While talking with Dewight Kramer and Tye Stallard about the new security training videos now available at UC Davis (see "New videos for UC Davis amp up your information security awareness in less than an hour"), we asked, "What are the most common cyber-security mistakes people make on campus?" Their answer had several parts:
The biggest mistake is that people don't consider themselves a target. They think, 'What do I have that would be so important?' You\031d be amazed by the novel business cases that hackers can create by compromising an account, even if there's nothing in the account. They'll leverage your account to use the access you have.
That is the fundamental underlying issue. It leads to symptoms that include, for example, clicking on phishing, or not encrypting your laptop. If your laptop is lost or stolen, and the information is not encrypted, then the information is now freely available to whoever took it.
Another big one: People don't recognize the trust the students give us. Let's say I deal with files all day long, and have for years. Part of my job is dealing with student information. Those students have to trust me as part of my job. Everything's on the up and up, but when I don't take that trust seriously, when I copy something off up to the web because I'm going to work on that file at my home computer, that puts students' identity information on the Internet. When my kids start clicking on my home computer, who knows what will happen to the security of my home computer with that personal information?
You need to know you're a target, and you need to know your responsibility. You might protect your own information to a degree, but you should protect information that doesn't belong to you just as much. In fact, y ou might need to protect that other information better than you do your own. People do not think they are a target, so they keep very loose controls of their personal information. That is their right, but they should treat others' information better, and keep it secure.