Imagine the strongest vault door you’ve ever seen for a bank. How would you get in? Do you set explosives to get through the thick wall? Do you focus on picking the lock that opens the door? Or do you ask the person with the key to open the door?
“In many technological areas, we’ve already raised the bar significantly to make a hacker’s job harder,” says Ben Focht, manager of Nelnet Inc.’s cybersecurity team. “That’s why it’s so much easier and more profitable to target the people who have access.”
One of the most common tactics to target people is through phishing campaigns. In that instance, a fraudster tries to convince someone over the phone or via email to bypass safety procedures and give access to sensitive information. It could be a woman calling and needing her password while a baby cries incessantly in the background, or an enticing email providing a downloadable file. The con artist is relying on a helpful person giving into emotions, instead of following security protocol.
“Tactics are changing all the time,” says Ben. “If you’re only using knowledge and technology from 10 years ago to protect yourself against today’s attacks, you’re essentially not protecting yourself.”
Still, it can be a tough balance between customer service and security. Universities want an open network for students and families to navigate, but also want to keep everyone’s experience on the network safe. In that case, Ben recommends choosing which information is the most vital to protect and invest in your best barriers there.
“You want a depth of defense approach,” says Ben. “I’m not relying on one tool. I’m relying on a myriad of tools to reduce my risk and my institution’s.”
Since the biggest risk to an institution is unaware employees, educating individuals on personal cybersecurity is the first critical step in institution safety.
“You can’t eliminate risk, but you can mitigate it,” says Ben. “Security’s not a big magic tool. It’s about best practices followed consistently over time.”
Accept updates and reboot.
Everyone hates when the “update now” notification pops up on their screen while they’re working on a project. It’s even worse when the computer demands to restart to implement the updates. But these patches are designed to combat the latest cyber threats, and reduce long-term inconvenience. Patching is your first defense against an ever-changing landscape of attacks.
Create a root passphrase.
For passwords, most people use one short word with two digits at the end (usually referring to a year). It’s an easy pattern to hack.
“When it comes to passwords, length trumps complexity,” says Ben. “We spend so much time trying to make a password that’s hard for humans to remember and easy for computers to break. We need to do the opposite.”
So Ben suggests using a passphrase instead like, “The snow outside is piled high.” The length makes the phrase hard for a computer to decipher, but easy for a person to remember.
Never re-use a password.
If you use the same password on multiple platforms and one gets hacked, you’ve given a thief the key to more information.
Trying to have a unique password for every application can seem daunting. Ben suggests slightly altering your password based on each site.
For instance, the password for Facebook could be your root passphrase with a standard change, “The snow outside is piled high_FACE.” Twitter could have “TWITR” and LinkedIn “LNK” as the addendum to the root phrase.
Consider password creation tools.
There is a lot of password management software available that allows you to create tough passwords and then logs in for you.
However, they can feel a bit cumbersome. If you use a machine-based program, it only works on your computer, but doesn’t work with your phone. If you use a cloud-based tool to share your passwords across multiple devices, you’re transferring where your risk lies, because the tools themselves are prone to attacks.
The password management tools can be useful, but don’t assume you’re safe from attackers.
Anything that’s easy for you, makes it just as easy for an attacker,” says Ben.
Add dual-factor authentication.
Any service that allows you to add dual-factor authentication increases the amount of work for a hacker. This means that before accepting a login, a site sends you a number via text or email to your phone for validation.
“No method is 100 percent secure,” says Ben. “But you’re raising the bar on what it takes to hack your information.”
Ben Focht is a manager of the Cyber Security team at Nelnet who specializes in defensive strategies and tactics. He’ll be presenting a session at the 2019 Bursars SFS conference in San Antonio in April on common tactics to defraud students of their federal government loans and ways to increase campus cyber security and compliance.