Security Guidance: Common Mistakes for Users to Avoid

Purpose: To protect student data, prevent security breaches, and promote safe digital practices among program staff and tutors, this reading outlines common mistakes and basic strategies for safeguarding devices, passwords, and digital systems. Use this guidance to strengthen everyday security habits and reduce risks to student information. This list is not exhaustive nor a replacement for hiring an information security expert.

Physical Device Security
Keep your devices under your control; otherwise, you cannot secure their data.
Set up Mobile Device Management (MDM) for your program’s equipment. MDM helps keep software up to date and secure, and enables location tracking and remote data wipes of lost devices.
Use a dedicated device for work. Do not recreationally browse the web on devices that hold student data.
Do not leave a device unattended without logging out or locking it. This applies regardless of location. If you use a device to access student data, lock it when you step away and log back in when you return.
Do not write down login credentials. Writing down login credentials — such as on a sticky note — is an insecure method of storing sensitive information. If login credentials are compromised, so is access to student data.
Password Security
Use long and unique passwords, and keep them to yourself.
Do not rely exclusively on passwords. Use two-factor authentication if possible.
Do not use weak passwords.

Weak passwords are:

  • Short: Any password shorter than 10 characters can be instantly guessed in an automated attack. Long passwords are strong passwords; the best of them are memorable multi-word passphrases. Aim for 16 characters as a safe balance between convenience and security.
  • Reused: Never reuse passwords. Your password on one service should be significantly different from your password on any other service. This prevents a cascade failure where a security breach in one service compromises all your accounts. It is highly recommended to use password manager software to create and securely store a unique password for every service.
  • Commonplace: Avoid predictable passwords such as “Password1!” or any similar variations. These are among the first attempted in automated attacks.
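As an added illustration of the three weak-password categories above (example code written for this reading, not part of the original guidance), the following Python checker flags a candidate password as short, commonplace, or reused. It goes slightly beyond the text in one way: "commonplace" and "reused" are judged on a normalized form that collapses case, leet substitutions, and trailing digits or punctuation, so that “Password1!” and “P@55w0rd2024” both reduce to “password”, and “Summer2024!” is recognised as a trivial variation of an already-stored “Summer2023!”. The denylist (COMMON_BASES) and the sample vault (SAMPLE_VAULT) are constructed for the example; a real deployment would load a breached-password list and check reuse against the password manager's own store.

```python
"""Password-policy checker for the three weak-password categories:
short, reused, and commonplace. Added example; the denylist and the
sample vault below are constructed data, not real credentials."""
import re

MIN_LENGTH = 10          # below this the guidance calls a password instantly guessable
RECOMMENDED_LENGTH = 16  # the guidance's suggested balance of convenience and security

# Constructed denylist of commonplace base words. A real deployment would
# load a large breached-password list instead of this handful.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin", "iloveyou"}

# Common "leet" substitutions attackers try automatically, mapped back to letters.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Collapse obvious variations so 'Password1!' and 'P@55w0rd2024'
    both reduce to 'password'. Order matters: strip trailing punctuation,
    then trailing digits, then undo leet substitutions in what remains."""
    base = password.lower()
    base = re.sub(r"[^a-z0-9]+$", "", base)  # trailing '!' '#' etc.
    base = re.sub(r"[0-9]+$", "", base)      # trailing '1', '2024' etc.
    return base.translate(_LEET)


def check_password(candidate: str, vault: dict) -> list:
    """Return a list of policy findings; an empty list means the password passes.
    `vault` maps service name -> password already in use for that service
    (constructed stand-in for a password manager's store)."""
    findings = []

    # 1. Short
    if len(candidate) < MIN_LENGTH:
        findings.append(f"short: {len(candidate)} chars, minimum {MIN_LENGTH}")
    elif len(candidate) < RECOMMENDED_LENGTH:
        findings.append(f"shorter than recommended {RECOMMENDED_LENGTH} chars")

    # 2. Commonplace (after normalizing away the predictable variations)
    base = normalize(candidate)
    if not base:
        findings.append("commonplace: digits or symbols only")
    elif base in COMMON_BASES:
        findings.append(f"commonplace: variation of '{base}'")

    # 3. Reused: identical to, or a trivial variation of, another service's password
    for service, existing in vault.items():
        if candidate == existing:
            findings.append(f"reused: identical to password for {service}")
        elif base and base == normalize(existing):
            findings.append(f"reused: trivial variation of password for {service}")

    return findings


# Constructed sample vault: passwords supposedly already stored for two services.
SAMPLE_VAULT = {
    "tutoring-portal": "correct horse battery staple",
    "email": "Summer2023!",
}

if __name__ == "__main__":
    for candidate in ["Password1!", "Summer2024!", "correct horse battery staple",
                      "lunar kettle velvet 48 bridges"]:
        print(f"{candidate!r}: {check_password(candidate, SAMPLE_VAULT) or 'OK'}")
```

Running the block prints the findings for each sample candidate; only the four-word passphrase passes all three checks.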
Do not share login credentials.

Common mistakes here include:

  • Multi-person accounts: Avoid shared accounts. Each user must have a unique username and password to ensure data security. Do not share your account credentials with colleagues, and do not let them share theirs with you.
  • Saving students’ passwords: Your students’ passwords are theirs. While it may be tempting to record student passwords in a spreadsheet for convenience, that spreadsheet becomes a high-value target. If it is compromised, every student account is at risk, and so are the students’ personal accounts.
  • Falling for phishing: Only enter your password into the actual login page for that service. Double check the URL, and do not click on links in unsolicited emails. Beware of fake links to similar-looking web pages. Report suspicious emails and make sure a page is not fake before entering any personal credentials.
Digital Systems Security
Keep all student data inside your organization’s secure system to ensure security.
Do not save student data to personal/shared devices. If you must use a shared device, use incognito or private browsing, log out of all accounts afterward, and do not download student data to the device itself.
Do not save student data to flash drives. Use enterprise-grade cloud storage to sync data across devices.
Do not save student data to personal email or cloud storage accounts (e.g., Gmail & Google Drive). Consumer-grade accounts lack adequate privacy protections because they are used for data harvesting.
Do not make shared documents publicly accessible. “Anyone with the link” is never the right choice for sharing student data. Restrict document access to specific users or at least to your organization.