It's safe to state that everyone has read the nearly continuous stream of media articles in recent years about massive thefts of personal and financial information. It’s also safe to say that nearly everyone reading this internal control article has varying levels of access to software systems supporting their district’s financial accounting, payroll, human resources or student information systems. Accordingly, it is timely to discuss a few of the more basic controls to minimize avoidable risks to our organization, because the risks of being the next newspaper article are greater than ever as the use of mobile devices proliferates.
The first basic rule involves the continuous remote connectivity capabilities of mobile devices, and the expanding proliferation of free Wi-Fi networks in hotels, restaurants, coffee bars and other spaces people visit. These free networks are very convenient, but you should STOP and THINK about certain security risks the next time you consider connecting to a free public network. If you must connect to a public Wi-Fi network, never shop online, access your school district’s networks, access your personal financial institution’s web site or access other sensitive systems. Also, be sure to turn off the Wi-Fi auto-connect feature on your mobile device so your device will not automatically seek and connect to hotspots in the area (another person’s hotspot is definitely suspect if you don’t have to ask for the password to connect). You should also proactively use two-factor authentication when signing onto sensitive systems, as an additional layer of protection if your login and password to a system are ever compromised. We continue to live in a wild, wild West where cybercriminals never cease in their efforts to access our personal and financial information. Simply said, your school district’s financial assets are too valuable to risk for the convenience of connecting to a free Wi-Fi network, and trying to avoid fees for the use of air cards or hotspots for Wi-Fi access is virtually guaranteed to have tragic consequences over the long run.
A second basic rule involves rigorous adherence to secure password practices. A few basic tips for secure passwords include:
- Use passwords that are at least 12 to 15 characters long. The number of characters should be your first priority over other recommendations for secure passwords. So by all means get this recommended practice right.
- Use a password that no one else would probably think of, so avoid common sports and pop culture terms.
- Add special characters, including digits, symbols and capital letters, throughout the middle of the password. Don’t just add one special character at the beginning or end of the password.
- Use unique passwords for each of your sensitive accounts. Remember that your efforts to keep your important accounts secure will be no stronger than a single weak link.
- Use a password manager to avoid the practice of recording potentially insecure lists of passwords.
A third basic rule is to direct employees to never open an even remotely suspect email from an unknown sender, especially if there is an attachment, without assistance from the technology department. Hopefully any suspect emails are automatically quarantined by the school district’s up-to-date virus scanning and other network security systems. However, no security system is perfect so all employees must always be alert.
The school district’s employee handbook needs to cover these basic rules, and all employees need to be required to complete and sign the handbook signature page related to this topic before they are provided login credentials to the school district’s software systems and networks.
The above tips are relatively easy to follow to thwart most of the less-sophisticated cybercriminals, which will help ensure your school district is not the next newspaper article. Even with the best of systems, security events will eventually happen; however, the district should be effectively insulated from issues relating to avoidable risks. You may also consider hiring a consultant to do a gap analysis related to technology system best practices involving security if you have any questions about your district's status.