Staying "Cyber" Safe

The following quick tips were written by Nelson Ody (Security Services Manager at Jisc).

• Suss out suspicious apps: Why, for example, would a calculator app be asking to access your phone’s camera? It doesn’t need to, so it probably has an ulterior spying motive. Apply common sense.
• Avoid the phisherman’s hook: One of the recent scams that first-year students are subjected to is an email telling them they’ve won a bursary and all they need to do to get it is to hand over their bank account details. The rule is, if it seems too good to be true then it probably is.
• Take care what you click: If you receive an unsolicited email from someone you don’t know, or a strange email from someone you do know that contains a puzzling attachment or a link, it’s best avoided – it could be a virus, or a spoof website.
• Resist temptation: Students are often targeted to use as mules to launder money. It sounds great – hand over your bank details and you get £50 a week, no questions asked – but you’d be breaking the law by allowing someone to use your account for illicit purposes.
• Beef-up passwords: Use a separate password for your email account, which if breached, can often provide access to many of your other online accounts. A solid password is one that comprises a short phrase of at least three words, plus numbers and/or other characters. Avoid using obvious passwords such as children’s or pets’ names, which criminals may be able to guess after looking at your social media accounts – so be careful what you post. It’s best never to repeat password and, so you don’t have to remember them all, use an online password safe, which will store them all securely. The government's Cyber Aware campaign has further advice.
• Keep computers healthy: Install anti-virus software (a free package is better than nothing), back-up regularly, and update software when prompted to do as they often contain security patches.
• Preserve privacy: be very careful of communicating personal or sensitive information when using public computers, or a pubic wi-fi network, which are vulnerable to hackers. Your name and address maybe all that’s required to steal your identity, for example. Be similarly wary what you post on social media and check your account privacy settings to limit who can see what. Ideally, use a VPN (virtual private network) which uses data encryption to hide internet activity.

• For each site that you use; you will need to visit the Privacy Settings page(s) and decide how visible you want to be. This can be a complicated process, but it is often better to be overly cautious with regards to your personal privacy.
• Periodically review the privacy policies/settings of those sites you use.
• You may want to consider using multiple profiles on some sites – creating separate profiles for your personal and professional lives. Your professional profile may be set as being more open and visible than your private one and can be used exclusively for your academic content, comment and communication.
• The connected nature of the internet means that it is possible to harvest an enormous number of trivial facts about an individual that can then be built up into a full profile and used for fraudulent means such as identity theft. Never publish personal details (your own or those of others) on social networking sites. This may include, but is not limited to, date of birth, phone numbers, financial details, home address, mother’s maiden name, etc.
• Carefully consider how you conduct your online relationships with students, customers and other stakeholders. How can these compromise your safety and/or identity?
• Use caution in your use of geo-tagging services. Revealing your current location may inform the world that your home or office are presently unoccupied.
• Do not use your university login credentials as your username and password for social networking or any other sites - a security breach at another site could allow someone to access your university account.
• If you would not do it offline – do not do it online. This may include arranging to meet strangers in an unknown or remote location or offering to phone someone outside of the working environment.

• Updated guide to Facebook privacy settings

You should also review your passwords, your online behaviour and your understanding of phishing - available from our Cyber Security page.

You are what others see

First (and often second) impressions count in almost all aspects of our lives. Future employers are very likely to search for you online to get a snapshot of the sort of person you are. Consider the following:

• Would you walk into a job interview straight from a night out and expect to be hired?
• Would you swear (visually or vocally) in a classroom or workplace?
• Would you teach in a school whilst wearing inappropriate clothing?
• Would you steal from a shop?

These are all things that the professional body, for your course, or a future employer could interpret from your online activity. Let's view these examples slightly differently.

• Have you (or your friends) posted images of you in a drunken or culturally inappropriate state?
• Have you made unpleasant comments about another person or posted images that show you offering a visual insult?
• Are there any pictures of you, online, that you would not want to be found by a class of 13 year old students?
• Have you ever spoken about watching a DVD before its official release date?

Can a person, searching for you online, view any negative information about you or from you?

Clean it up

If you completed an "Ego Surf" after reading Identity Fraud (above), then you should have a reasonable idea of what is good and bad about the content of your online presence. Now is the time to put it all right.

• Delete anything embarrassing.
• Delete anything that shows you in a bad light.
• If you wouldn't show it to your grandma or put it in your CV - then it probably needs to go!
• Teaching or coaching? If you don't want it to be found by a class of 14 year olds - then it probably needs to go!
• Got an old Bebo or MySpace account that you will never use again - get rid of it! See the BackgroundChecks website for information about how to delete your account at hundreds of popular sites.
• And don't forget to check your privacy settings. If in doubt - lock it down! 
• If your online existence is one long stream of "funny" GIFs, insults and rude jokes - maybe you need to delete your account(s) and start again.

Adding some shine

It does not all need to be negative. You can turn your online presence to your advantage. Showcase your best bits.

