Information Security Guidance for Home Working

Information to help keep you and the University safe when you are working from home.

Be wary of phishing scams - think before you click

Phishing emails are a constant problem, whether you are at home or in the office. With the increase in hybrid working, phishing emails may try to take that into account and catch you off guard. Phishing emails work by tricking you into clicking a link or opening an attachment, so attackers can extract information such as passwords, or download malware to your devices.

If you have received an email to your University account which seems suspicious, you can report it via the IS Helpline, which helps the University track, and prevent, any trending scams.

Use anti-virus software on your devices and keep up-to-date

University supported devices will already have anti-virus software, and it is easiest to always use a University supported device.

For personal (BYOD) or self managed devices, ensure you use anti-virus software that updates automatically and make sure that the operating system and software are also updated regularly, ideally automatically.

Keep passwords and credentials private

Never reveal your work login details or passwords to anyone.

Avoid using shared computers

When you are working at home, use a computer that is exclusively for your own use. Security permissions on a shared computer may not have been appropriately configured. For example, it may be possible for any other user of the computer to overcome the permissions, gaining access to your files. Even if you act safely and securely, the other users may not.

If a University supported device is available to you then you should use that as it is the easiest secure option.

Avoid downloading work data to your local device

Unmanaged local copies of data cause a number of issues, from loss of version control to the potential for them to be compromised where a local device has weaker security. Wherever possible, ensure that University data stays on University systems and storage.

Avoid printing work documents away from the office

Local copies of data can form part of a wider breach of data handling good practice, as laid out within the General Data Protection Regulations and Data Protection Act. 

If you have individual allowances to print sensitive documents, this material must be kept secure at your premises. Use a shredder if possible. Please return all confidential waste to the University. 

Keep all work-related emails, discussion and data in your University services 

Do not discuss or send University data outside of University supported services. Your personal emails and webchats (for example WhatsApp, Messenger) do not have the same guarantees of data privacy that supported University services will have negotiated.

Use the University VPN if you are dealing with University data on a BYOD or self managed device.

Microsoft Office 365

Microsoft Office 365's web interfaces can be used for work without having to download University data locally to your device. This improves security and reduces the risk of sensitive University data being left on devices after the need to work remotely has ended.

If you have a University supported laptop then you should use this for University work. This is always the easiest secure option.  

If you do not have a University supported laptop then you should follow the guidance on BYOD and Self Managed devices to ensure that you are able to follow the University Information Security Policy, Data Protection Policy and the Computing Regulations.

The link below gives details on how to connect to and remotely use your office desktop computer, and guidance on other aspects of connecting to necessary information when away from the office. This can be a way to access data or software securely if required. 

Note: the advice also includes some preparatory steps you need to take before you try to connect from off-site.  

What platforms can I use for virtual meetings/events?     

The University provides and supports a number of collaboration tools to support virtual meetings and events. 

Can I record my virtual meeting/event?     

Yes, as long as you inform people at the time when you send out the meeting invites. The legal basis for recording will be ‘legitimate interest’ and that means that all participants must have the chance to opt out prior to the meeting. If anybody opts out, you won’t be able to record the meeting. However, if you intend to record meetings, please be aware that all recorded information held by the University may be requested under freedom of information or data protection law. Please note that Committee meetings will not be recorded.

Do:

  • Assess the risks of the data you are using and the circumstances you are in. If you are accessing high risk data then it should only be accessed securely on University supported IT equipment.
  • If possible, try to ensure your computer screen is not overlooked by anyone. This includes other people within the same household. Similarly, protect your password from being observed as it is entered.
  • Report any suspected data security incidents immediately to the IS Helpline or your local support team.
  • For services where there already is a level of encryption in transit (Office365, Teams, LinkedIn Learning etc.) and where the information being handled is not high risk, you may use direct connections. For services or data that would be of a higher impact, the VPN must be used.
  • Use University storage services (such as DataStore, OneDrive, SharePoint) to keep your data safe, secure and available to you - University File Storage and Cloud Based Storage.
  • Set your device to lock automatically
  • Physically secure your device, especially at night
  • Beware of phishing emails

Don't:

  • Use a public or unsecured Internet connection when accessing sensitive or confidential data.   
  • Leave your computer unlocked when you are not in front of it. Locking should be automatic, but Windows key + L on a PC and Command+Control+Q on a Macintosh will lock it immediately.
  • Copy or download data from University approved IT equipment or storage services to your own personal hardware.  
  • Allow anyone else to use your work IT equipment.   
  • Discuss confidential data during phone calls or through video chats if you can be overheard.   
  • Use a shared computer. 
  • Share meeting joining details on social media or other public forums. This risks them becoming widely available and risks unwanted intrusion.