The recent Office of Personnel Management (OPM) data breach has everyone on edge. The personal information of approximately 4 million current and former federal employees may have been compromised by hackers. The OPM will be contacting those affected by June 19, 2015, and the OPM website has a lot of information about the data breach and what all federal employees should know.
Even if your data was not part of the OPM breach, this is a reminder to pay attention to keeping your personal and work information secure. You might be doing things that put your agency at risk and not even know it.
Here are seven ways you could be putting your agency at risk:
1. Accessing work systems and information from personal devices and accounts
If you send work documents to your personal email account, log in to your work accounts from your personal computer or phone, or put work files onto a USB device, a cloud server like Dropbox or Google Drive, or other file storage, you’re potentially doing your agency more harm than good.
While you might think you’re being an efficient employee, using personal devices and accounts for work can put agency data at risk. Only use personal devices and accounts for work when you have been given explicit permission by your agency’s IT or security staff. If anything happens that might compromise the security of your approved personal device or account, report it to your agency immediately.
2. Working on a free public wi-fi connection
Before you start working from a coffee shop, think about the security—or lack thereof—of free public wi-fi. Never trust a free wi-fi signal if you don’t know who manages it. Hackers might set up fake free wi-fi and use it to steal your data, files, and passwords. Even if you know it’s legit wi-fi, scammers can also grab your data if the wi-fi signal is unencrypted.
If you’re thinking of using wi-fi at a coffee shop, hotel, library, or anywhere outside of work, make sure you secure the information on your phone or your computer. Turn off file sharing (Windows/Mac). Check that website URLs begin with “https.” Make sure your virus protection software and firewall are enabled and up-to-date. Update your operating system, browsers, plugins, apps, and other software to close known security holes. Delete the credentials of any wi-fi accounts you use. Use a VPN service. Never use a wi-fi connection outside of work for anything that could put your agency’s or other government data at risk. And remember, if the free wi-fi seems too good to be true, it probably is.
3. Falling for a phishing attempt
Hacks like the OPM data breach aren’t the only way that someone will try to get access to your information. Hackers may come after you and your data through a phishing attempt, which can take the form of an email, text message, instant message, letter, or phone call.
Phishing is not always obvious. The attempts are often very sneaky or downright evil. “Social engineering” is where a scammer manipulates human behavior to get the information they want. They’ll create elaborate mock emails and websites that look like the real thing. They’ll use your emotions against you by offering temptations, making threats, holding your data ransom, and using other trickery. They’ll impersonate people and companies you trust.
When in doubt, check it out. Before clicking on any links, check that the message you’ve received is legitimate. Learn how to recognize phishing emails and sites and spot suspicious email attachments.
4. Not reporting a phishing attempt or identity theft
When you work for the government, a phishing attempt or successful identity theft may be an attempt to do more than rack up charges on your credit card. Someone may be trying to use your personal information to gain access to agency information or systems. Or, they may be looking for skeletons in your closet that can be used to pressure you into revealing sensitive information.
If someone has tried phishing for your information, or if your personal information or your identity has been stolen, reporting it promptly can help your agency keep its data secure. Let your supervisor or your IT security staff know the details, including website screenshots, notes about any phone calls you receive, or copies of emails, IMs, or texts. If your identity has been stolen or your personal information has been compromised, the FTC’s IdentityTheft.gov provides guidelines on what to do.
5. Practicing poor password security
Have you written passwords on a piece of paper? Do you store your passwords in a spreadsheet? Do you use the same password for multiple accounts? Is your password easy to guess? These are serious signs of poor password security.
For better password security, avoid the most common passwords and instead choose a really strong password. Use a password manager like LastPass, Dashlane, 1Password, or Kaspersky Password Manager to store your passwords and help you create strong passwords. If you want to use a password manager at work, check with your agency’s IT staff to make sure the one you choose is approved.
Sending a password to someone by email or instant message can put the security of your accounts at risk. Instead, hop on the phone or securely share the password using your password manager (a feature offered by LastPass and others).
6. Not monitoring your accounts for irregular activity
The sooner you spot a problem, the sooner you can take care of it. Regularly check your accounts for unusual activity. Review your credit card and banking statements once a month or more. Check your credit report annually or more often, and consider signing up for a credit monitoring service. Check your email inboxes, social media accounts, cloud storage, photo and music sites, and other accounts for signs that someone has gained access.
Whenever available, turn on two-factor authentication to help secure your accounts—it’s one of the best ways to protect your accounts from being hacked. As Matt Cutts explained, “Two-factor authentication means ‘something you know’ (like a password) and ‘something you have,’ which can be an object like a phone.” Both are needed to log in to a site. Twofactorauth.org lists which sites offer two-factor authentication.
7. Not adhering to your agency’s security policies
Your agency has put security policies in place to help protect its data, your data, and the data of the people you serve. Follow the rules to the letter and request training or support if you need help.
What other ways can you help keep your agency’s data secure? Share your tips in the comments.