The bad news...
Data breaches have compromised the private information of one in five Americans, and cybercriminals are estimated to make $160 billion selling stolen data. Stolen data is profitable, so criminals are always looking for new ways to get at our most sensitive and most important information.
Many of us access and use data but don't always consider how well we're protecting it. Do you ever think about what and how much data you have and share online? Do you know how to protect that data to ensure it stays out of the hands of bad actors?
When it comes to what we share and store online, we can never be too careful with our information.
The good news...
Protecting your online information is easier when you know your risk. Once you know your risk, you can "make your match": choose systems that protect your data at the level it needs. Let us show you how to build your cyber muscles and protect both your work and personal information.
Know Your Risk 101
Would you leave your wallet on the dashboard of your car? A better option might be to lock it away in your glove compartment. Or, better yet, carry the wallet with you. Simply put, knowing something's risk allows us to protect it properly.
Know Your Risk at Yale & at Home
Some data is meant to be shared. Some data may be highly confidential. And some data will fall somewhere in between. Yale uses three classifications of risk that help us know how to protect the data we work with.
Protect Your Personal Data
How are you protecting your high-risk data? Do you know where it's stored and who has access to it? Once you know your risk, you can make sure your personal information is protected at the right level.
Protect Yale Data
Got MSS? MSS stands for Yale's Minimum Security Standards. The MSS are the foundation of how Yale protects its data and systems, and they are tied to Yale's risk classifications. Read on to learn more about how Yale classifies risk and what the MSS require.
Make Your Match
At Yale, data is not the only thing given a risk classification. The IT Systems we work with are classified, too. To work securely, we must match the risk of our data with a system that is classified for that level of risk or higher.
Ways to Win!
Interested in some additional Know Your Risk resources and some exclusive new Know Your Risk swag? Download and use the resources, then enter to win!
Know Your Risk 101
When you know your risk, you’re working securely in a way that makes sense.
Knowing your risk is all about protecting our data and systems based on the risk they carry. Does it make sense to pay $100 for a lock to protect a $50 bike? Would you make your credit card information publicly available for strangers to see? Of course not. Knowing your risk means applying security in proportion to what you are trying to protect.
The Goldilocks Dilemma
Remember the story of Goldilocks and the Three Bears?
This is an easy way to remember why knowing your risk is so important.
Doing "too little" security
If we don’t apply enough security to our data and systems, we are putting our important information at risk.
At Yale, doing too little can have major financial and reputational consequences. It can also make our data and systems unavailable when we need them most.
At home, doing too little puts what's important to you at risk. This can result in financial loss, identity theft, or exposure to your private data.
Doing "too much" security
Doing too much security can also be a costly mistake. Security controls cost money, time, and resources to maintain, and controls that are heavier than the data warrants get in the way of the work we are doing.
Yale requires an open technology environment to deliver its mission. This means we can't secure all data the same way.
The same goes for security at home. Do you store all your belongings in a safe or just the ones you value most? We want to apply this mentality to the way we protect our information online.
Getting security "just right"
Knowing our risk helps us get security “just right”.
This allows us to identify our most valuable data, at Yale and at home, and protect it accordingly. It also allows us to share data freely where sharing is appropriate.
Knowing our risk provides the balance we need to make security make sense. Without knowing the risk of the work we do, we can’t protect it appropriately.
Know Your Risk at Yale & at Home
The most important step: Know Your Risk
Whether you're working with Yale data or your personal data, you can't protect what you have if you don't know what you have. Knowing the risk (the sensitivity, confidentiality, or importance of the data) is the first step to protecting it correctly.
Stop. Don't share.
Yale data is classified as High Risk if any of the following applies:
- It can be exploited for criminal purposes.
- It would customarily be shared only with an individual's family, doctor, lawyer, accountant, etc.
- Yale is contractually obligated to keep the data confidential.
- The data is essential to the delivery of Yale's mission and is not easily replaceable.
Slow down. Think before you share.
Yale data is classified as Moderate Risk if it meets no High Risk criterion and either of the following applies:
- The data is not generally available to the public.
- The loss of confidentiality, integrity, or availability of the data would cause harm to Yale's mission or reputation.
Go ahead and share! It's public data.
Yale data that meets none of the criteria above is Low Risk: it is public data and can be shared freely.
Protect your personal data
Protecting what you have is all about thinking of where you access and store your data. Is your high-risk data accessed and stored in a secure place? How can you be sure?
While there's no official policy for protecting data at home, we should take the same precautions as we would at Yale. Read below for tips on how to know where your most sensitive and important information is and protect it accordingly.
Where is your personal high-risk data stored?
If you're storing this data directly on a device (e.g. your laptop, desktop, or mobile device):
- Enroll the device in auto-updates.
- Protect the device with a strong password.
- Ensure the device is encrypted.
- Add password protection to individual files that contain your personal high-risk data.
If you're storing this data in an application:
- Enroll the application in auto-updates.
- Use a strong, unique password to access the application. It should be different from the password used to unlock the device, and you should turn on multi-factor authentication if the application offers it.
- Limit who can access that information within the application to only those who need to access it.
Can you limit the number of places your personal high-risk data is stored?
- Limit the number of places your sensitive data is stored. This decreases the number of ways a cybercriminal can gain access to it.
- If the data is no longer needed, delete it.
Can you limit the number of people who have access to the devices/applications that store your high-risk data?
- Limit who has access to where your high-risk data is stored. The fewer people with access, the better.
- Ensure children or others with access to the device are using it securely. Online games and downloads are a common way for malware to get onto a device, and once the device is compromised, any high-risk files stored on it are exposed to whoever controls it.
Protect Yale data
No matter what you do at Yale, you play an important role in protecting your information.
Once you know the risk of the data you have, you need to protect it accordingly.
Read below for tips and tools on:
- How to know the risk of the data you work with at Yale
- How Yale protects its data and IT Systems based on risk
- Your role in protecting the Yale data you work with every day
How do I know the risk of the data I access at Yale?
There are two key elements to consider when thinking about the risk of the data you have access to at Yale:
- Data classification identifies the sensitivity or confidentiality of the data
- External obligations determine whether the data is subject to third-party requirements (such as HIPAA, FERPA, or PCI DSS)
Tips & Tools to classify your data:
Watch the following short video to find out more about data classifications and external obligations at Yale.
Next, review the Data Classification Questionnaire to help determine your data's risk classification and external obligations. This questionnaire is a set of questions to help you:
- Align the sensitivity of your data with a risk level of high, moderate, or low.
- Determine if your data is subject to any common external obligations used at Yale.
Go to the Data Classification Questionnaire
How does Yale protect its data and IT Systems based on risk?
At Yale, we protect systems based on risk using our Minimum Security Standards (MSS). The MSS are baseline security requirements for protecting Yale IT Systems based on the risk they carry.
All Yale IT Systems must meet and maintain the security requirements for their risk level. Some systems are built to meet the High Risk MSS, meaning they are a secure place to access and store High Risk data. Other systems are only built to secure Moderate or Low Risk data.
What is my role in protecting the Yale data I work with every day?
As a user of Yale's data, you are responsible for:
- Knowing the risk of the data you work with every day.
- Ensuring you are accessing and storing your data in a system that is built to protect that risk level.
For more details on how to ensure you are working from systems that meet your risk level, see the Make Your Match section of the toolkit.
Make Your Match
At Yale, we classify our data and systems based on risk: high, moderate, or low. As users, we must know the risk classification of the data we use.
To ensure we are working securely, we must match the risk of our data with a system that protects that level of risk. This is what it means to "Make Your Match".
Two ways to make your match
Choose an existing service that matches the classification of your work.
Yale maintains a list of commonly used services by risk classification. To view this list, see the webpage Risk Classification of Commonly Used Services at Yale.
Build or purchase a new system and ensure it meets the Minimum Security Standards for your risk level.
For details on understanding and applying the MSS, view Yale's MSS webpage.
Make Your Match Example
As an example, let’s consider a group of users that needs to store High Risk data files securely. They can either:
Choose an existing service. For example, Microsoft Teams is a file sharing and storage service that is classified for High Risk data.
Build or purchase their own service. The service must be configured to meet the High Risk Minimum Security Standards.
No matter what option the group chooses, they are working securely! This is because they are either using an existing service or configuring a new one that will meet the MSS for the classification of their work (High Risk).
Can I store High Risk data in a Moderate Risk service?
What if this group wanted to use Yale Box? Yale Box is only built to secure Moderate Risk data, so it is not an acceptable place for High Risk data. If you find you are currently accessing or storing data in a service that is not protected for your risk level or higher, talk to your supervisor. As members of the Yale community, we all share responsibility for protecting Yale's data.
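The two rules above, classifying data with the questionnaire criteria and then matching it to a service rated for that level or higher, can be written down as a small policy check. The following is an added example, not code from the Yale page or the Information Security Office. The High and Moderate criteria and the Teams/Box ratings are taken from the page; the questionnaire field names, the Service class, the idea that a service declares which external obligations it is approved for, and the sample answers are assumptions made for this example. It also shows the generalization the page only hints at: a higher-rated service may hold lower-risk data, but not the reverse.

```python
"""Added example: Yale-style risk classification and Make Your Match as code.
Field names, the Service class and the obligation approvals are assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    """Ordered: a service rated for a higher level also protects lower levels."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Questionnaire criteria from the page, keyed by the level they imply.
# The keys are assumed field names; the text follows the page's wording.
HIGH_CRITERIA = {
    "criminal_exploitation": "can be exploited for criminal purposes",
    "customarily_private": "shared only with family, doctor, lawyer, accountant, etc.",
    "contractual_confidentiality": "Yale is contractually obligated to keep it confidential",
    "mission_essential": "essential to Yale's mission and not easily replaceable",
}
MODERATE_CRITERIA = {
    "not_public": "not generally available to the public",
    "loss_harms_yale": "loss of confidentiality, integrity or availability would harm Yale",
}


def classify(answers: dict) -> Risk:
    """Highest applicable criterion wins: one High answer makes the data High
    Risk no matter how many Moderate answers are also true.  Unknown keys
    raise instead of being ignored, so a misspelled field cannot silently
    downgrade a classification."""
    unknown = set(answers) - set(HIGH_CRITERIA) - set(MODERATE_CRITERIA)
    if unknown:
        raise ValueError(f"unknown questionnaire fields: {sorted(unknown)}")
    if any(answers.get(k, False) for k in HIGH_CRITERIA):
        return Risk.HIGH
    if any(answers.get(k, False) for k in MODERATE_CRITERIA):
        return Risk.MODERATE
    return Risk.LOW


@dataclass(frozen=True)
class Service:
    name: str
    rated_for: Risk                  # highest level the service is built (per MSS) to protect
    obligations: frozenset = frozenset()  # external obligations it is approved for (assumed)


def can_store(data_risk: Risk, obligations: set, service: Service) -> tuple:
    """Make Your Match: the service must be rated for the data's level or
    higher AND be approved for every external obligation the data carries.
    Returns (ok, reason) so the reason can be shown to the user."""
    if service.rated_for < data_risk:
        return (False, f"{service.name} is rated for {service.rated_for.name} data; "
                       f"{data_risk.name} data needs a {data_risk.name}-rated service")
    missing = set(obligations) - set(service.obligations)
    if missing:
        return (False, f"{service.name} is not approved for {sorted(missing)}")
    return (True, f"{service.name} is an acceptable match for {data_risk.name} data")


# Ratings for Teams and Box are as stated on the page.  The obligation set
# is empty for both because the page does not say which obligations either
# service is approved for; that is a placeholder, not a fact about Yale.
SERVICES = {
    "Microsoft Teams": Service("Microsoft Teams", Risk.HIGH),
    "Yale Box": Service("Yale Box", Risk.MODERATE),
}


def demo() -> dict:
    """Walk the page's example: a group holding files that are private and
    contractually confidential (constructed answers) picks a service."""
    answers = {"not_public": True, "contractual_confidentiality": True}
    risk = classify(answers)
    return {
        "risk": risk,
        "teams": can_store(risk, set(), SERVICES["Microsoft Teams"]),
        "box": can_store(risk, set(), SERVICES["Yale Box"]),
        # A High-rated service may hold Low Risk data; the check is >=, not ==.
        "low_in_teams": can_store(Risk.LOW, set(), SERVICES["Microsoft Teams"]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In a real deployment the service table would come from the Risk Classification of Commonly Used Services page rather than a literal, and the questionnaire answers from a form; the logic that matters is that classification takes the highest matching level and that the match test is an ordering comparison, not an equality test.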
Ways to Win Exclusive Know Your Risk Swag!
Download Know Your Risk Resources
Download and take advantage of Know Your Risk resources. You can help spread the word and show your cybersecurity awareness support at the same time.
Don't keep it to yourself
Ready to help your colleagues build their Know Your Risk muscle? Here's how you can help!
Sign Up for Bee Cyber Fit Podcast Alerts
The Yale Information Security Office is releasing a new podcast, Bee Cyber Fit, which simplifies cybersecurity for everyone. Read on to find out more!
Download Know Your Risk resources
Our virtual background is a simple way to remind yourself and your colleagues about the importance of Knowing Your Risk.
Our infographic poster is a simple way to remind yourself and your colleagues about Knowing Your Risk. Post it in your workspace, either at home or on campus.
Ready to win some swag? Here's how you can!
We have exclusive Know Your Risk prize packs to give away and we want YOU to be a winner! Enter for a chance to win by following the instructions for each contest, below.
(Through September 30)
Contest 1: Use the Know Your Risk virtual background
Download and use our virtual background during a Zoom meeting!
- Download the Know Your Risk virtual background
- Upload the background to Zoom.
- Take a picture (or capture a screenshot) of you using the background during a Zoom meeting.
- Submit your entry.
Contest 2: Use the Know Your Risk poster
Display the Know Your Risk poster in your work office, home office, or department
- Download and print the Know Your Risk poster
- Take a picture of the poster displayed in your favorite spot.
- Submit your entry.
Simple ways to spread the word!
We'd love your help to let more people know about our Know Your Risk toolkit and resources. Here are some ways you can help:
- Email your colleagues with a link to the Know Your Risk toolkit.
- Encourage your colleagues to visit the Awareness Program events page and sign up for an upcoming event.
- Share the Know Your Risk toolkit at a staff meeting.
- Download the Know Your Risk poster and display it in a common area in your workspace (near printers or in kitchens are two ideas).
- Lead the charge in getting your whole team to download and use the Know Your Risk virtual background.
Sign Up for Bee Cyber Fit Podcast Alerts
Confused about the latest cybercrime in the news? Overwhelmed by trying to figure out if a scam applies to you?
You’re not alone! Understanding how cyber events impact us is no easy task.
Let us help you demystify cybersecurity on the Bee Cyber Fit podcast where we simplify cybersecurity for everyone. Listen to the preview and sign up to receive notifications when new episodes are released.
Sign up by October 31 and be entered to win our exclusive Bee Cyber Fit prize pack including a Yeti water bottle!