup solution discussed in tip #7!

~~~

Get even more tips and tricks—and learn how 2U helps safeguard data and privacy for our university partners—in this leadership profile on Andres Andreu, 2U's SVP of cybersecurity.
