Coronavirus has forced education providers to implement home working and studying on a grand scale. For IT, cyber security and security information staff it’s triggered a whirlwind few weeks trying to quickly organise remote access for thousands of users, while also ensuring the safety of systems and data.
Home working can be less secure than connecting to the internet while on campus via the dedicated education and research network, Janet. So, there are many and varied potential security potholes to negotiate.
Jisc’s cyber security team has been flat out providing technical security expertise and services to colleges and universities. Here’s a round-up of their broad advice:
New accounts or accesses
Insist on strong passwords for all user accounts and, where possible, implement two-factor authentication. Please refer to the National Cyber Security Centre (NCSC) guidance for system owners responsible for determining password policy.
Make sure devices encrypt data while at rest, which will protect information on the device if it is lost or stolen. Also check that devices include tools that can remotely lock access to the device, and erase or retrieve data.
If you are permitting people to use their own devices to work remotely, please refer to the NCSC's bring your own device (BYOD) guidance.
Virtual private networks (VPNs)
Through data encryption, VPNs allow remote users to securely access IT resources, such as email and file services, and is advisable for those dealing with sensitive information. If using a VPN, make sure it is fully patched.
There’s been a lot of coverage about video conferencing applications such as Zoom, and a previous blog by the head of Jisc’s security operations centre outlines simple steps to take to make these applications more secure. The NCSC has produced guidance, while the Janet computer security incident response team (CSIRT) has also published advice.
Ensure users know how to update software on their devices and why that’s important.
Make sure staff know how to report problems. This is especially important for security issues.
Jisc advocates security information awareness training for all staff and students. For organisations that don’t have their own online modules, the NCSC's Top Tips for Staff e-learning package will help fill the gap, while Jisc also offers specific training on phishing.
USB drives can be easily shared and are not easy to track. They can also introduce malware, so Jisc advises against their use. There are other, more secure means of sharing files, such as corporate storage or collaboration tools.
There have been many reported coronavirus scams. Cyber criminals are quick to take advantage of any disaster, playing on emotions to commit fraud by encouraging people to click through to dodgy websites which, for example, offer face masks for sale, or ask for donations. Others may trick people into giving away passwords.
Janet CSIRT is available to support colleges and universities deal with cyber security incidents or queries. Even if no assistance is required, please let the team know of incidents as it helps Jisc to determine if there is a wider cyber campaign affecting the sector.
For more advice on dealing with the coronavirus crisis, refer to Jisc’s dedicated information pages.