Brushing up on cybersecurity
With Data Privacy Day this week, campus expert offers timely advice on safeguarding sensitive digital information
Equating digital data security to personal hygiene might not be the most obvious analogy, but it may help ensure your computer’s health.
UC Irvine’s Office of Information Technology is encouraging faculty, staff, students and community members to treat their passwords like their toothbrush in recognition of Data Privacy Day on Wednesday, Jan. 28.
“Choose a good one, change it often, and don’t share it,” says information security officer Isaac Straley.
Data Privacy Day is an international effort that aims to educate consumers about how their personal information may be exploited and inspire them to take data privacy and security into their own hands by making informed, thoughtful decisions when sharing and storing sensitive data.
“We want to get people thinking about their role in protecting information, not just their own personal information but the data about others they might have access to,” Straley says.
The day also provides an opportunity to learn about relevant campus resources, including expanded device destruction services offered by OIT and the Equipment Management Office.
Straley received Be Smart About Safety funding from the University of California Office of the President to enhance on-campus services for the disposal of corrupted devices with high-risk data. Now UCI employees can contact their information security coordinator or fill out an equipment pick-up form to ensure that their compromised electronic components, such as hard drives and flash drives, are collected and handled appropriately. The form should note that the device contains sensitive information and needs to be destroyed.
“You don’t have to be an IT person to be concerned about data security,” says Tawny Luu, director of UCI’s Public Records Office. “Everybody should be concerned about data protection. No one is looking over your shoulder to monitor how you’re using your computer – it’s one of the great things about this institution. That said, you have to be proactive about information security.”
Here, Straley offers advice on how to do just that:
Q. How do you define high-risk data?
A. Some examples would be Social Security numbers, health information, financial information, credit card numbers, bank account numbers and, in some cases, taxpayer ID numbers. Imagine it’s your information, and it was published in a newspaper. If your stomach drops at that thought, you should be mindful of the way you’re handling that information.
Q. What are the biggest risks associated with insufficient data security?
A. We’re mostly concerned about data getting into unauthorized hands and people using it to commit identity theft. If they’re not careful, people could end up with serious IRS problems or even be accused of medical insurance fraud. Those are some significant hard consequences, but there are also security breaches with softer consequences that can affect one’s reputation. As an academic institution, one of our most valuable resources is the research that we do. At UCI, we need to live by the values that make us special as an institution. We understand that information should be free, but it should also be protected.
Q. How do I select a secure password?
A. Treat your password like your toothbrush. Choose a good one, change it often, and don’t share it. You want a password that’s long and complex and that nobody can guess. The more you’re thinking about needing a good password, the more likely you are to choose something a little more complex. I really like phrases that are unique and uncommon. If you use a 36-character phrase, it’s mathematically more complex than an eight-character password with various requirements (like capitalization and special characters). You want to take into account what’s being protected. Changing your password every six months is a pretty good time frame for most people. You should also avoid using the same password for multiple services.
Q. What other tips would you give someone on campus to make sure their information is secure and protected?
A. It’s important to know what data you have. It sounds kind of laughable at first, but when you really think about it, do you know what data you have? Do you know how sensitive it is and where it’s stored? You may have just one piece of high-risk data, but it’s located in your email, in the cloud and on your hard drive. Knowing what you have and thinking about where it is and where you transmit it is very important.
Using the same device to access different levels of data should be avoided. If you’re doing something that involves the use of really sensitive data, like medical records or Social Security numbers, think about checking your email or browsing websites on another system. Nowadays, attackers have gotten really good at inserting malicious code into ad networks. You may go to a legitimate website that uses third-party services to host ads. Those advertisements could potentially carry malicious software that can infect your computer.
Q. What should people do if they think their data or device has been compromised?
A. The most important thing is to contact somebody who can help. Most departments have an information security coordinator who should be the first person to assess the situation and determine if there has been a data breach. A problem we come across is that people try to clean their computers by themselves. If a computer with sensitive information on it has been compromised, trying to use anti-virus software to clean it doesn’t really do us any good. When your computer is infected with a virus, there’s pretty much no way to get rid of it without reformatting. If necessary, a user can access the campus’s device destruction services.