CISA recommends a series of words with symbols replacing letters in some cases. For instance, instead of the password “football,” use 1LmGBp! for the phrase “I love my Green Bay Packers!” Using a combination of upper and lowercase letters, numbers and special characters creates a password very different from any common word that could be found in a dictionary.
Other ways to protect passwords include:
• Two-factor authentication: This requires additional information to gain access to a system, such as a code sent to a cellphone to verify the person using the password is the one who created it.
• Password managers: Rather than having to remember a long list of passwords, a person need only remember one password to access all the rest of the passwords. Avoid using the same password for more than one account.
Log Out Of Apps, Websites
Whenever young people are using your network, they should be closely supervised by staff members or volunteers who have been thoroughly trained in cybersecurity best practices. One of the most important things they need to know is that they should never stay logged in to a site after they are done using it.
Consider this scenario: A youth has been playing on a gaming site using one of your devices all morning. During that time, he interacts with several other anonymous users who know him only by his screen name. Instead of exiting the game, he walks away for lunch, intending to return after he has eaten to continue his game.
While his account is inactive, another user who lives halfway across the country takes the opportunity to hack into your system and steal his username and password. By the time the original user returns to the game, the cybercriminal has already exited and is using the youth’s stolen information to open an account on other sites.
It’s unrealistic to expect that the youth participating in your program will remember to log themselves off every time. So, task responsible adults with checking and double-checking on them. Just one indiscretion could put one or more people at serious risk.
Find A Security Vendor
There are many companies that offer data protection technologies. Do your homework and find a vendor that will work for your individual needs. Your vendor should offer credit card and bank account security, donor fraud protections, multifactor authentication and IP security.
Develop A Written Policy
In a worst-case scenario, a cybercriminal is able to access your organization’s network while youth are playing a game. In that situation, you may be liable for significant damages — both for your organization and for the young person. Investigators will start examining your organization’s practices and determine whether you had appropriate safety measures in place.
This is where a written policy comes in. Your policy regarding cybersecurity should detail who has access to the network, when they have access, who will be supervising them while they are online and how those supervisors will be enforcing the rules. The policy should also require that supervisors show participants what acceptable behavior and usage looks like.
Conduct Criminal Background Checks
Not all threats to cybersecurity emerge from outside your organization. It could be incredibly costly for you if it turns out one of your staff members or volunteers is stealing students’ information. This is why you should perform thorough background checks on every person who will be working with your program — both at the start of their employment, and every two to three years afterward. These checks will determine whether the candidate has ever been charged with a crime such as child abuse or cyber attacks.
Background checks aren’t enough. According to David Finkelhor, director of the Crimes Against Children Research Center, less than 10% of sexual offenders are ever criminally prosecuted. This means that more than 90% of offenders have no criminal record to check. So, while you should certainly perform background checks for all volunteers, you need to take other steps to protect children, as well. Those steps include asking applicants to:
• Submit a thorough application.
• Provide references who can give you a sense of their character.
• Participate in an interview with you and others in your organization.
Consider Cyber Liability Insurance
No matter how many protective measures you take, you are still open to liability if there are young people accessing your organization’s network. Threats range from malware or ransomware being introduced into your system, to participants’ personal information being exposed to outsiders, to cybercriminals stealing your participants’ identities. If young people at your program are actively communicating with others through their multiplayer games, they could even be the target of sexual abuse.
Insurance is the best way to protect yourself against any of these possibilities. Talk to your insurance company about what it would take to add cyber liability insurance to your policy. The amount of money it would add to your premium pales in comparison to what you might need to pay if your cybersecurity is compromised.
TO DO LIST:
• Keep Software Up To Date
• Approve System Access
• Strengthen Passwords
• Always Log Out
• Find Good Security Vendor
• Develop Policy – In Writing
• Check Backgrounds
• Get Cyber Liability Insurance
Nick Vaernhoej is assistant vice president, IT chief information security officer at Church Mutual Insurance Company, S.I. (a stock insurer). Reach him at [email protected]