Cyber Security for the Independent Music Teacher (IMT)
and Data Security for the IMT
James Heuser is a member of Music Teachers National Association and National Federation of Music Clubs
© Copyright 2022-2023: James Heuser; Four Points Piano Teacher. All rights reserved
for the Independent Music Teacher
April 26, 2022
(Updated May 10, and July 22, 2022)
Be aware this is an educational page; it takes time to read and digest.
My Previous Career in Information Technology (IT) makes me able to help you...
Some of my fellow music teachers know this about me. I had a couple of decades in between my piano teaching in the 1980s and my return to teaching privately in 2015, during which I had two other careers. The second one was a 14-year full-time career in Information Technology. During the last years of it, before changing careers again to piano teaching, my focus was as an Information Security Administrator. Prior to that I was the senior technician for an Enterprise IT help desk.
To help my fellow teachers I am combining that expertise with my piano teaching experience to create awareness, and to eventually help other teachers by creating online courses in self-help cyber security, data security and related topics. This is very important and my first job here is to create the right kind of awareness and let you know you can learn to understand and protect your career as an Independent Music Teacher (IMT). Here we go!
Our ability to teach is now at risk; we could lose it unless it is protected...
We are independent music teachers. Our livelihoods depend more and more on the data, apps and other information related to our teaching that is on our devices. Perhaps you teach piano, guitar, voice, violin, flute, trumpet or some other instrument. Have you thought about the data, apps or other information related to your teaching that is stored on your computer, laptop, tablet, iPad, smart phone or other device? Have you considered what would happen if that were stolen by cyber criminals or became otherwise inaccessible or unusable?
Think of the data you have right now on your computer, your iPad, your phone, your laptop that relates to your teaching: personal identifying information about your students such as birthdates, addresses and phone numbers; lesson and development plans for students; student assignments and goal achievement records; studio policies; repertoire history for students; music competition/festival documentation; theory exam records; performance exam records; music book purchase records and other business expense records; music you have composed or arranged; digital sheet music you own; federal and state tax related data; email lists; and more....
What if that data were one day gone, or still there but won't open, or something similar: it just won't "work"? What is the cost in time and money to you to recreate it all over again? Is that even possible if it is not accessible, stolen, or corrupted beyond usability? Do you have a non-internet based "data backup", and do you know for sure it will work when needed? If you think your cloud backup is enough, I am here to inform you that it is simply not enough to protect yourself and your teaching career.
Why a backup to the "Cloud" is not nearly enough...
You may have heard of the "cloud" in relation to technology. It's basically a collection of computers ("servers") storing data somewhere out there on the internet, owned by a company for the purpose of storing your data and, in most cases, charging you a fee for that. Businesses and individual consumers use cloud services.
If you have a cloud backup service, have you ever really read the agreement to use the backup service? All cloud backup companies have these internet service agreements, or service level agreements: Apple iCloud, Amazon Web Services, Google Cloud Platform, Microsoft OneDrive, etc. These agreements tend to be thousands of words long. Who really reads them? We just click to "agree" and hope for the best. All of these have language that states, essentially, that the agreement can change at any time and that you are bound by the agreement when it changes, unless you specifically "opt out".
Of course to "opt out" means you stop using their cloud backup service! You are forced to play the game their way. It is typical in these agreements that the cloud service company can delete your account and/or all your data, even without having to notify you, if you "breach" the agreement, even if you breach it "unknowingly". So, do you have an ongoing, dependable, "off-line" (i.e. non-internet sourced) backup in place? This would be a backup to an external hard drive, or portable small USB stick as a minimal backup.
We as music teachers in an educational/artistic career tend not to understand technology as much as people in some other careers do, though perhaps that is changing as far as our teaching goes, if we teach online or have started to use apps in our teaching. But what about understanding technology enough to even ask the questions we should be asking? Such as: what are the real threats we face on a daily basis, and what level of security do we need to protect ourselves from them?
What is cyber security, data security and why do I need it as an independent music teacher?...
That is a great question! Cyber security and data security revolve around protecting data, devices, networks, programs and apps from internet based attacks. Every IMT (Independent Music Teacher) has data, a network, devices, programs and apps if you use a computer, laptop, tablet, iPad, or phone. Good security for all these things is about implementing best practices to help ensure your business critical information is confidential to only those who should access it, retains its integrity as to being 100% accurate, and is accessible when needed.
I am the best-practices guru for you, the Independent Music Teacher. I am here for your benefit if you care to pay attention....
Cyber security is also about using best practices for securing your devices and computers, how you should use the internet for searches, how to log into websites securely, your "browsing" habits, how you should interact with emails and texts from people you do not know, and many other things. We all tend to have more and more devices that connect to the internet, which makes all these things a target for the bad actors out there on the internet. And if your teaching data is on that device, that computer, of course it's THE target.
We even have refrigerators that are internet capable, which shows how widespread internet-based technology is. We can talk to Siri or Alexa and they answer back. Internet-based technology is becoming more and more part of our daily lives. We really can no longer escape it, at least not for long. This artificial intelligence (AI) is here to stay, businesses depend upon it more and more, and we must wise up and not allow it to control us. It is here for our benefit; we are not here for it. It's time for you to awake and master your digital life!
I am writing you today to help make it understandable that we are at risk, and that we need to take steps to protect our income, our livelihood as independent music teachers, considering the ever evolving landscape that is called cyber security. It used to be "network" security, then "cloud" security. Those things still remain. They are amplified now by the "internet of things", which now could be lumped under the term "cyber security", as I'm presenting this to you today. I'm using "cyber security" for now as an umbrella term for all things related to the need to secure our devices, systems and data from being stolen, made inaccessible or unusable, or otherwise compromised.
Is my password good? How to know and why be concerned at all....
We likely have heard in the news that passwords used by people have been breached, compromised, stolen. Passwords are intended to protect, among other things, our most sensitive and valuable information, right? Gone are the days when you walk up to the door and the guard asks you "what is the password!" and you answer: "Swordfish!!". We all need a complex enough password of some kind to access almost any type of online account, website and the like. So, how do we know whether that password likely will or will not be compromised? Why should it be "complex", you ask? It is so that it cannot be taken from you, or "hacked" as the term is used.
Passwords can be guessed in some cases, if you use too simple a password like "password" or "qwerty" or "123456", etc. Around the year 2004 the recommended password length was 8 characters, a mix of letters and numbers. Soon after that, it was suggested to include more characters, maybe 10, including a capital letter or two. Then it was suggested that long phrases a person could remember are good, because passwords were starting to get complicated to remember. Later 12-14 characters was suggested, with a mixture of capital and lowercase letters, numbers, and symbols. By about the year 2013 or so, some thought a 14 character, highly complex password would take from a few years to centuries or longer to "crack", that is, to break into. The time to crack a password depends on who you're talking to and how they are proposing the password be attacked, related sometimes to their level of technology expertise. You see, internet criminals use a computer or computing device to generate possible password combinations until it finds the right one. That is essentially how it is done.
Today it's 16-20 characters, a mixture of capital and lowercase letters, numbers, symbols AND special characters, that is recommended by some experts. And some security experts don't feel safe yet with 20! The bad thing about this is that the banks can't keep up! Some banks, healthcare companies, and credit card companies won't allow a password that long and complex! They exclude many special symbols, which limits your password security. It is hard to keep up with the changes, but we need to give it our best.
Why do the recommendations for password length and complexity keep increasing as to number of characters? The simple answer is: increasing computer processing power.
Computing processing power is what allows our devices to run and do things for us. It's like the brain of our devices. How thoroughly and quickly it works depends upon the hardware design and strength. Generally speaking, the higher the cost of a device, the better and faster it works. Computer processing power is also utilized by internet criminals to run a program or app that tries to figure out (crack) passwords. Each year or so computing processing power increases due to technology improvements, and that means the computations happen more quickly. Now that computers can combine forces on the internet, meaning combining their computing power, for things like botnets, the Tor network, and crypto mining, we see computing power rising exponentially.
Eventually passwords will likely become obsolete and we'll need another solution, unless technology changes in an unexpected way. Technology changes so quickly that no single person's brain is a one-stop-shop expert on all things cyber security. This is why we constantly research, investigate and expand our understanding of cyber security and its application in our ever changing world. This becomes a constant learning experience for us all.
I highly and emphatically suggest you NEVER use your fingerprint, your physical fingerprint, to log on to your devices or websites. That is because it is a form of identity you can never change. Some of my security friends may object, saying a person's fingerprint is secured by a hash or other encryption methods. None of those methods are impervious to compromise/attack, I will point out. Maybe today, but you never know what next month will bring.
If you give your fingerprint to your phone, as an example, maybe your iPhone, to access it, that fingerprint is turned into a data file at the simplest level of existence. It matters not that the file remains on the phone and is not uploaded to iCloud. Any smart phone can be hacked, no matter what company engineered and created it. The Pegasus spyware exploit that was exposed about 6 years ago did an end run around Apple security so the user did not notice it. The point of bringing up Pegasus is as a history lesson that a phone, no matter how securely designed, can and WILL be compromised at some point. Any encryption method, security procedure or security engineering/design WILL EVENTUALLY BE BROKEN. This has been proven over and over in IT Security history. No security measure, design or architecture, whatever descriptor you use with "security", protects forever. Due to this....
...we must constantly upgrade our security methods because the internet criminals find a way to compromise any type of security. Again, HISTORY proves this concept.
Concerning Pegasus: if it has not yet, it will eventually morph into the public domain as a larger issue, directly or indirectly as a cousin-engineered concept, and not remain private as it has been. The Stuxnet worm was engineered privately for a specific purpose, to take down the function of machines (the nuclear program of Iran in this case), and was later exposed publicly and further engineered for sale on the dark web for internet criminals to purchase and use to compromise other computing systems. Mark my words, given enough time the Pegasus exploit will suffer the same fate. It will be the basis, in one way or another, for more prolific exploits that will affect devices around the world. This is the history of criminal activity in creating new "malware" of various types.
We the good guys seldom get ahead of the bad guys. The bad guy figures out a way to break into devices and cause havoc, and then the good guys become aware of it and create a fix for that particular problem. Then these bad actors find another way to compromise the security of our "castle", and if and when the good guys are aware of that one, they fix that one. It's a series of one-upmanship, back and forth. This is why we need to be eternally aware and take appropriate action to protect our livelihood as IMTs as the landscape of cyber security continually unfolds.
This is also why you need a security partner, me in this case, to help you navigate successfully this cyber world we are a part of. I am here to help you, to serve you.
But for now, back to passwords: the only solution, really, is a "password manager" app, such as Keeper Security, OnePass or LastPass. Or perhaps an RSA token, though it is less universally applicable at this time. It is usually not possible to remember all your 16-or-more character passwords that combine letters, numbers, symbols and special characters, or really, really long password phrases with interspersed non-letter characters. A password manager will generate for you a long, highly complex password for every account you use, that you can use on your computer, phone, iPad, etc., so you don't have to remember them. But you need a long, complex master password to get into your password manager that you WILL remember; hence you need to remember only one password to have access to all of them. And that one should probably be changed often enough, but on an unpredictable schedule (internet criminal mentality is based upon that which is predictable).
At this point you might say: "well, if it takes only one password to get into all my passwords, how is that a good thing?" That's one point of view. Consider that your master password must be complex enough and long enough that a criminal is not likely to want to spend the time trying to break it, and even if they try they won't live long enough to "crack" it. That's the beauty right now of using a password manager: you can create a password as long and as complex as the account will accept. And, of course, never share your master password with anyone else. As long as passwords are required for our digital life, this is the best approach. Just think it through carefully, and it will be obvious. Take a moment here and really think this one through, is my suggestion. And do research.
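The two arguments above, that the search space grows with password length and alphabet while the attacker's guess rate keeps rising with processing power, and that a manager-generated password is the practical answer, worked through in an added Python example that is not part of the original page. The guess rate and the hardware doubling period are assumptions for illustration; the three common passwords stand in for a cracking wordlist.

```python
import secrets
import string

# Character classes an attacker has to cover; each class present in a password
# enlarges the alphabet the search must run over.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# Constructed stand-in for a cracking wordlist; the page names these three.
COMMON_PASSWORDS = {"password", "qwerty", "123456"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes actually used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search of this length and alphabet covers."""
    return charset_size(password) ** len(password)


def seconds_to_crack(password: str, guesses_per_second: float) -> float:
    """Expected time to hit the password: a wordlist entry falls at once,
    otherwise on average half the keyspace has to be tried."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / 2 / guesses_per_second


def years_to_crack(password: str, guesses_per_second: float) -> float:
    return seconds_to_crack(password, guesses_per_second) / SECONDS_PER_YEAR


def years_to_crack_later(password: str, guesses_per_second: float,
                         years_from_now: float, doubling_years: float = 1.5) -> float:
    """The same estimate after hardware improves. Assumption for illustration:
    the attacker's guess rate doubles every `doubling_years`."""
    faster_rate = guesses_per_second * 2 ** (years_from_now / doubling_years)
    return years_to_crack(password, faster_rate)


def generate_password(length: int = 20) -> str:
    """What a password manager does for you: a uniformly random password drawn
    from all four classes using the OS cryptographic random source."""
    alphabet = "".join(CLASSES.values())
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for one cracking rig
    for pw in ["password", "abcdefgh", "Tr0mbone!2004", generate_password(20)]:
        print(f"{pw!r:28} alphabet={charset_size(pw):3} "
              f"now={years_to_crack(pw, rate):.3g} yr  "
              f"in 15 yr={years_to_crack_later(pw, rate, 15):.3g} yr")
```

Run it and compare the 8-letter lowercase password with the generated 20-character one: the first falls in seconds, the second stays out of reach even after the assumed 15 years of hardware growth.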
In January 2022, Forbes reported: "cyber perils are the biggest concerns for companies globally in 2022" (1,2).
Wow! Isn't that an astounding statement! Cyber perils are the BIGGEST CONCERN for companies everywhere in the world. Our music teaching IS a company in this definition though small. And attacks on small companies are increasingly on the rise these last few years. (3)
Are we aware that emails we receive, if opened, can have links in them to direct us to infected websites that install malware on our devices? Or can have an attachment when opened that will do the same thing? "Malware", short for malicious software, is software installed that is used to gain access to a computer or device that then sends data from your device, or your home or business network, to the internet criminal. Malware can also render the infected computer or device unusable. Are we aware of the risks in searches we might do on Google, Bing or Yahoo, and how to minimize that risk, so we are much less likely to click on a "bad" website that could infect our systems?
How about the credentials we use on the internet, the usernames and passwords that are our access to our digital lives? There are free or low cost password hacking tools available to internet criminals. If your password is not complex enough or long enough it could be easily compromised. And if you use the same password for everything, or reuse others, because they are just too hard to remember, and the criminal gets those passwords, he has access to your digital life, your music teaching digital life, your mission critical data. He can do what he wants with it. This reason alone is enough to want to use a password manager, as suggested earlier.
How you could lose all your teaching data from one single internet event
Ransomware is on the rise and is expected to continue to increase. "Ransomware" is a cybercrime that occurs when your device is broken into by an internet criminal, who "locks" all the data on your computer or device so you cannot use it at all. It's like a criminal who gets into your house and changes all the locks to work with a different key, so you cannot get into your own home! The internet criminal who locked your data with ransomware then demands that you give them a lot of money in order to receive a code to unlock your own data so you can use it again. But, guess what, you give them money once and they'll do it to you all over again. So you need to be in a position where, IF your computer or device is held hostage by ransomware, you have the recourse to never pay the criminal, because you have a copy of ALL your data, every bit of it, somewhere they cannot access.
According to Norton, one of the top US based global security companies, "The government says that... ...75 percent of all ransomware attacks are on small businesses..." (3) (wake up call: this includes YOU, the Independent Music Teacher)
The independent music teacher is of course the owner of a small business, whether you are incorporated or not, are a sole proprietor with a full time income, or teach music as a side income. We are just as prone to these cyber attacks as any other small business. We music teachers are not used to thinking in these terms, that we are a business with mission critical business data that is like low-hanging fruit to the cyber criminal. But we are. We need to get educated about it, and understand what we can do without paying huge sums for an IT consultant to come to us to help us. You can do this in an affordable manner, and I am here to help you with the "how".
Do you have a website? Is it "secure"? The simple solution for protection...
Do you have a website? Is it secured with SSL/TLS, which means the website address starts with "https" rather than the insecure "http"? If you have the secure "https" website address, your website has that little lock icon by the address on all pages. That lock means connections to your website from a prospective student or anyone else are encrypted and safe. In 2014 Google announced that encrypted websites improve Google search rankings (5). In 2017 Google announced they would start showing a "not secure" warning for insecure "http" website addresses (6). Those who use Safari, Firefox, Edge, Brave and other "browsers", as they are called, now see similar warnings, since those browsers have followed Google's example.
When a prospective student lands on your insecure "http" website they will see a separate warning, or it shows in the website address as "not secure...". Will they leave your website looking for one that is safer? If this were you, not the student, would you feel comfortable reaching out to the website, through a contact form, with your personal identifying information? Or would you find another "safer" website? (7). If a website shows the "not secure..." warning, do you know whether the person who says they own that website really does own it? After all, just "who" are they?
These websites use certificates, a combination of a private and a public certificate, to allow your devices to access any such website. Certificates are created using complex mathematical formulae and are based upon cryptography best practices for generating and using them. The certificates are forms of identity, one public, one private. Both must be present for the device's browser to access the website. They are referred to as fingerprints, forms of identification. It is a far superior design to the insecure "http" website, which requires no proof of identity. This helps make sure the website you are visiting is the one you want to visit and not an imposter website that will steal your data.
Even though this is great and necessary, it is possible in some cases for the private certificate to be "spoofed", which means impersonated, and that can take you to a malicious website instead. (10)
This is one of many reasons that we need a security app running and evaluating our internet behavior at all times - even for Apple devices.
Apple will not admit this as a necessity for security because they are financially invested in your believing they are nigh impenetrable to internet criminals. Apple devices are by design more secure than others, that is generally accurate, but that does not make them impenetrable. (12)
Your internet service devices are an essential level of defense....
Do you teach online from home or an office? Does your home or office network have a "known good" digital perimeter of safety around it, protecting you from the most common internet attacks? Were you aware you need such a perimeter of verifiable safety, that you can have it and that it is not hard to maintain if you know what to do? If you ever had to restart your modem or router and it fixed a connection problem with anything on the internet, such as your Zoom or Skype lesson, you may have been an unnecessary victim of an internet attack.
It is important to periodically check for updates for your home internet service equipment or your teaching location equipment, whether or not you have connected your own WiFi device or "router" to your Internet Service Provider's (ISP's) equipment. Though your internet service provider "should" do periodic security updates to the equipment they gave you, like your cable modem for example, they do not necessarily do so. Why should you be at risk because your ISP is not doing their due diligence? Also, is your home and teaching location internet equipment configured properly to avoid being "scanned" from the internet to see if your "internet front door" is open?
Your device(s) that provide your internet service are the front door to all devices on your home or business network, and if that door is not locked correctly, your entire home or business network is at risk of intrusion. It is no different from leaving home to go shopping and leaving your front door unlocked: anyone who walks up to the door could get in.
The Independent Music Teacher typically does not have an IT department. We also tend not to understand WHY we are exposed or HOW we are compromised, nor do we tend to understand WHAT we can do about all that, especially if we have little or no understanding of technology. Just as a piano student can learn to play the piano, you too can learn to improve your cybersecurity, your computer/device security, to protect what is important, and in a lot less time than it takes to learn to play the piano.
The IoT (internet of things) creates heightened security concerns...
You may have heard of the "Internet of Things" or "IoT" for short. This is the total assemblage of gadgets, devices, cool toys, practical devices that are not computer devices per se, but use the kind of technology found in computers to create a multiverse of things that talk to other devices and/or the internet. Even if they don't talk to the internet directly they talk to another device that does talk to the internet. These things usually have the name "Smart" in front of them: smart refrigerators, smart watches, smart door locks, smart bicycles, smart fire alarms, smart security camera systems, smart speakers, smart baby cams, medical related sensors, fitness and health trackers, Google Alexa, the list goes on and on.
In 2021 it was estimated there were about 12 billion IoT devices in the world. Remember there are about 7.6 billion PEOPLE in the world! By the year 2025 it is estimated that there will be about 27 billion IoT devices connected and in use in the world. (8)
Ask yourself how many of these devices are in your home now and how many you might have in a few years. Understand that each one of these IoT devices is another potential open doorway into your home, your business, and wherever you store and keep your teaching related data. So, I'm of the opinion that our homes or small offices where we teach will need a simple-to-use hardware "firewall", and that the market for that will likely increase. One company trying to make them simple enough and affordable for a home or small business, for a person with limited understanding of technology, is "Firewalla" (9). Their solution is easy: you connect it to your internet and manage it from your "smart" cell phone. I expect more companies like Firewalla will spring up over time. The need is there now, and will be greater in the future.
Strive to Find the Balance between Security and Stability
Whatever you do for your cyber security and data security, I suggest you strive to find a balance between security and usability, so that we don't get too overzealous with the idea of security for its own sake. Plan your security and roll it out wisely, is my suggestion. As I mentioned earlier, I'm in the process of developing courses independent music teachers can take to educate themselves about all these things and more, and to learn how to take the needed steps for security and how to keep up with the changes in technology going forward. And I will focus on making this easy to understand and implement wisely.
Steps you can take to protect from cyber threats and secure your data
Some steps we can take to protect ourselves from cyber threats are below; steps 1 and 8 are the most critical, and you can do them NOW, before the other steps:
1. Update your software, apps and operating system, and keep them updated, while maintaining software stability (sometimes updates can break stability, so it's a good idea to research the update for known issues before installing, especially if the device is used for teaching directly). These updates include security updates, and that is why it is important to update your device, even if you feel you won't need or use the new features they offer. Understand that specific security updates are created for specific cyber threats that are CURRENTLY ACTIVE on the internet. That is why we need these security updates on our devices, to protect against them. It's a game of keeping up with whatever the bad actors on the internet come up with as their latest ploy, and we need to protect ourselves from it.
2. Use a comprehensive security program/app on your computers and devices (Yes, even Mac and iOS; they are not immune to being compromised. Yes, Apple designs them with built-in protections, and in theory an iPhone is more secure than Android, and we can make a case that macOS is inherently more secure than Windows, BUT Apple's iOS security design and measures have been directly bypassed in the past, the threat going straight to the "kernel" where power over your device resides. Even with the best design and the best intentions, it's never foolproof. This is why a known good data backup is essential, from step 8 below.) Use this security program/app to scan everything on your computer when you have no programs or apps open and are not using your computer. Once you complete step 8 below, scan that backup using your security program/app to look for "bad stuff" and delete it. Depending on how you use your non-computer devices, you may want additional security measures in place that solutions like BitDefender, Webroot, Sophos and others can provide. It's risk vs. benefit, compared with how you use your device and what is stored on your device that is for your eyes only.
3. Obtain training for yourself and those who work with you to raise awareness of suspicious links and attachments in emails (I hope to provide training like this in the future, so please stay tuned...)
4. Use multi-factor, two-factor (2FA) authentication as much as is available; especially for your banking website, your business credit card online accounts, and other financial related accounts. (However, I do not recommend using your fingerprint for authentication because your fingerprint cannot be changed. A password or RSA token can be changed, but never your fingerprint, unless you are Tom Cruise in a spy movie..... ha! But seriously, though Touch ID/fingerprint scanner works, it has an unintended consequence that far outweighs the convenience and supposed level of security. Understand that this technology takes a person's fingerprint and converts it into a data file. It matters not that the data file is encrypted with the best modern standards. If the device the data file resides on is compromised and that data file is taken from your device by criminals, either by taking your physical device or through the next generation of PEGASUS SPYWARE or similar, it will be stored on a server somewhere until developments in the future allow for enough computing power and advancement in breaking security measures that your fingerprint will someday be revealed and usable as your fingerprint. That is the unintended consequence of identity theft from Touch ID/fingerprint scanner. When that data file is disclosed to someone other than you, THEY have YOUR physical identity through that fingerprint, for the rest of your life. So do you really want to store a file equivalent to your fingerprint on your device?? Really??...)
5. Use a password manager, such as Keeper Security, LastPass, NordPass and others, so all your passwords can be unique and complex enough to be strong, and accessible when you need them from any of your devices, and you never have to remember any of them. Today 16-20 characters, a combination of letters, numbers, symbols and special characters, is considered by some a minimum necessity for security. A password manager will generate for you a complex password, of the length and complexity of your choice. You need to remember only one long, complex password, and that is the password needed to get into your password manager.
6. Learn wise methods of conducting safe internet searches and go to websites that have "https" as the first part of the address, never "http". "Https" means a secure encrypted connection from your device's browser to the website. "Http" means unsecured non-encrypted connection. Encryption is a method of scrambling data so it is understandable only for the intended parties involved. It uses a series of mathematical computations to protect the data so that a cryptographic "key" is required to open and use the data.
7. Have a daily cloud service backup of your data. This could be backed up automatically, however often makes sense for your computer usage, though I suggest NOT running it all the time on a device you use to teach, if you teach online, because it will likely negatively impact your online lesson performance.
8. Have a physical (non-cloud) backup to a device connected to your computer that is stored at your home or business (you may want to include an entire computer or device backup not just data files). However please do NOT leave it connected to your computer at all times or it will be constantly exposed to risk. Disconnect from the internet, reboot your device, then perform the backup. This is the safest way to approach that.
9. Have a full weekly and/or monthly and/or quarterly backup to a device connected to your computer that is stored OFF SITE, such as in a safe deposit box at your bank (a full computer backup, not just data files).
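Steps 8 and 9 above, the copy to a locally attached drive and the "do you know for sure it will work when needed" check from earlier on the page, as an added Python example that is not part of the original page. It copies a folder to an assumed external-drive path, writes a SHA-256 manifest of the originals, and re-hashes the copy so you can prove the backup is intact before you put it in the safe deposit box; disconnecting from the internet and rebooting first remain manual steps.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "manifest.json"  # written into each backup folder beside the copied files


def sha256_of(path: Path) -> str:
    """SHA-256 of one file, read in 1 MiB chunks so large audio or score files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def backup(source: Path, backup_root: Path, name: Optional[str] = None) -> Path:
    """Copy source into a timestamped folder under backup_root (assumed to be the
    mount point of the external drive) and record a manifest of what was copied."""
    if name is None:
        name = "studio-backup-" + datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_root / name
    shutil.copytree(source, dest)
    manifest = build_manifest(source)  # hash the originals, not the copy
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return dest


def verify(dest: Path) -> dict:
    """Re-hash the backup copy and compare against the manifest written at backup time.
    Returns the files that are intact, missing, corrupted, or not in the manifest."""
    expected = json.loads((dest / MANIFEST_NAME).read_text())
    actual = build_manifest(dest)
    return {
        "ok": [p for p in expected if actual.get(p) == expected[p]],
        "missing": [p for p in expected if p not in actual],
        "corrupted": [p for p in expected if p in actual and actual[p] != expected[p]],
        "unexpected": [p for p in actual if p not in expected],
    }


def run_demo() -> tuple:
    """Constructed sample studio data (not real records): back it up and verify,
    then damage the copy and verify again to show the check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "studio-data"
        (source / "students").mkdir(parents=True)
        (source / "students" / "roster.csv").write_text("name,birthdate\nA. Student,2012-03-04\n")
        (source / "policies.txt").write_text("Studio policy 2022\n")
        (source / "repertoire.json").write_text('{"A. Student": ["Clementi Op. 36 No. 1"]}\n')
        dest = backup(source, root / "external-drive", name="studio-backup-demo")
        clean = verify(dest)
        # Simulate bit rot on one file and a lost file on the backup medium.
        (dest / "policies.txt").write_text("Studio policy 2022 (altered)\n")
        (dest / "students" / "roster.csv").unlink()
        damaged = verify(dest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("fresh backup:", clean)
    print("damaged backup:", damaged)
```

For a real run, point `backup()` at your teaching data folder and the drive's mount point, then call `verify()` on the returned folder before disconnecting the drive, and again whenever you bring it back from off-site storage.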
More will be coming later on these and related topics. I have not yet created a blog. I will at some point convert this to a blog...... But I wanted to get started here without delay. I also hope to create some courses for you! Please check back often.