Cybersecurity Best Practices
We care about the security of our members and employers. In many ways, your online safety also protects us from bad actors who may look to breach our systems.
The following tips and recommendations are intended to help you stay safe online.
Secure Your Passwords
Our online passwords have become one of our more precious pieces of personal information — the stronger the password, the better protected you are from cybercriminals.
Here's a list of tips to help ensure your passwords are strong:
- Use a mix of uppercase and lowercase letters, numbers, and, when allowed, symbols.
- Aim for a password length of at least 16 characters; added length does more for strength than any single extra symbol.
- Never reuse a password on another site. When one site is breached, attackers try the leaked password on every other site, so a single reused password can compromise several of your accounts. A password manager on your computer or mobile device can store a unique password for every site, with a single master password giving you access to them all.
- Always keep your passwords to yourself.
- Avoid storing passwords where others can find them (like under your keyboard).
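To make the password tips above concrete, here is an added example (not code from this page or from CalPERS) of how a password manager generates a unique password and why 16 characters matters. The symbol set, the 16-character minimum and the 20-character default are assumptions chosen for the example; a site may allow a different symbol set.

```python
import math
import secrets
import string

# Character classes from the tips above. SYMBOLS is an assumed set for this example;
# a given site may allow fewer or different symbols.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
MIN_LENGTH = 16  # recommended minimum length from the tips above


def check_password(password: str, allow_symbols: bool = True) -> list[str]:
    """Return the list of rules the password fails (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [("lowercase letter", LOWER), ("uppercase letter", UPPER), ("digit", DIGITS)]
    if allow_symbols:
        classes.append(("symbol", SYMBOLS))
    for name, chars in classes:
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    return problems


def generate_password(length: int = 20, allow_symbols: bool = True) -> str:
    """Generate a random password the way a password manager does.

    Uses the operating system's cryptographic random source (secrets, never
    random) and discards candidates that miss a character class, so every
    result passes check_password().
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = LOWER + UPPER + DIGITS + (SYMBOLS if allow_symbols else "")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, allow_symbols):
            return candidate


def entropy_bits(length: int, allow_symbols: bool = True) -> float:
    """Bits of entropy of a uniformly random password of this length.

    Each extra character multiplies the guessing work by the alphabet size,
    which is why length matters more than any single extra symbol.
    """
    alphabet_size = len(LOWER + UPPER + DIGITS + (SYMBOLS if allow_symbols else ""))
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_password(pw), f"{entropy_bits(len(pw)):.0f} bits")
    print(check_password("correcthorsebatterystaple"))
```

A 16-character password drawn from letters and digits alone has about 95 bits of entropy, far beyond what an attacker can guess even with stolen password hashes; an 8-character one from the same alphabet has under 48. Generating rather than inventing passwords also removes the temptation to reuse one.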
Limit Posting Identifiable Information Online
Whether on websites or social media applications, don't post any identifiable information that you wouldn't be comfortable with a stranger knowing. For example, showing off your favorite pet "Fido" on social media can leave you vulnerable if your password security questions ask for the name of your favorite pet. Even if information or photos are deleted, they may still exist as a cached webpage or saved on other devices.
Assume any online activity will leave a permanent digital footprint.
Check Your Account Settings
Most online accounts have settings to help you keep your account secure. If you haven't already, explore the settings offered, as they might not be implemented by default. Here's a quick list of features to look for:
More sites are employing multifactor authentication (MFA) as an added security setting for your online accounts. MFA is a security process that requires more than one method of identity verification. MFA may already be familiar to you, as many banking and financial institutions require both a password and a one-time code from either a text, phone call, or email.
According to the National Institute of Standards and Technology (NIST), MFA should be used whenever possible, especially when it comes to your most sensitive data—like your primary email, financial accounts, and health records.
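The one-time codes mentioned above (sent by text, phone call, or email) are only a second factor if the site handles them carefully. The following added example, not code from this page or from any site's real implementation, shows the server side of such a code: it is generated from a cryptographic random source, stored only as a salted hash, expires, can be used once, and is locked after a few wrong guesses so the six digits cannot simply be tried one by one. The five-minute lifetime and five-attempt limit are assumed policy values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_DIGITS = 6
CODE_LIFETIME_S = 300   # assumed policy: code expires five minutes after issue
MAX_ATTEMPTS = 5        # assumed policy: lock the code after this many wrong guesses


@dataclass
class PendingCode:
    """What the server stores: a salted hash of the code, never the code itself,
    so a database leak does not reveal codes still in flight."""
    salt: bytes
    digest: bytes
    issued_at: float
    attempts: int = 0
    used: bool = False


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


def issue_code(now: Optional[float] = None) -> tuple[str, PendingCode]:
    """Create a fresh code. The string is what gets sent to the user by text,
    call or email; the PendingCode is what the server keeps."""
    now = time.time() if now is None else now
    # secrets (the OS cryptographic random source), zero-padded to six digits
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    return code, PendingCode(salt=salt, digest=_digest(code, salt), issued_at=now)


def verify_code(pending: PendingCode, submitted: str, now: Optional[float] = None) -> str:
    """Check a submitted code. Returns 'ok', 'used', 'expired', 'locked' or 'wrong'.

    Order matters: a used or expired code is rejected before any comparison,
    and once MAX_ATTEMPTS guesses have failed even the right code is refused,
    which stops an attacker from walking through all one million values.
    """
    now = time.time() if now is None else now
    if pending.used:
        return "used"
    if now - pending.issued_at > CODE_LIFETIME_S:
        return "expired"
    if pending.attempts >= MAX_ATTEMPTS:
        return "locked"
    pending.attempts += 1
    # Constant-time comparison so response timing does not leak matching digits.
    if hmac.compare_digest(_digest(submitted, pending.salt), pending.digest):
        pending.used = True
        return "ok"
    return "wrong"


if __name__ == "__main__":
    code, record = issue_code()
    print("sent to user:", code)
    print(verify_code(record, "000000"), verify_code(record, code), verify_code(record, code))
```

Note that the code is a second factor only because it reaches you over a channel an attacker holding just your password does not control. That is also why you should never read a code back to someone who calls or messages you asking for it.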
Login and activity alerts send an email, text, or other notification every time your account is accessed from a new device or browser, so you learn of unauthorized access quickly and can change your password and sign out the unknown session.
Many sites use personal security questions as an added check during password or username recovery. You have probably seen these, with questions such as "What was the name of your first pet?" or "What was the first car you owned?".
Some websites draw their security questions from information about you that is already available online, while others let you choose your own questions, which is an opportunity to add another layer of security. If you can set your own answers, get creative: the answer does not have to be true, only something you can reproduce. For instance, "What was the first car you owned?" could be answered "Fido," and "What was the name of your first pet?" could be answered "Dodge Stratus." Record these made-up answers in your password manager so you do not lose access to the account yourself.
Email: Think Before You Click
If you receive an unexpected email, or one from an unknown sender, don't follow any links or open any attachments. Avoid links whose destination you cannot verify; hovering over a link shows where it really goes, which is often not the address shown in the text. Unverified links, senders, or attachments can give cybercriminals a path onto your computer and to your personal information. Simply delete the email. If you are ever in doubt whether an email really came from a company or organization you know, contact them directly to verify it, using a phone number or website address you already have rather than one provided in the email.
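The "where does this link really go?" check above can be automated. The following added example, not code from this page or from CalPERS, parses the anchor tags in an HTML email and flags links whose visible text names one site while the real destination is another, links to domains the sender does not use, plain-HTTP links, and links straight to executables. The email body and the trusted domain are constructed for the example; the domain logic takes the last two labels of a hostname, which is an assumption that a real tool would replace with the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email: the first link's visible text claims the bank's own
# site while its href points somewhere else; the last link is an executable.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention. Please sign in at
<a href="https://login.example-bank.com.verify-now.example/session">https://login.example-bank.com</a>
or review <a href="https://www.example-bank.com/help">our help page</a>.</p>
<p>Download: <a href="http://cdn.example.net/statement.pdf.exe">statement.pdf</a></p>
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Assumed simplification for this example;
    a real check would consult the Public Suffix List (e.g. for 'co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html: str, trusted_domains: set[str]) -> list[dict]:
    """Return every link a reader should not click, each with its reasons."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = urlparse(href)
        href_domain = registrable_domain(target.hostname or "")
        # 1. Visible text is itself a URL, but names a different site than the href.
        if text.startswith(("http://", "https://")):
            text_domain = registrable_domain(urlparse(text).hostname or "")
            if text_domain != href_domain:
                reasons.append(f"link text says {text_domain} but goes to {href_domain}")
        # 2. Destination is not a domain the sender legitimately uses.
        if href_domain not in trusted_domains:
            reasons.append(f"destination {href_domain} is not a known domain")
        # 3. Unencrypted transport, or a direct download of an executable.
        if target.scheme == "http":
            reasons.append("unencrypted http link")
        if target.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("links directly to an executable")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML, {"example-bank.com"}):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The legitimate help-page link passes while the lookalike login link and the disguised executable are flagged. Mail filters apply the same ideas at scale; for an individual, hovering to compare the shown and real addresses covers the first check by hand.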
Mobile Device Precautions
With mobile devices, we communicate over more channels: phone calls, SMS/text, and various messaging apps. Whatever channel you are using, take the same precautions you would with email; treat messages, links, or attachments from unknown senders with care.
Unsecured Wi-Fi and Device Charging Stations
Always think twice before connecting to "free" Wi-Fi hotspots in public. Public Wi-Fi networks are often unsecured and can expose your online activity to spying third parties, who can take sensitive information from your connected devices and use it for malicious purposes. They may also be able to see the business you conduct, including usernames, passwords, and anything you enter into a website. Sites that use HTTPS encrypt what you send them, but the network operator still sees which sites you visit; a VPN from a provider you trust hides that as well.
Similarly, charging kiosks and public USB ports can be deliberately tampered with to steal information from any connected device, and the captured information can be retrieved remotely by whoever compromised the port. This is commonly called "juice jacking." Carry your own external battery if you expect to need a charge later in the day, or charge from an electrical outlet using your own AC adapter. A charge-only USB adapter (often sold as a "data blocker") also prevents any data transfer over the cable.
Read Privacy Policies
A privacy policy is a declaration that describes how an organization will collect and use data about individuals who agree to it. By agreeing with an organization's privacy policy, you are expressing consent for that organization to use your data as described within its policy. One common misconception is that all privacy policies are statements about protecting personal data. In fact, privacy policies vary widely, and all exist simply because an organization is collecting personal data. Some policies can be documents explaining that the data collected will be protected in various ways, while others can be documents stating that your information may be shared with third parties anywhere in the world.
It's important to read and understand privacy policies before agreeing to them. Different people may be comfortable with different levels of privacy, but everyone should understand exactly what they are consenting to. As a rule of thumb, if you don't have time to read it, don't accept it.
View the CalPERS Privacy Policy.
Additional Cybersecurity Resources
The digital landscape is continuously changing. It's up to all of us to protect ourselves and the individuals in our lives. While anything can happen on a given day, following the best practices outlined on this webpage will help protect your online privacy and security. In addition to these best practices, many agencies provide resources to better protect personal information and devices. The following are some state, federal, and nonprofit resources that are freely available:
- Cybersecurity and Infrastructure Security Agency: Tips
- FBI: Cyber Crime
- California Department of Justice, Office of the Attorney General: Business Privacy Resources
- National Cyber Security Alliance: Update Your Privacy Settings
- United States Department of Justice: Computer Crime and Intellectual Property Section
When to Contact Us
If you suspect your personally identifiable information or protected health information has been compromised in any way, contact us immediately by phone at 888 CalPERS (or 888-225-7377) or by secure message through myCalPERS.