Current Information Security Guidance for Home Working
This page is regularly updated by the Information Security Team.
Be wary of phishing scams - think before you click
Since home working became hugely prevalent, there has been an increase in phishing attacks disguised as home-working or COVID-related advice. These scams try to trick you into clicking a link or opening an attachment, so attackers can extract information or download malware to your devices.
If you have received an email to your University account which seems suspicious, you can report it via the IS Helpline, which helps the University track and prevent any trending scams.
Additionally, the National Cyber Security Centre has a Suspicious Email Reporting Service (SERS): https://www.ncsc.gov.uk/information/report-suspicious-emails
NCSC have stated that reporting this way can help them to track and stop many cyber criminals using phishing as a form of attack.
Use anti-virus software on your devices
University-supported devices will already have anti-virus software. For non-supported personal devices, ensure you use anti-virus software and schedule updates automatically. This also applies to OS updates, as these provide ‘patches’ (fixes to any vulnerabilities) to prevent new malware invading your system.
Keep passwords and credentials private
Never reveal your work login details or passwords to anyone. Password managers can help securely store your credentials.
Try to avoid using shared computers
When you are working at home, try to use a computer that is exclusively for your own use.
Security permissions on a shared computer may not have been appropriately configured. For example, it may be possible for any other user of the computer to overcome the permissions, gaining access to your files.
Avoid downloading work data to your local device
Unmanaged local copies of data cause a number of issues, from loss of version control to the potential for them to be compromised where a local device has weaker security. Where possible, ensure that university data stays on university systems and storage.
Avoid printing work documents away from the office
Local copies of data can form part of a wider breach of data handling good practice, as laid out within the General Data Protection Regulations and Data Protection Act.
If you have individual allowances to print sensitive documents, this material must be kept secure at your premises. Use a shredder if possible. When it is confirmed by your line manager that it is safe, please return all confidential waste to the University.
Keep all work-related emails, discussion and data in your university services
Do not discuss or send any sensitive University information outside of University-supported services. Your personal emails and webchats (for example WhatsApp, Messenger) do not have the same guarantees of data privacy that supported University services will have negotiated.
Use the University VPN if you are dealing with sensitive information on a non-supported device
The VPN not only hides passwords from eavesdroppers but also provides a degree of privacy, since it hides the content of your data. If you are processing sensitive data, or working from an untrusted network, you should use the VPN service.
Some services do not require the use of the VPN. The most frequently-used services which require or do not require the Virtual Private Network (VPN) or Remote Desktop (RDP) to gain access:
Office365's web interface can be used for work without having to download University data locally to your device. Since the connection to Office365 is encrypted, this allows you to work from home securely and reduces the risk of sensitive University data being left on devices after the need to work remotely has ended.
For further information on how to use Office365 and the web interface, read through the advice from Information Services:
Many University staff have laptops, which are of course convenient to use while you are out of the office. You can, and should, use these for remotely controlling your work computer (see above), but if you find this does not match the way you need to work, you can carry files locally on your laptop as long as you take special measures to protect them.
To conform with University policy you should:
Encrypt the laptop
In general, any device you use for University business and any important documents should be encrypted, which protects University information from being leaked if your laptop is lost or stolen.
Here is more information about encrypting devices and documents.
Protect your passwords
Never reveal your passwords to anyone.
The link below tells you more about how to choose a stronger password and how to manage your passwords better.
Back up all important files onto a supported University network file store
Ensure you won't lose any important information if your laptop breaks or is stolen.
Here is more information about Backups.
- Ethernet cables between your modem and your device may give better performance and reduce the load for other devices.
- If you connect via Wi-Fi, make sure you have a good strong signal. A poor signal strength on your device generally means lower bandwidth and lower quality.
- Can you move closer to your router or can you move your router to a more central place in your home?
- If your router is on or near the floor, even moving the router to waist or neck height can give better performance across your home.
- You may also wish to contact your broadband provider’s support as they may have recommendations for equipment that may help.
- Restarting your home broadband router can sometimes help with issues. Do this once every 2 weeks to clear any built-up problems in your router.
- Turn off or disconnect devices which don't need to use your home Wi-Fi.
- Be aware of what everyone else at home is doing on the internet and work with them to not overload things when you need to work. Live streaming of movies or live gaming can especially slow down your Wi-Fi for all.
- Rather than stream audio or video, listen to the radio or watch broadcast TV.
- If you are streaming video, try reducing the quality – going from HD to SD saves 75% of the bandwidth.
- Many broadband providers have agreed with the UK Government to remove usage caps at this time. However, if you normally have a usage cap you may wish to confirm that this has indeed been removed, as you will be using substantially more data.
- Try and schedule any large application updates to happen overnight.
- Close down applications that are not being used but may still be using the network.
- If you are logged into the University VPN on a device, avoid using it for other non-work internet services.
- ISG can’t diagnose or resolve any issues you may be having with your home broadband or Wi-Fi – you will need to contact your broadband provider’s support.
- The speed of your broadband can change at times of peak usage. Under current COVID-19 conditions, peak usage may now happen throughout the day.
The link below gives details on how to connect to and remote control your workplace computer, and guidance on other aspects of connecting to necessary information when outside your normal workplace.
Note: the advice also includes some preparatory steps you need to take before you try to connect from off-site.
Frequently asked questions regarding virtual meetings. Please refer to guidance below, updated by the InfoSec team and Data Protection Officer.
What platforms can I use for virtual meetings/events?
The University provides and supports a number of collaboration tools to support virtual meetings and events. Please see the link below for more details.
Can I record my virtual meeting/event?
Yes, as long as you inform people at the time when you send out the meeting invites. The legal basis for recording will be ‘legitimate interest’ and that means that all participants must have the chance to opt out prior to the meeting. If anybody opts out, you won’t be able to record the meeting. However, if you intend to record meetings, please be aware that all recorded information held by the University may be requested under freedom of information or data protection law. Please note that Committee meetings will not be recorded.
What about research?
There is guidance for researchers on the ERO website:
If you collect data involving human participants, and this can be done over the telephone, via electronic surveys etc., this can continue as long as the general online security measures for access and storage are maintained.