Imagine the strongest vault door you’ve ever seen for a bank. How would you get in? Do you set explosives to get through the thick wall? Do you focus on picking the lock that opens the door? Or do you ask the person with the key to open the door?
“In many technological areas, we’ve already raised the bar significantly to make a hacker’s job harder,” says Ben Focht, manager of the cyber security team at Nelnet (the parent company of FACTS). “That’s why it’s so much easier and more profitable to target the people who have access.”
One of the most common tactics used against people is phishing. In a phishing attempt, a fraudster tries to convince someone, over the phone or by email, to bypass safety procedures and hand over access to sensitive information. It could be a woman calling to ask for student information while a baby cries incessantly in the background, or an enticing email offering a downloadable file. The con artist is counting on a helpful person giving in to emotion instead of following security protocol.
“Tactics are changing all the time,” said Focht. “If you’re only using knowledge and technology from 10 years ago to protect yourself against today’s attacks, you’re essentially not protecting yourself.”
Still, it can be a tough balance between customer service and security. Schools want an open network that students and families can navigate easily, but they also want to keep everyone’s experience on that network safe. In that case, Focht recommends deciding which information is the most vital to protect and investing in your best barriers there.
“You want a depth of defense approach,” said Focht. “I’m not relying on one tool. I’m relying on a myriad of tools to reduce the risk to my institution.”
Since the biggest risk to an institution is unaware employees, it’s critical to educate individuals on personal cyber security as a first step to institutional safety.
“You can’t eliminate risk, but you can mitigate it,” said Focht. “Security’s not a big magic tool. It’s about best practices followed consistently over time.”
Accept updates and reboot.
Everyone hates when the “update now” notification pops up on their screen while they’re working on a project. It’s even worse when the computer demands to restart to implement the updates. But these patches are designed to combat the latest cyber threats and reduce long-term inconvenience for the user. Patching is your first defense against an ever-changing landscape of attacks.
Create a root passphrase.
For passwords, most people use one short word with two digits at the end (usually a year). It’s an easy pattern to crack. “When it comes to passwords, length trumps complexity,” said Focht. “We spend so much time trying to make a password that’s hard for humans to remember and easy for computers to break. We need to do the opposite.”
So he suggests using a passphrase instead, such as “Grasshoppers jump higher than children.” The length makes the phrase hard for a computer to crack but easy for a person to remember.
Never re-use a password.
If you use the same password on multiple platforms and one gets hacked, you’ve given a thief the key to more information. Trying to have a unique password for every application can seem daunting. Focht suggests slightly altering your password based on each site.
For instance, the password for Facebook could be your root passphrase with a standard addition, “Grasshoppers jump higher than children_FACE.” Twitter could have “TWITR” and LinkedIn “LNK” as the suffix added to the root phrase.
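The two pieces of advice above (length over complexity, and never reusing a password) can be turned into a simple self-check. This is an added example, not code from the article or from Nelnet; the attacker model it uses (a word list of roughly 50,000 words plus two trailing digits) is an assumption chosen to illustrate why the short-word-plus-year pattern falls so far behind a multi-word passphrase.

```python
import math
import re

# Assumed attacker model (constructed for this example, not from the article):
# a dictionary of ~50,000 common words and 100 choices for two trailing digits.
WORDLIST_SIZE = 50_000
TWO_DIGIT_CHOICES = 100

_WORD_PLUS_TWO_DIGITS = re.compile(r"^[A-Za-z]+\d{2}$")


def is_word_plus_two_digits(password: str) -> bool:
    """Flag the 'one short word + two digits' pattern the article warns about."""
    return _WORD_PLUS_TWO_DIGITS.match(password) is not None


def guess_bits(password: str) -> float:
    """Approximate log2 of the guesses an attacker needs under the model above.

    A word-plus-digits password is one dictionary lookup times 100 digit pairs.
    A passphrase of plain words is one lookup per word, so each added word
    multiplies the work by the whole dictionary. Anything else falls back to a
    per-character estimate based on the character classes present.
    """
    if is_word_plus_two_digits(password):
        return math.log2(WORDLIST_SIZE * TWO_DIGIT_CHOICES)
    words = password.split()
    if words and all(w.isalpha() for w in words):
        return len(words) * math.log2(WORDLIST_SIZE)
    charset = 0
    charset += 26 if any(c.islower() for c in password) else 0
    charset += 26 if any(c.isupper() for c in password) else 0
    charset += 10 if any(c.isdigit() for c in password) else 0
    charset += 33 if any(not c.isalnum() for c in password) else 0
    return len(password) * math.log2(max(charset, 1))


def find_reused(passwords_by_site: dict[str, str]) -> list[list[str]]:
    """Return groups of sites that share an identical password (exact reuse)."""
    groups: dict[str, list[str]] = {}
    for site, pw in passwords_by_site.items():
        groups.setdefault(pw, []).append(site)
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]
```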
Consider password creation tools.
Many password management tools will generate strong passwords for you and then fill them in when you log in.
However, they can feel a bit cumbersome. A tool installed on a single machine works only on that computer, not on your phone. If you use a cloud-based tool to share your passwords across multiple devices, you are shifting where your risk lies, because those services are themselves targets for attack.
The password management tools can be useful, but don’t assume you’re safe from attackers.
“Anything that’s easy for you makes it just as easy for an attacker,” says Focht.
Add dual-factor authentication.
Any service that lets you add dual-factor authentication increases the amount of work for a hacker. Before accepting a login, the site sends a code to your phone by text message or email, and you must enter it to validate the login.
“No method is 100 percent secure,” said Focht. “But you’re raising the bar on what it takes to hack your information.”
This article was originally published by our higher education organization, Nelnet Campus Commerce, as “The Key to Cyber Security.”