Guidelines on Securely Working from Home

Working from home – potentially with our kids being around and requiring our attention – for a long period of time is new to almost all of us. Today we must not only focus on our work and ourselves, but we are also concerned about the wellbeing of our colleagues, friends and family. This situation can be overwhelming and we need to adjust to this new challenge. The goal of this document is to enable you to work from home as securely as possible. The best part is that all of these steps not only help secure your work, but they will also make you and your family far safer as you create a cybersecure home.

YOU

First, a word of warning: technology alone cannot fully protect you – you are the best defence. Attackers have learned that the easiest way to get what they want is to target you, rather than your computer or other devices. If they want your password, work data or control of your computer, they’ll attempt to trick you into giving it to them, often by creating a sense of urgency. In light of the ongoing crisis, many scams are also related to COVID-19. Criminals create webpages offering information about the virus which try to infect the device you use to visit them. You might also see emails trying to exploit the charitable spirit, e.g. asking you to donate money for sick kids. Please remember that you can report suspicious emails on your professional email account by forwarding them as an attachment to report-a-phish@uni.lu.

The most common indicators of a social engineering attack are:

  1. Someone creating a tremendous sense of urgency, often through fear, intimidation, a crisis or an important deadline.
  2. Pressure to bypass or ignore security policies or procedures, or an offer too good to be true (no, you did not win the lottery!).
  3. A message from a friend or co-worker in which the signature, tone of voice or wording does not sound like them.

The best defense against such attacks is YOU!

– Please do not use any private cloud services to share the data of the university. Instructions on how to connect to the central fileservers or use OneDrive can be found on the service desk at service.uni.lu.

– Don’t forget to back up your data!

– If you have questions or need support in relation to personal data processing in your business activity, please feel free to contact the Data Protection Office via dpo@uni.lu.

Passwords

Passwords accompany us on a daily basis. We use them to access our computers, our emails and all other online services. While at the university you can use one account and password to access many of our systems, you will need additional passwords to access services which are not connected to the central authentication platform. When you need to create a password, always create a strong password: the more characters it has, the stronger it is. Using a passphrase is one of the simplest ways to ensure that you have a strong password. A passphrase is nothing more than a password made up of multiple words and special characters, such as “bee honey bourbon.” Using a unique passphrase means using a different one for each device or online account. This way, if one passphrase is compromised, all of your other accounts and devices are still safe.

Keep your passwords safe. Do not write them down on a piece of paper; instead, use a password manager, which is a specialized program that securely stores all your passphrases in an encrypted format. It will also help you generate strong passwords. All you need to remember is the password to open your password safe. Finally, enable two-step verification (also called two-factor or multi-factor authentication) whenever possible. It uses your password, but also adds a second step, such as a code sent to your smartphone or an app that generates the code for you. Two-step verification is probably the most important step you can take to protect your online accounts and it’s much easier than you may think.

Two-step verification is also planned to come to many of the university’s services.

Additional information on passwords is available on the staff security awareness portal sectraining.uni.lu.

Updates

Cyber attackers are constantly looking for new vulnerabilities in the software your devices use. When they discover vulnerabilities, they use special programs to exploit them and hack into the devices you are using. Meanwhile, the companies that created the software for these devices are hard at work fixing them by releasing updates. By ensuring your computers and mobile devices install these updates promptly, you make it much harder for someone to hack you. To stay current, simply enable automatic updating whenever possible. This rule applies to almost any technology connected to a network, including not only your work devices but also Internet-connected TVs, baby monitors, security cameras, home routers, gaming consoles or even your car. Your university computer is configured to download updates automatically but will sometimes need your OK to install them. Please do so, even if it means that your computer will restart.

Make sure each of your computers, mobile devices, programs and apps is running the latest version of its software. Never disable the automatic download of updates.

Your Data

If you are using a laptop provided by the University, it is easy to access your files. If they are not already on the laptop, you can connect to the university’s servers using the VPN client. If you need to share data between a group of people, you can use OneDrive to do so. Please do not use a private cloud service you might have subscribed to (e.g. Dropbox). Storing and/or sharing on a private cloud might grant access to unauthorized persons in breach of the GDPR and must be avoided.

For security reasons, we cannot allow you to use a private device to connect to one of the fileservers. Without your knowledge, it could have been infected by malware and could thus compromise the systems of the university. If you don’t yet have access to a university laptop and need data which is stored on a fileserver, please ask your colleagues to put it on OneDrive or send individual files via email to you.

The European Data Protection Board (EDPB), the European body providing guidance and interpreting GDPR, published a statement on 19th March 2020 about the processing of personal data in the context of the COVID-19 outbreak. Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. The GDPR allows competent public health authorities and employers to process personal data in the context of an epidemic, in accordance with national law and within the conditions set in the GDPR. The EDPB underlines that, even in these exceptional times, the institutions processing personal data must ensure the protection of personal data of data subjects.

In the context of remote work, the data protection rules and the data protection policy of the University remain applicable. We are all responsible for ensuring the protection of data of individuals processed for business purposes. Storing and/or sharing on a private cloud will grant access to unauthorized persons in breach of the GDPR.

We don’t know yet when we will be allowed to come back to our offices. In the meantime, make sure that you don’t lose data by mistake. If you store data locally, think about doing backups, e.g. by using a USB stick. These are easy to lose, so please take care. Any loss of a professional device / USB stick with university data must be reported to the service desk immediately.

In case of an incident involving personal data, you must report it to the Data Protection Officer by entering a ticket on the ServiceNow portal.

Your Home Network

All of us have a network at home which we use to connect to the internet. Most home networks are controlled by an Internet router or a separate, dedicated wireless access point. Both work in the same way: by broadcasting wireless signals to which home devices connect. This means securing your wireless network is a key part of protecting your home. We recommend the following steps to secure it:

  1. Use strong passwords to protect your home network. The password for the WIFI must be strong and differ from any other password you use. Remember, you only need to enter this password once for each of your devices; they will remember it.
  2. Allow in only people that you trust. Enable strong security on your network by using a strong password to protect your WIFI network. Some routers offer you the possibility to create a guest network which can be used by your friends and visitors without the risk of compromising your devices.
  3. Change the default administrator password for all the devices (router, web cams, …). Administrator accounts are what allow you to configure the settings for your devices. An attacker could guess the password and abuse this access to spy on you and your data.

If you do not know how to access your internet router, ask your Internet Service Provider, check their website, check the documentation that came with your devices, or refer to the vendor’s websites. SIU will not be able to assist you in setting up your private devices at home.

Kids and Guests

Make sure that your family and friends understand they cannot use your work devices.

Something you most likely don’t have to worry about at the office is children, guests or other family members using your work laptop or other work devices. They can accidentally erase or modify information, or, perhaps even worse, accidentally infect the device.

Do you have some spare time and want to know more? Visit cyberfalls.io to improve your cyber security skills.

Stay Safe!

In case of questions, please feel free to reach out to the service desk on service.uni.lu or using the phone number +352466669911 (Mo-Fr, 8:00-19:00).