One of the more dubious perks of studying cybersecurity is the sheer number of mandatory security trainings I’m called upon to help friends and family members complete at the beginning of the academic year. In many ways, this is a good sign: When I was a student, there were no mandatory cybersecurity trainings for the students, faculty, and staff on college campuses—and the devices and accounts on those campuses were routinely compromised. But as pleased as I am that universities are devoting more time and resources to raising awareness about online risks, I often find myself frustrated with these training modules for focusing on such obvious, unhelpful, or unproductive lessons. It’s a massive missed opportunity to provide some genuinely useful guidance instead of lengthy videos portraying extended hypothetical scenarios, the upshot of which is, inevitably, that you shouldn’t write your password on a Post-it note stuck to your computer screen.
In the past few years, universities—like everyone else—have become increasingly aware of online threats. Campuses have seen their payroll systems compromised by criminals who steal faculty and staff passwords, often by means of phishing emails, and then use those credentials to redirect direct deposit salary payments. Several have been targeted by ransomware attacks—including, just in the past month, Regis University and Stevens Institute of Technology. Some have seen email accounts compromised and used to send out those phishing messages because emails sent from authenticated addresses ending in .edu are often able to evade spam filters. The risk of intellectual property theft looms large for some campuses, as does the risk of spies or criminals using compromised servers on U.S. campuses as “hop points” to route an attack directed at another target, like a government agency or private company.
So it’s very much to their credit that so many schools have invested in security measures like two-factor authentication, automated backups of school systems, and training modules to educate their campus communities about the risks of phishing, malware, and weak passwords. But having sat through far more than my share of these trainings, I am consistently surprised by how much they seem to skip over a few essential, useful, nonobvious points about cybersecurity.
For instance, one training had eight multiple-choice questions, one of which asked participants to identify something that was NOT a reason for them to understand why cybersecurity is important. The correct answer? “Attackers love it when potential victims understand how to defend themselves.” Another question asked whether the statement “I should use the same password for every account” was true or false. Another training, at a different school, asked respondents what the best metaphor for a firewall would be, if that firewall were a person. (Correct answer: someone in the workplace who strictly enforces all rules and policies.) If you’re going to impart eight pieces of wisdom to everyone at the start of the school year, these are not the ones I would choose!
So, in the spirit of constructive criticism, and in hopes of eliminating long, un-fast-forward-able videos on the myriad threats of cyberspace, here are the things I think everyone on a college campus should know for the new school year:
1. Stop complaining about needing to log in to your email and your virtual private network with two-factor authentication. According to a new report from Microsoft, it helps prevent more than 99 percent of attempted account compromises. That means it protects your VPN from being compromised and protects your email account from being hijacked to send spam (and, if you’re on the payroll, it keeps your paycheck safe). If it’s also required to access library databases or course management websites, that’s probably because administrators are concerned about protecting copyrighted materials stored on those networks. That’s a valid concern, but I, personally, would prefer to put as few barriers as possible between my students and the assigned readings, so I’ll permit some complaining about these restrictions.
2. Use the VPN when you’re off-campus or not at home, especially when you’re somewhere with unsecured Wi-Fi or in a foreign country whose networks you have reason to mistrust. If you’re traveling to China or Russia for work, ask your university information technology department to provide you with a clean burner laptop to use for travel.
3. Don’t respond to any emails or phone calls asking you for your passwords or other login credentials. Yes, even if they have your university logo at the top and they come from “IT SYSTEMS SUPPORT” and the subject line is “URGENT: ACCOUNT EXPIRATION.” If you’re legitimately concerned that something may be wrong, look up your college’s IT help desk number and call them and ask. Do not call the number included in the email!
4. If you click on the links in emails telling you to log in to a university system, always double-check, when the webpage loads, that the beginning of the address really is your school’s domain and that it has established a secure connection. (Don’t fall for tutfs.edu for tufts.edu, for instance.) If you have any doubt at all about the link or can’t see the full URL in the email, open up a new browser window and search for the relevant login page to be sure you’re not being misdirected.
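Tip 4 is easier to apply mechanically than it sounds, so here is a small checker, added as an example and not part of the original article, that applies the two tests it names (the connection is HTTPS, and the host really belongs to the school) and also flags a look-alike such as tutfs.edu. The school domain, the sample links and the edit-distance threshold are assumptions for this example. One caveat a practitioner would want: the check is on the end of the hostname, not its beginning, because a host like tufts.edu.example.test also starts with the school's domain, and a link of the form https://tufts.edu@example.test puts the school's name in the username field while the browser actually connects to example.test.

```python
from urllib.parse import urlsplit

# Assumption for this example: the domain the user expects to log in to.
SCHOOL_DOMAIN = "tufts.edu"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(host: str, school_domain: str, max_distance: int = 2) -> bool:
    """True if the last two labels of host are within max_distance edits of the school domain.
    Taking the last two labels is a simplification (no public suffix list) that is fine for .edu."""
    registrable = ".".join(host.split(".")[-2:])
    return 0 < edit_distance(registrable, school_domain) <= max_distance


def check_login_url(url: str, school_domain: str = SCHOOL_DOMAIN) -> list[str]:
    """Return the reasons a login link fails tip 4; an empty list means it passed."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append(f"not a secure connection (scheme is {parts.scheme or 'missing'!r})")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        problems.append("no hostname in the link")
        return problems
    if parts.username is not None:
        problems.append("link contains '@', which hides the real host")
    # The school's domain must be the whole host or a dotted suffix of it.
    if not (host == school_domain or host.endswith("." + school_domain)):
        problems.append(f"host {host!r} is not under {school_domain!r}")
        if looks_alike(host, school_domain):
            problems.append(f"host {host!r} is a look-alike of {school_domain!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample links: one genuine, three of the kinds the tip warns about.
    for link in (
        "https://login.tufts.edu/saml",
        "https://tutfs.edu/login",
        "http://tufts.edu.example.test/login",
        "https://tufts.edu@example.test/",
    ):
        print(link, "->", check_login_url(link) or "OK")
```

If the link in the email is shortened or hidden behind display text, the tip's fallback still applies: skip the link and search for the login page yourself, then run the check on the address you actually land on.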
5. Don’t open attachments that you weren’t expecting to receive or that seem even remotely suspicious—especially if they have a file type you don’t often see or even don’t recognize at the end of their names (.zip, .rar, .exe, .jar) or if they don’t have any file type extension at all. If your school uses a web-based email program, like G Suite for Education or Outlook Web App, you can often preview certain types of attachments or open them as webpages before downloading them onto your computer.
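The attachment rule in tip 5 can be written down as a short triage routine. The following is an added example, not code from the article: given a filename and whether the message was expected, it returns block, preview (open it in the webmail viewer without downloading) or open. The extension lists extend the four types the tip names with a few other common executable formats and are assumptions for this example, as are the sample filenames; it also calls out the double-extension disguise (invoice.pdf.exe), which a mail client that hides extensions shows as invoice.pdf.

```python
import os

# Assumption: archive and executable types to refuse outright. The first four are from the tip.
RISKY_EXTENSIONS = {".zip", ".rar", ".exe", ".jar", ".7z", ".js", ".vbs", ".scr",
                    ".bat", ".cmd", ".ps1", ".iso", ".lnk", ".hta"}
# Assumption: types that web-based mail can usually render in the browser without a download.
PREVIEWABLE = {".pdf", ".png", ".jpg", ".jpeg", ".gif", ".txt", ".docx", ".xlsx", ".pptx"}


def triage_attachment(filename: str, expected: bool = False) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'block', 'preview' or 'open'."""
    name = filename.strip().lower()
    base, ext = os.path.splitext(name)
    if not ext or ext == ".":
        return ("block", "no file type extension")
    hidden = os.path.splitext(base)[1]  # '.pdf' in 'invoice.pdf.exe'
    if ext in RISKY_EXTENSIONS:
        why = f"{ext} is an archive or executable type"
        if hidden:
            why += f"; the {hidden} in front of it is a disguise (double extension)"
        return ("block", why)
    if not expected:
        if ext in PREVIEWABLE:
            return ("preview", f"unexpected {ext}; view it in the browser before downloading")
        return ("block", f"unexpected {ext} with no safe in-browser preview")
    return ("open", f"expected {ext}")


if __name__ == "__main__":
    # Constructed sample attachments, not taken from any real message.
    samples = [("syllabus.pdf", True), ("invoice.pdf.exe", False),
               ("scan", False), ("photo.jpg", False), ("notes.odt", False)]
    for fname, was_expected in samples:
        verdict, reason = triage_attachment(fname, expected=was_expected)
        print(f"{fname:18} expected={was_expected!s:5} -> {verdict}: {reason}")
```

The expected flag is deliberately the first thing a person has to decide, since the tip's real test is "were you expecting this?" and the extension list only catches the obvious cases.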
6. Enable full disk encryption on your computer. This is easy to do for both Mac and Windows computers. You should also make sure it locks and requires a password to access after being left untouched for five minutes.
7. Set up a system for online backups of your hard drive. Pick a cloud-based storage system like Dropbox, Box, iCloud, Google Drive, or whatever service your school subscribes to. Additionally, choose a physical, offline backup system (an external hard drive or a USB drive), and set a reminder on your calendar to connect it to your computer and back up everything you care about to that at least once per week (and yes, ideally, you should encrypt that hard drive or USB drive, too). Don’t start the school year without feeling confident that if your laptop fell into the ocean, was stolen, or was infected by ransomware, you would be able to start over from scratch without losing anything important. You may be confident you would never fall for any malware masquerading as an emailed calendar invite (though don’t get too cocky there—we are all fallible), but your computer is connected to a larger campus network. Imagine your most gullible co-worker or classmate or student. Your security could be in their hands. Make sure you’re in a position to recover from their mistakes, as well as your own.
8. Never pay online extortion demands. It just encourages more ransomware attacks, and you might not get your information back anyway.
9. Never give someone remote access to your computer. Even if they say they’re calling from IT! Even if they know your name and your password and your ID number!
10. Whenever you start to wonder whether something is maybe a little bit funny about an online message or phone call, it’s always better to take a little more time to check things out before responding. Even—especially—if you’re being told that your boss or someone you love has been in a car accident and needs a gift card immediately.
11. Actually, that last one deserves its own tip. Always beware emailed requests for gift cards.