June 2020: Working Safely and Securely in a Remote Environment


Campus privacy and security professionals can adapt these materials to promote effective ways to work safely and securely in a remote environment. Use these tips and resources to help faculty, staff, and students better understand the risks of remote work and how to protect themselves and their families.


Campus Security Awareness Campaign 2020

This post is part of a larger campaign designed to support privacy, security, and IT professionals as they develop or enhance their security awareness plans. The campaign is brought to you by the Awareness and Training Community Group sponsored by the EDUCAUSE Higher Education Information Security Council (HEISC). View the other monthly blog posts with ready-made content on the security awareness resource page. 

Some states are starting to reopen for business. While many of us remain focused on protecting ourselves in the physical world, this blog post details information security and privacy guidance to help us better protect ourselves in the virtual world. Shelter-in-place orders and curfews may be easing up, but many campuses continue full-time remote work. Even if you or your colleagues did not work from home much or at all before the coronavirus outbreak, it is important that we all follow these guidelines as we continue collaborating and working together from a distance.

Get the Word Out

Newsletter or Website Content

Here are some helpful tips and effective practices for working safely and securely in a remote environment, whether it's a temporary situation or a permanent transition.

  • Use a VPN
    Make use of the corporate VPN at your university for an extra layer of security any time you find yourself on a public or unsecured Wi-Fi network (if you are working at a coffee shop or a library, for example). You can usually request access to the company VPN through your IT department. If your institution does not offer a company VPN, check out a thirty-day money-back guarantee offer here.
  • Run Your Antivirus Software
    Find out whether your university provides antivirus software. Some universities equip employee computers with antivirus software or make antivirus software available online for download. You can usually get this information from the IT help desk or the campus security team. If your workplace does not offer antivirus software, MalwareBytes offers a good-quality virus scanner for free and a higher-quality one for purchase after a fourteen-day trial period. Run your antivirus program daily to pick up on any abnormal activity or possibly corrupted/malicious files that need to be quarantined or removed. Keep in mind that your VPN and antivirus software may not play well together. If this is the case, you may need to use one program at a time to make sure each piece of software works effectively. Please consult your help desk for guidance on proper use.
  • Run Your Updates
    Keeping your devices and applications up to date is probably the most underrated way to protect them. It is also the most ignored. Security and software patches are released with most updates. This means that when you ignore an update, you are leaving an application or operating system vulnerable.
  • Beware of Phishing or Suspicious Emails
    If you encounter suspicious messages or attachments, please forward them to the security team at your institution for further investigation. There has been a surge in malicious online activity as cybercriminals and cyberattackers leverage the heightened fear of the public during the coronavirus pandemic. Online criminals are delivering coronavirus-themed phishing messages via emails, direct messages, and text messages. These messages are often alarmist and include links or attachments with the call to action to "learn more." Clicking the link often results in account compromise, malware delivery, or something else. As always, slow down and double-check the sender field. If a request seems unreasonable or out of character, do not respond. Contact the sender directly to verify that they sent the request or email.
  • Use Strong Passwords
    Because there are a lot more threats out there during the pandemic, there are plenty of bad actors looking to take over accounts. The easiest way to protect your accounts from being compromised is to use long, complex, and unique passwords. A good rule of thumb is to make sure that your passwords are at least fifteen characters long and include a number, a capital letter, and/or a special character. The easiest way to accomplish this is to use passphrases that only make sense to you.
    • DO NOT recycle passwords.
    • DO NOT use variations of the same password.
    • DO NOT use the same passwords for your professional accounts that you use for your personal accounts.

    Recycling passwords, using variations of the same password, and using the same password for professional and personal accounts are all sure-fire ways to have more than one of your accounts compromised in the event of a breach. To keep an eye on what accounts may be exposed, utilize haveibeenpwned.com. If your university has an official password manager, you can use it not only to store but also to generate strong, unique passwords. If you do not know whether your university uses a password manager, get in touch with your help desk or your security team.

  • Employ MFA
    Double down on your account security with multifactor authentication (MFA). MFA adds a second check to verify your identity when logging in to one of your accounts. This helps to keep your account from being compromised even if your password falls into the wrong hands. MFA is often done in one of three ways:
    • SMS (text message). This is the least-secure two-factor authentication (2FA) option, largely because messages are unencrypted and susceptible to SIM hijacking attacks. However, keep in mind that SMS is still a better option than no 2FA at all. With this method, a single-use code made up of a string of numbers is sent straight to your phone.
    • Third-party authenticator app. An authenticator app lives on your mobile device, and every time you enter your password, the app generates a one-time code, which you are required to enter. To use a third-party authentication app, you will need to download one (Google Authenticator, Microsoft Authenticator, etc.) from the app store for your mobile device.
    • Security key (hardware token). This is the most secure 2FA option. It's a small physical key that you either carry or plug in to your device to complete your login. If your university issues security tokens, you should be able to request one from your IT or security department.
  • Maintain a Clean Workspace
    If you're using a shared workspace, be conscious of clearing it of sensitive, nonpublic information, especially if you have to step away. Also, avoid printing out company information at home or in public spaces if it's not necessary for your business function. In addition, if you are listening in on or participating in meetings that could be considered sensitive or in which you share nonpublic information, be sure to put on headphones. If you have the option, work in a separate, dedicated office space whenever possible.
  • Maintain a Secure Workstation
    Use company-issued devices for all your work so you can take advantage of security controls built in by your IT and security teams. If you would like to find out what settings to toggle on or off to secure your workflow and data on your company machine, please contact your respective IT and/or security department for advice.

If you follow these best practices while working from home—or wherever you may be—your work and your information (or other people's information that you might handle) will be at a much lower risk of being compromised.

We hope everyone is staying safe, healthy, and productive.

Social Posts

  • Passwords are the door between you and a compromised account. #MFA is like a deadbolt on that door. If someone does get it open, you'll be happy you have added security! #PasswordSecurity #BeCyberSmart
  • Don't wait, update! Find out why in this EDUCAUSE Review remote work tips blog post: https://er.educause.edu/blogs/2020/3/transitioning-to-remote-work #CyberAware #BeCyberSmart
  • It can be tempting to use your personal machine for work during quarantine, but your company workstation comes with built-in security programs! Contact your support team to find out what they are, and make sure they are running. #BeCyberSmart
  • Get an urgent email, call, or text out of the blue? Make sure to stop and think. Is it a reasonable request? Is this how the sender would normally contact you? Take a moment to evaluate and ask the sender if the request is legitimate. #BeCyberSmart. Prevent #phishing.
  • Keep a clean machine! Install the latest security software and keep your OS and apps updated to defend against #malware. #BeCyberSmart
  • Have peace of mind while online. Avoid public Wi-Fi and use a VPN for added security. #cyberaware

Email Signature

Ask staff to add a tip to their email signature block and link to your institution's information security page.

Example:

Jane or John Doe
Chief Privacy Officer
XYZ College or University

Keep your home network, computer, and mobile devices secure while working remotely. Learn more. [Link "Learn more" to your institution's information security page or link to the EDUCAUSE resource page on Working Remotely]

Embed or Share Videos

Working from Home during COVID-19 (Habitu8)



Phishing (Habitu8)



Resources

For more information about information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page. Access additional security and privacy awareness resources through the Awareness Campaigns page.


Zarmeena Waseem is an Information Security Trainer at The New York Times.

© 2020 Zarmeena Waseem. The text of this work is licensed under a Creative Commons BY 4.0 International License.