There are many benefits to being on social media for educators and academics – not least the ability to keep peers, employers and funders aware of what you’re doing – but an online public presence is not without its security risks.
Abigail McAlpine is a postgraduate researcher in cyber security at the University of Huddersfield. She’s also a social media user, despite the risks she encounters in her work. Here’s her quick guide to the who, where, when and what of managing social media security risks.
Who are you?
Most of us feel it’s vital to maintain our online professional identity across several social media accounts, not least LinkedIn and Twitter, but we should avoid exposing too much of the personal.
So separate out professional and private accounts. On Twitter, for example, use a nickname for your personal account so that only your real friends and family know who’s posting all that personal information, or consider locking your account. And to deter discovery, don’t use your date of birth, year of birth or other personal information in your username.
You can retain some of your personality in your professional profile but restrict the information you give away to what is professionally necessary and beneficial to you.
You can also separate your critical and less critical identities by using different email addresses – e.g. one for your social media accounts and an entirely separate one where security is paramount, such as online banking. So if your social medium of choice happens to expose the email address and password it holds for you (and many have – see below), your more vital identity remains secure.
Where are you?
Treat public wifi with caution. Public networks are easy to hack – or for a hacker simply to join and survey who else is using them – and so you become more vulnerable when you’re posting messages that expose which public wifi network you’re using.
At a conference or similar, the negatives of vulnerability are often outweighed by the positives of tweeting or posting messages about the event or using the event hashtag, so you may be willing to take the risk. But you can mitigate it somewhat if you’re wary of giving away any other information about your comings and goings and if, in particular, you avoid tagging your hotel and exposing your identity on that public network as well.
It’s all too easy to join online conversations about your hotel, such as complaints about its wifi, but you should resist. Keep your location private when you can.
If you feel you're going to be communicating any sensitive, personal or private information or any account details, try coming off the public wifi and using the more private 4G instead. It’s easy to forget to do this: you’re Googling something and then checking your bank balance and you forget to switch over – we all just flick through applications automatically – but the discipline of switching to 4G is worth the effort.
Another alternative is to set up a VPN – a virtual private network. It's best to get one that uses an app on your phone and that you can use with any device including your laptop. Basically, a VPN encrypts all the information from your phone, laptop or other device, as if you were on a private network instead of a public one. Check which VPNs are recommended as best for your device and have a look at the reviews.
When were you there?
Sometimes you need to post something immediately. It may be breaking news, feedback from a conference floor, reactions to an announcement, arrangements to meet.
But if it isn’t necessary, however attractive and enjoyable instant posting may be, consider not posting in real time. Muse on the day’s events at work when you’re no longer there. Divulge the fact that you were away after you’ve returned. Post photos of your hotel after you’ve checked out. In short, separate the location of your topic from the location of your post.
What's been going on?
Just over a year ago, Facebook announced that 50 million of its users had been “exposed by a security flaw”. In 2012, LinkedIn suffered a security breach and then announced four years later that the stolen data, including email addresses and passwords, had become available online; this was followed by news reports that more than 117 million account details were being sold on data sharing websites.
Other global services have suffered similar data losses. Last December, more than 770 million email addresses and passwords were posted to a popular hacking forum. Yet many of us are still using the same email address and password combination that we’ve used for years. If you do, the chances are high that the hackers have them.
Clouds – including the cloud – can have silver linings. Since 2013, security researcher and Microsoft regional director Troy Hunt has been collecting stolen data and listing compromised email addresses and usernames (without the passwords!) at haveibeenpwned.com. This means you can visit the site, for free, enter your email address and you’ll see if you’ve been compromised (“pwned”) and where the breach was found.
If you’ve been pwned and haven’t recently changed your password on key sites, this should convince you to do so, using a strong, long password and setting up two-factor (or multi-factor) authentication if it’s available.
But don’t rely on secondary authentication instead of decent password security: authenticators can also be breached (especially if they rely on sending a text to your phone: phone numbers can easily be cloned), so your security-conscious regime should look after passwords as well as other authentication.
And remember the idea of having more than one email address to separate out critical and non-critical online identities. Your security online can be in your control.