1. Grab yourself a LinkedIn account and start to create a professional profile. "Friend" some important and some local people in your chosen field.
2. Sign up to one or more suitable social sites that will allow you to showcase your talents:
   • Vimeo or YouTube if you're in the arts or handy with a video camera.
   • Flickr or Google Photos if you're good with a camera
   • Search for dedicated networks for your chosen career - there are a few out there (lots for educators)
3. If you have a professional body - add them to your network of friends on one or more platforms (often Facebook and Twitter as a minimum).
4. Consider creating a "nameplate" site - these are one-page websites that let you create a public profile like a brief visual CV, but some are so much more than that. Add videos, create portfolios of projects, keep a blog (online diary), write a traditional CV and more:
   • About.me - Simple one page site with image and brief details/link(s) (example Olivia Lane)
   • Flavors.me - you can draw in a feed of your content from other sites such as Facebook, Twitter, Vimeo and Flickr (example Future Female)
5. Why not sell yourself through a "sticky" post on Facebook and/or Twitter. You can write something amazing and then "pin" it to the top of your wall or profile.

Reputation Management

An excellent article from Status Labs that is worth a read: Reputation Management for Individuals – 20 Essential Tips

There are times when data/information is required to be transferred between the university and external organisations.  It is therefore important to understand the various methods that are available to you in order to transfer data securely according to the sensitivity of the data.

Staff

Staff should read the following advice in StaffHub, as it contains some additional advice and links to staff-only resources:

Staff Guidance for Secure Data Transfer (staff login required)

Students

Email

Email should be considered one of the least secure communication methods when communicating with external users/organisations.  Why?  The university's email service within Office 365 uses an encryption process which encrypts the connection between your device and the email service at Microsoft.  Although this provides protection from a malicious user trying to intercept data that you send or receive, the message itself is not encrypted and there are no guarantees that the recipient's email provider creates a secure connection for its users.  In addition, emails can easily be forwarded to other people/organisations unknown to you (or mistakenly by the recipient). Again, the email message is not encrypted and any recipient can open it without their identity being confirmed.

It is important to determine the sensitivity of the data being transferred before using email as a method to distribute.  If in doubt, password protect and encrypt the data before sending.  Please continue reading for further guidance on these methods.

OneDrive for Business

All university students have access to OneDrive for Business. OneDrive for Business allows you to share (editable or view-only) a specific folder or file with a user inside and outside of the university. The data remains in one place (in your OneDrive) and only the recipient stated will have access to the data in question.

Click here for further information on how to share using OneDrive for Business.

Password Protect and Encrypt an MS Office Document, Workbook or Presentation

Where data is held within a Office 2016 document, dorkbook or presentation (Windows and Mac), it is possible to encrypt the data and password protect it. This provides some reassurance that if a recipient's device becomes compromised and the file readily accessible, then a password will be required in order to decrypt and open the file.

The password should not be your university password (or anything similar) or any other password you use for university or personal services. In the unlikely event the password should be discovered outside your intended audience, you do not want a user using your password to access any other accounts you have. Do not write this password down other than in a secure password store and ensure you can remember it. Information Services will not be able to gain entry to files that are password protected. It may be wise to ensure an unencrypted copy is available to you.

Windows 10 

Click here for further information on how to set file encryption and password protection.  

Mac OSX

Word - click here, Excel - click here, PowerPoint - click here 

Note this feature will only be available for Microsoft Word, Excel and PowerPoint files.

Encrypt a folder and contents

​Where multiple files are required to be sent to someone and where the data is deemed sensitive or confidential, (compressing as a .zip), encrypting and password protecting an entire folder is a sensible procedure. This ensures that should the files be sent via email the data is protected through encryption and password. This method cannot only be used with email but with encrypted USB sticks or even OneDrive for Business for additional protection.

Windows 10

• Before attempting to encrypt a folder you must first ensure the correct application is installed; 7-Zip File Manager. For the majority of corporate Windows 10 desktops and laptops, 7-Zip is already installed.
• Open 7-Zip File Manager and select the folder you which to encrypt and password protect.
  
• Click 'Add' and a new 'Add to Archive' window will appear.
  
• Provide a name for the archive (the .zip folder).
  
• There are multiple options available but for basic encryption and protection move to the 'Encryption' section and enter (and re-enter) a suitable password (see Password Security for more information).
  
• Ensure your screen is not being overlooked by another user/individual and select 'show password'. Ensure this is the intended password and you can remember it.  Do not write this password down other than in a secure password store. It may be wise to ensure an unencrypted copy of the data is available to you in a safe place such as your OneDrive​.
  
• Leave the Encryption method as 'AES-256' and select OK.    
  
• The 'zipped' folder will be generated in the location selected. This folder can now be sent using an appropriate method. The recipient will also require 7-Zip installed (this is free to download and install) and of course the password. The password should not be sent via email but via SMS (text) or by speaking to the recipient.

Mac OSX

​Please contact the IT Service Desk for assistance on appropriate software installation and process.

​Encrypted USB Stick

Where data needs to be physically transferred it should be done so on an encrypted USB stick (FIPS compliant) as per the Information Security Policy. Again, a password is required to encrypt the data residing on the USB stick. Ensure you can remember the password and do not write the password down other than in a secure password store.