For IT, cyber security and information security staff, lockdown triggered a whirlwind few weeks trying to quickly organise remote access for thousands of users, while also ensuring the safety of systems and data.
Home working and studying can be less secure than connecting to the internet while on campus via the dedicated education and research network, Janet. So, there are many and varied potential security potholes to negotiate for staff and students.
Jisc’s cyber security team has been flat out providing technical security expertise and services to colleges and universities while you’re all off campus, but there are simple steps we should all be taking to stay safe online. Here’s a round-up:
Protect your accounts
This advice applies to everyone, whether connecting to personal or university/college accounts, and is very simple: choose a strong password and, if it’s offered, switch on multi-factor authentication (MFA).
Believe it or not, the most popular password of 2019 was 123456. And ‘password’ came in at number four.
Come on! We can all do better than that, and if you don’t want your email, Amazon account or access to the virtual learning environment hacked, then you should make an effort. Use a different password for every account, too, otherwise you run the risk of multiple ‘hacks’. Using a password manager is really helpful here.
MFA is slowly being rolled out across the education sector and means that, in addition to your password, you must verify it’s you trying to log on by a second method, for example by approving a request on an app, entering a code sent in a text message, or scanning a fingerprint.
Chances are you’ll be using a laptop at home for a while yet. Most will encrypt data while at rest, which will protect information on the device if it is lost or stolen, but if it’s your own device, do check.
Whether using a phone, tablet or laptop, make sure you update the operating system when prompted to do so – this will fix bugs and update security settings. And check out the National Cyber Security Centre’s (NCSC) bring your own device (BYOD) guidance.
Particularly if you’re working on sensitive material, whether that's research, a finance system or personal data, your IT/security team may insist you use a virtual private network (VPN). Through data encryption, VPNs allow remote users to securely access systems. You can download VPNs on to your personal device too.
Be very careful if using USB drives, which can be easily shared and are not easy to track. They can also introduce malware, so Jisc advises against their use altogether. There are other, more secure means of sharing files, such as corporate storage, like SharePoint, or collaboration tools, such as Microsoft Teams.
There’s been a lot of coverage about the pitfalls of video conferencing applications such as Zoom, and a previous blog by the head of Jisc’s security operations centre outlines simple steps to take to make these applications more secure.
These include sharing meeting links safely to keep out unwanted and uninvited guests, sharing screens safely, using a meeting password if possible, and thinking carefully about how call recordings are stored and shared. And what’s in shot behind your webcam? Is there anything in view that should not be seen by all?
The NCSC has produced guidance, while the Janet computer security incident response team (CSIRT) has also published advice.
There have been many reported coronavirus scams.
Cyber criminals are quick to take advantage of any disaster, playing on emotions to commit fraud by encouraging people to click through to dodgy websites which, for example, offer face masks for sale, or ask for donations. Others may trick people into giving away passwords. There’s further information in a blog by Jisc cyber security delivery manager, Jon Hunt.
Think you’ve been sent a phishing email, suspect your device has been infected by a virus, or you’ve been harassed online? Make sure you know who in your organisation to report problems to – and don’t delay!
Are you confident you know how to protect yourself online? Jisc advocates security information awareness training for all staff and students. If your organisation doesn't have its own online modules, the NCSC's top tips for staff e-learning package will help fill the gap.
Chances are, you will all have been asked to sign up to an “acceptable use policy” covering devices and systems. Such policies are sets of rules designed to inform the ways in which networks or systems may be used, including not breaking the law, such as by launching cyber attacks; to stop users sending spam or touting for commercial gain; and to prevent cyber bullying or harassment.