I recently volunteered as an AV tech at a science communication conference in Portland, OR. There, I handled the computers of a large number of presenters, all scientists and communicators who were passionate about their topic and occasionally laissez-faire about their system security.
As exacting as they were with the science, I found many didn’t actually see a point to the security policies their institutions had, or they had actively circumvented them.
A short survey turned up reasoning like:
- My college doesn’t actually care.
- It takes too long, so I disabled it.
- I *want* my data to be accessible by other scientists. Why should we secure it?
- I have bigger things to worry about – you know my research is on <insert critical issue>?
- Too many systems require passwords, so I just use the same one.
- I travel a lot, so I automatically connect to open WiFi networks.
- All my stuff is on Google Docs anyway.
- Set up the computers to take updates automatically. An old or unpatched OS has known security vulnerabilities that can be exploited or even just bugs you could hit by accident. This might include putting a habitual reboot into your schedule, which many folks forget to do for weeks on end.
- Use a password vault and have a different password for each tool or data store. The vault has a master password, which can be something a human can remember, for instance four unrelated words strung together. The individual tools can then have unintelligible passwords if required, because you log in via the vault and do not have to retype the long, secure passwords.
- Have an antivirus tool installed and confirm the signatures get updated regularly. If it needs to be turned off to do an install, be sure it gets turned on again. If it stops working, get assistance.
- Only connect to trusted networks. The coffee shop may be fine, but be skeptical of miscellaneous hotspots, which may be inspecting the data being transmitted.
- Read the institution’s security policy.