I changed my privacy settings, did you?
Who among us didn’t review our Facebook privacy settings this past March? Were you spurred to do so by the Cambridge Analytica news? By Facebook’s full-page apology in the New York Times? Perhaps you are naturally cautious and just happen to always review your social media privacy settings on the second-to-last Sunday in March?
That Facebook was sharing more data than it stated really shouldn’t come as a surprise. That another organization didn’t delete data when it promised to do so and used it for other purposes shouldn’t be a surprise either. Yet it continues to be a bitter pill to swallow that the best defense against these vendor “oversharing” violations is a fundamental change in user behavior—especially for people who simply want to share photos of their latest family celebration or what they ate for dinner at the fancy restaurant last night, or circulate the social and political views closest to their heart.
Higher education information security and privacy professionals have long recognized that changing user behavior is at the core of any successful information security awareness strategy. When the higher education information security community first started to organize in the early 2000s, it recognized the importance of convening people to develop and share effective cybersecurity practices and of promoting cybersecurity awareness to the wider higher education community. Cybersecurity awareness is just as important today, and higher education practitioners continue to evolve and refine their approaches to information security awareness education.
Cybersecurity consultant Jessica Barker recently spoke at the 2018 EDUCAUSE Security Professionals Conference about the importance of cybersecurity awareness and suggested that approaching this type of awareness by emphasizing good cybersecurity hygiene practices, instead of highlighting the poor practices one must avoid, might lead to a more informed and security-savvy end-user.
Information security is the number one issue facing higher education IT organizations today, and effective awareness is crucial to informing higher-ed professionals about best security practices. This includes promoting data security and privacy literacy in an environment where resource constraints may mean that the most exciting up-and-coming security technologies are beyond the reach of even the best-funded IT organizations.
Many end users may have been caught off guard earlier this year with the news about Facebook and Cambridge Analytica. Teaching end users how to protect themselves is an essential step toward protecting the data of a larger enterprise, whether an ongoing business concern or a higher education institution. And the results are reflexive: any security hygiene practices learned and employed at work to secure organizational resources can be used to help secure a user’s personal data as well (and vice versa).
Here are some quick tips to help end users protect data at work, on campus and at home:
Use different passwords for every single account as well as a password manager tool to help keep track of all the different passwords. In most applications, passwords are coupled with an email address to grant you access to the application. Reusing an email and password combination runs the risk of having multiple resources compromised if a single password is exposed. At the very least, make sure that sensitive accounts (e.g., bank accounts, credit card accounts, work accounts) all have different passwords.
Be very suspicious of unsolicited requests received via electronic communications. Sometimes these types of communications are used to steal data or spread malware. Today’s phishing scams are far more sophisticated than the “prince in a far-off land” schemes of 10 years ago. Any unsolicited request that asks you to follow an embedded link, open an attachment, share personal credentials, enter banking information, or provide additional personal information should be reviewed with a critical eye. When possible, use another communication mechanism to verify that the first communication was authentic before navigating to a website, providing data, or opening an attachment.
Limit the types of personal data that you share via apps and other online services whenever possible. Often organizations and applications ask to use or access far more data than they need in order to offer you goods and services. They do this to build a user profile of you and serve additional advertisements. Read the user agreements before you download a new game or use a new service to see what your information will be used for and who it might be shared with. You may decide that using the new service is worth sharing your Facebook friends list, or you may decide to forgo the new service because it asks for too much data.
Improving data security and privacy literacy is something that transcends and can unite every industry sector. The higher education approach to creating effective awareness and education programs, focusing on community, collaboration, and conviction, is something that any industry sector can emulate to improve user behavior.