April 26, 2022
(Updated May 10, 2022)
My Previous Career in Information Technology (IT) makes me able to help you...
Okay, some of my fellow music teachers know this about me. I had a couple of decades in between my piano teaching in the 1980s and my return to teaching privately in 2015, during which I had two other careers. The second one was a 16-year full-time career in Information Technology. During the last years of it before switching again to piano teaching, my focus was as an Information Security Administrator. Prior to that I was the lead tech on an Enterprise IT help desk. To help my fellow teachers I am combining that expertise with my piano teaching experience to create awareness and, eventually, to help other teachers by creating online courses in self-help cyber security, data security and related topics. This is very important, and my first job is to hopefully create the right kind of awareness and let you know you can learn to understand and protect your career as an Independent Music Teacher (IMT). Here we go!
Our ability to Teach is now at risk; we could lose it unless protected...
We are independent music teachers. Our livelihoods depend more and more on the data, apps and other information related to our teaching that is on our devices. Perhaps you teach piano, guitar, voice, violin, flute, trumpet or some other instrument. Have you thought about the data, apps or other information related to your teaching that is stored on your computer, laptop, tablet, iPad, smart phone or other device? Have you considered what would happen if that were stolen by cyber criminals or became otherwise inaccessible or unusable?
Think of the data you have right now on your computer, your iPad, your laptop that relates to your teaching. Lesson plans and development plans for students, student assignments and goal achievement records, studio policies, repertoire history for students, music competition/festival documents, theory exam information, music book purchase records and other business expense records, music you have composed or arranged, digital sheet music you own, perhaps QuickBooks data or other data you use for federal taxes each year, email lists, contact information for students perhaps including birthdates, addresses, phone numbers... the list goes on and on.
What if that data were one day gone, or your data file is there but won't open, or something similar: it just won't "work"? What is the cost in time and money to you to recreate that all over again? Is that even possible if it is not accessible, stolen, or corrupted beyond usability? Do you have a non-internet based "data backup" and do you know for sure it will work when needed?
Why a backup to the "Cloud" is not nearly enough...
You may have heard of the "cloud" in relation to technology. It's basically a collection of computers ("servers") storing data somewhere out there in the internet, owned by a company for the purpose of storing your data and charging you a fee for that in most cases. Businesses and individual consumers use cloud services.
If you have a cloud backup service, have you ever really read the agreement to use the backup service? All cloud backup companies have these internet service agreements, or service level agreements: Apple iCloud, Amazon Web Services, Google Cloud Platform, Microsoft OneDrive, etc. These agreements tend to be thousands of words long. Who really reads them? We just click to "agree" and hope for the best. All of these have language that states, essentially, the agreement can change at any time and that you are bound by the agreement when it changes, unless you specifically "opt out".
Of course to "opt out" means you stop using their cloud backup service. It is typical in these agreements that the company can delete your account and/or all your data if they desire, even without having to notify you, if you breach the agreement, even if you breach it "unknowingly". So, do you have an ongoing, dependable, "off-line" (i.e. non-internet sourced) backup in place? This would be a backup to an external hard drive, or to a small portable USB stick as a minimal backup.
We as music teachers in an educational/artistic career tend to not understand technology as much as some other careers, though perhaps that is changing as far as our teaching goes if we teach online or have started to use apps in our teaching. But what about understanding technology enough to even ask the questions we should be asking? Such as about the level of security we need or should have?
What is cyber security, data security and why do I need it as an independent music teacher?...
That is a great question! Cyber security and data security revolve around protecting critical data, devices, networks, programs and apps from internet based attacks. Every IMT (Independent Music Teacher) has data, a network, devices, programs and apps if you use a computer, laptop, tablet, iPad, or phone in the same physical location where you teach or store data related to your teaching. Good security for all these things is about implementing best practices to help ensure your business critical information is confidential to only those who should access it, retains its integrity as to being 100% accurate, and is accessible when needed.
It also is about using best practices for securing your devices and computers and how you use the internet whether it is doing searches, logging into websites, "browsing" habits, how you interact with email and many other things. We all tend to have more and more devices that connect to the internet, which makes all these things a target for the bad actors out there on the internet. And if your teaching data is on that device, that computer, of course it's THE target.
We even have refrigerators that are internet capable, which shows how widespread internet based technology is. We can talk to Siri or Alexa and it answers back. Internet based technology is becoming more and more part of our daily lives. We really can no longer escape it, at least not for long.
I am writing to you today to help you understand that we are at risk, and that we need to take steps to protect our income, our livelihood as independent music teachers, considering the ever evolving landscape that is called cyber security. It used to be "network" security, then "cloud" security. Those things still remain. They are amplified now by the "internet of things", which now could be lumped under the term "cyber security" as I'm presenting it to you today. I'm using "cyber security" for now as more of an umbrella term for all things related to the need to secure our devices, systems and data from being stolen or made inaccessible or unusable.
Is my password good? How to know and why be concerned at all....
We likely have heard in the news more than once in the last few years that passwords used by people have been breached, compromised. Passwords are intended to protect, among other things, our most sensitive and valuable information, right? Gone are the days when you walk up to the door and the guard asks you "what is the password!" and you answer: "Swordfish!!". We all need a complex enough password of some kind to access almost any type of online account, websites and the like. So, how do we know whether that password likely will or will not be compromised?
Passwords can be guessed if you use "password" or "qwerty" or "123456", etc. In about the year 2004, the recommended password length was 8 characters, a mix of letters and numbers. Soon after that, it was suggested to include more characters, like maybe 10, including a capital letter or 2. Then it was suggested that long phrases a person could remember are good, because passwords were starting to get kind of complicated to remember. Then a few years later 12-14 characters was suggested, with a mixture of capital and lowercase letters, numbers, and symbols. By about the year 2013 or so, it was thought by some that a 14 character, highly complex password would take from a few years to centuries or longer to "crack", that is, to break into. The time to crack a password depends on who you're talking to and how they are proposing the password be attacked. You see, internet criminals use a computer or computing device to generate random password combinations until it finds the right one. That is essentially how it is done.
Today it's 16-20 characters, a mixture of capital and lowercase letters, numbers, symbols AND special characters, that is recommended by some experts. And some security experts don't feel safe yet with 20! The bad thing about this is the banks can't keep up! Some banks, healthcare companies, and credit card companies won't allow a password that long and complex! It is hard to keep up with the changes, but we need to give it our best. Now you will likely ask why the recommendations for password length and complexity keep increasing as to number of characters?
The simple answer is computing power. Computing power is used to run a program or app that tries to figure out (crack) passwords. Each year or so computing power is increased due to technology improvements. And that means the computations happen more quickly. Now that computers can combine forces on the internet, meaning combining their computing power, and computing power is rising exponentially, eventually passwords will likely become obsolete and we'll need another solution. Unless technology changes in an unexpected way. It changes so quickly no single person is a one-stop-shop expert on all things cyber security.
But for now, the only solution really, if you cannot remember 16 character passwords that combine letters, numbers, symbols, special characters, or really really long password phrases with interspersed non letter characters, and if using an RSA token is too cumbersome (I won't explain them here just yet), is a password manager like Keeper Security or NordPass or LastPass (there are others), which will generate for you a long, highly complex password for every account you use, that you can use on your computer, phone, iPad, etc. so you don't have to remember them. BUT you need a long, complex master password to get into your password manager that you WILL remember; hence you need to remember only one password to have access to all of them. And that one should probably be changed often enough but on an unpredictable schedule.
You might quip, saying: "well, if it takes only one password to get into all my passwords, how is that a good thing?" That's one point of view. Consider that your master password must be complex enough and long enough so it is not likely a criminal will want to spend the time trying to break it, and even if they try they won't live long enough to "crack" it. That's the beauty right now of using a password manager. And never share your master password with anyone else. As long as passwords are required for our digital life, this is the best approach. Just think it through carefully, and it will be obvious.
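To put numbers on why the recommended length keeps growing, and to show what a password manager's generator does, here is an added example (not part of the original article and not any product's own code). The guess rate and the character sets assigned to each era are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption for illustration: an attacker able to test 100 billion guesses per second.
ASSUMED_GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation  # the 32 printable ASCII symbols

# The article's timeline; the character sets per era are this example's assumption.
POLICIES = [
    ("8 characters, letters and numbers", 8, (LOWER, DIGITS)),
    ("10 characters, adding capitals", 10, (LOWER, UPPER, DIGITS)),
    ("14 characters, adding symbols", 14, (LOWER, UPPER, DIGITS, SYMBOLS)),
    ("16 characters, all classes", 16, (LOWER, UPPER, DIGITS, SYMBOLS)),
    ("20 characters, all classes", 20, (LOWER, UPPER, DIGITS, SYMBOLS)),
]


def search_space_bits(length, classes):
    """Size of the search space in bits for a truly random password."""
    return length * math.log2(len("".join(classes)))


def years_to_exhaust(length, classes, rate=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every combination (on average, half is enough).

    Only valid for randomly generated passwords; words, names and reused
    passwords are found far sooner by guessing likely candidates first.
    """
    combinations = len("".join(classes)) ** length
    return combinations / rate / SECONDS_PER_YEAR


def generate_password(length=20, classes=(LOWER, UPPER, DIGITS, SYMBOLS)):
    """Random password drawn from the operating system's cryptographic random source."""
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry until every class appears, so each valid password is equally likely.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


if __name__ == "__main__":
    for label, length, classes in POLICIES:
        bits = search_space_bits(length, classes)
        years = years_to_exhaust(length, classes)
        print(f"{label:36s} {bits:6.1f} bits  {years:.3g} years")
    print("example generated password:", generate_password())
```

Each added character multiplies the work by the size of the character set, which is why a few extra characters move the estimate from seconds to far longer than a lifetime.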
January, 2022 Forbes reported: "cyber perils are the biggest concerns for companies globally in 2022"(1,2).
Wow! Isn't that an astounding statement! Cyber perils are the BIGGEST CONCERN for companies everywhere in the world. Our music teaching IS a company in this definition though small. And attacks on small companies are increasingly on the rise these last few years. (3)
Are we aware that emails we receive, if opened, can have links in them to direct us to infected websites that install malware on our devices? Or can have an attachment when opened that will do the same thing? "Malware", short for malicious software, is software installed that is used to gain access to a computer or device that then sends data from your device, or your home or business network, to the internet criminal. Malware can also render the infected computer or device unusable. Are we aware of the risks in searches we might do on Google, Bing or Yahoo, and how to minimize that risk, so we are much less likely to click on a "bad" website that could infect our systems?
How about the credentials we use on the internet, the usernames and passwords that are our access to our digital lives? There are free or low cost password hacking tools available to internet criminals. If your password is not complex enough or long enough it could be easily compromised. And if you use the same password for everything, or reuse others, because they are just too hard to remember, and the criminal gets those passwords, he has access to your digital life, your music teaching digital life, your mission critical data. He can do what he wants with it.
How you could lose all your teaching data from one single internet event
Ransomware is on the rise and is expected to continue to increase. "Ransomware" is a cybercrime and occurs when your device is broken into by an internet criminal, who "locks" all your data on your computer or device so you cannot use it at all. It's like a criminal that gets into your house and changes all the locks to work with a different key, so you cannot get into your own home! This internet criminal who locked your data with ransomware then demands you give a lot of money to them in order to receive a code to unlock your own data so you can use it again. But, guess what, you give them money once and they'll do it to you all over again. So you need to be in a position where IF your computer or device was held hostage due to ransomware, you have a recourse to never pay the criminal, because you have a copy of ALL your data, every bit of it, somewhere they cannot access.
According to Norton, one of the top US based global security companies, "The government says that...
...75 percent of all ransomware attacks are on small businesses..." (3) (wake up call: this includes YOU the Independent Music Teacher)
The independent music teacher is of course the owner of a small business whether you are incorporated or not, are a sole proprietor with a full time income, or teach music as a side income. We are just as prone to these cyber attacks as any other small business. We music teachers are not used to thinking in these terms, that we are a business with mission critical business data that is like low-hanging fruit to the cyber criminal. But we are. We need to get educated about it, and understand what we can do without paying huge sums for an IT consultant to come to us to help us.
Do you have a website? Is it "secure"? The simple solution for protection...
Do you have a website? Is it secured with SSL/TLS, which means the website address starts with "https" rather than the insecure "http"? If you have the secure "https" website address, your website has that little lock icon by the address on all pages. That lock means connections to your website from a prospective student or anyone else are encrypted and safe. In 2014 Google announced encrypted websites improve Google search rankings (5). In 2017 Google announced they will start showing a "not secure" warning for the insecure "http" website addresses (6). Those who use Safari, Firefox, Edge, Brave and other "browsers" as they are called, now see similar warnings, since they have followed Google's example.
When a prospective student lands on your insecure "http" website they will see a separate warning, or it shows in the website address as "not secure..". Will they leave your website looking for one that is safer? If this was you, not the student, would you feel comfortable reaching out to the website, through a contact form, with your personal identifying information? Or would you find another "safer" website? (7). If a website shows the "not secure.." warning, do you know if the person who says they own that website, really does own it? After all just "who" are they?
Your internet service devices are an essential level of defense....
Do you teach online from home or an office? Does your home or office network have a "known good" digital perimeter of safety around it, protecting you from the most common internet attacks? Were you aware you need such a perimeter of verifiable safety, that you can have it and that it is not hard to maintain if you know what to do? If you ever had to restart your modem or router and it fixed a connection problem with anything on the internet, such as your Zoom or Skype lesson, you may have been an unnecessary victim of an internet attack.
It is important to periodically check for updates for your home internet service equipment or your teaching location equipment, whether or not you have connected your own WiFi device or "router" to your Internet Service Provider's (ISP) equipment. Though your internet service provider "should" do periodic security updates to the equipment they gave you, like your cable modem for example, they do not necessarily do so. Why should you be at risk because your ISP is not doing their due diligence? Also, is your home and teaching location internet equipment configured properly to avoid being "scanned" from the internet to see if your "internet front door" is open?
Your device(s) that provide your internet service are the front door to all devices on your home or business network and if that door is not locked correctly, your entire home or business network is at risk of intrusion. It is no different than if you left home to go shopping and left your front door unlocked - anyone who walks up to the door could get in.
The Independent Music Teacher typically does not have an IT department. We also tend to not understand WHY we are exposed, HOW we are compromised, nor do we tend to understand WHAT we can do about all that, even if we have no or little understanding of technology. Just like a piano student can learn to play the piano, you too can learn to improve your cybersecurity, your computer/device security, to protect what is important, and in a lot less time than it takes to learn to play the piano.
The IoT (internet of things) creates heightened security concerns...
You may have heard of the "Internet of Things" or "IoT" for short. This is the total assemblage of gadgets, devices, cool toys, practical devices that are not computer devices per se, but use the kind of technology found in computers to create a multiverse of things that talk to other devices and/or the internet. Even if they don't talk to the internet directly they talk to another device that does talk to the internet. These things usually have the name "Smart" in front of them: smart refrigerators, smart watches, smart door locks, smart bicycles, smart fire alarms, smart security camera systems, smart speakers, smart baby cams, medical related sensors, fitness and health trackers, Google Alexa, the list goes on and on.
In 2021 it was estimated there were about 12 billion IoT devices in the world. Remember there are about 7.6 billion PEOPLE in the world! By the year 2025 it is estimated that there will be about 27 billion IoT devices connected and in use in the world. (8)
Ask yourself how many of these devices are in your home now and how many might you have in a few years? Understand that each one of these IoT devices is another potential open doorway into your home, your business, and wherever you store and keep your teaching related data. So, I'm of the opinion that our homes or small offices where we teach will need a simple to use hardware "firewall" and that the market for that will likely increase. One company trying to make them simple enough and affordable for a home or small business for a person with limited understanding of technology is "Firewalla" (9). Their solution is easy: you connect it to your internet, and manage it from your "smart" cell phone. I expect more companies like Firewalla will spring up over time. The need is there now, and will be more in the future.
Strive to Find the Balance between Security and Stability
Whatever you do for your cyber security and data security, I suggest striving to find a balance between security and usability, so that we don't get too overzealous with the idea of security for its own sake. Plan your security and roll it out wisely is my suggestion. As I mentioned earlier, I'm in the process of developing courses independent music teachers can take to educate themselves about all these things and more, and to learn how to take the needed steps for security and how to keep up with the changes in technology going forward. And I will focus on making this easy to understand and implement wisely.
Steps you can take to protect from cyber threats and secure your data
Some steps we can take to protect ourselves from cyber threats are below and numbers 1 and 8 are the most critical as something you can do NOW, before the other steps:
1. update our software and operating system, keep it updated, with the ability to maintain software stability (sometimes updates can break stability, so it's a good idea to research the update for known issues before installing, especially if the device is used for teaching directly). These updates include security updates and that is why it is important to update your device, even if you feel you won't need or use the new features they offer. Understand that specific security updates are created for specific cyber threats that are CURRENTLY ACTIVE on the internet. That is why we need these security updates on our devices, to protect against this. It's a game of keeping up with what the bad actors on the internet come up with as their latest ploy, to protect ourselves from it.
2. Use a comprehensive security program/app on our computers and devices. (Yes, even Mac and iOS - they are not immune to being compromised. Yes, Apple designs them with built in protections, BUT they have been directly bypassed in the past, even bypassing ALL security designs and going straight to the "Kernel" where all power resides over your device. Even with the best design, the best intentions, it's never foolproof.) This is why a known good data backup is essential from step 8 below. Use this security program/app to scan everything on your computer when you have no programs or apps open and are not using your computer. Once you complete step 8 below, scan that backup using your security program/app to look for "bad stuff" and delete it.
3. obtain training for yourself and those who work with you to raise awareness of suspicious links and attachments in emails (I hope to provide training like this in the future, so please stay tuned...)
4. use multi-factor, two factor (2FA) authentication as much as is available; especially your banking website, your business credit card online accounts, and other financial related accounts. (However, I do not recommend using your fingerprint for authentication because it cannot be changed. A password or RSA token can be changed, but never your fingerprint, unless you are Tom Cruise in a spy movie..... ha! Understand that a person's fingerprint is essentially turned into a computer file. When that file is disclosed to someone other than you, notice I said "when" and not "if", THEY have YOUR identity for the rest of your life. So, I'm thinking that's not such a good thing.)
5. use a password manager, such as Keeper Security, LastPass, NordPass and others, so all your passwords can be unique and complex enough to be strong and accessible when you need them, from any of your devices, and you never have to remember any of them. Today 16-20 characters, a combination of letters, numbers, symbols and special characters, is considered by some a minimum necessity for security. A password manager will generate for you a complex password, the length and complexity of your choice. You need to remember only one long, complex password, and that is the password needed to get into your password manager.
6. learn wise methods of conducting safe internet searches
7. have a daily cloud service backup of your data. This could be backed up automatically however often makes sense for your computer usage, though I suggest NOT running it all the time on a device you use to teach, if you teach online, because it will likely negatively impact your online lesson performance.
8. have a physical (non-cloud) backup to a device connected to your computer that is stored at your home or business (you may want to include an entire computer backup not just data files). However please do NOT leave it connected to your computer at all times or it will be constantly exposed to risk.
9. have a full weekly and/or monthly and/or quarterly backup to a device connected to your computer that is stored OFF SITE, such as in a safe deposit box at your bank (again, consider doing a full computer backup not just data files)
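One way to confirm that the backups in steps 8 and 9 are "known good" is to compare a fingerprint (SHA-256 hash) of every original file with its backup copy. This is an added example, not the author's own tool; the folder and file names are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(source_root, backup_root):
    """Report which source files are intact, missing or altered in the backup."""
    source = build_manifest(source_root)
    backup = build_manifest(backup_root)
    return {
        "ok": sorted(n for n in source if backup.get(n) == source[n]),
        "missing": sorted(n for n in source if n not in backup),
        "mismatched": sorted(
            n for n in source if n in backup and backup[n] != source[n]
        ),
    }


def run_demo():
    """Constructed sample: a small studio folder, a copy of it, then simulated damage."""
    with tempfile.TemporaryDirectory() as tmp:
        studio = Path(tmp, "studio")
        (studio / "students").mkdir(parents=True)
        (studio / "studio_policy.txt").write_text("Lessons are 30 minutes.\n")
        (studio / "students" / "repertoire.csv").write_text(
            "student,piece\nA,Minuet in G\n"
        )
        (studio / "expenses_2022.csv").write_text(
            "date,item,cost\n2022-04-01,books,42.00\n"
        )

        backup = Path(tmp, "usb_backup")
        shutil.copytree(studio, backup)

        # Simulate a backup that silently went bad: one file damaged, one absent.
        (backup / "students" / "repertoire.csv").write_text("garbled\n")
        (backup / "expenses_2022.csv").unlink()

        return verify_backup(studio, backup)


if __name__ == "__main__":
    for status, names in run_demo().items():
        print(f"{status}: {names}")
```

On a real computer, call `verify_backup` with your teaching folder and the mounted backup drive, run it right after each backup, and treat anything listed under "missing" or "mismatched" as a backup that will not work when needed.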
More will be coming later on these and related topics. I have not yet created a blog. I will at some point convert this to a blog...... But I wanted to get started here without delay. I also hope to create some courses for you! Please check back often.
Cyber Security for the Independent Music Teacher (IMT)
and Data Security for the IMT
© Copyright 2022, James Heuser, Four Points Piano Teacher, All rights reserved