Did you know?
According to a recent survey, most students have only met half of their Facebook contacts, and consider only 25% or less as close friends. But they still share personal information on their page.
- 73% include their relationship status
- 72% include their date of birth
- 41% share their email address
- 14% display their phone numbers
And men are at higher risk of student finance fraud than women, because they’re significantly more likely to make their profile public, accept anyone as a friend, and be less vigilant with their personal details.
Action Fraud - Online reporting service
The Action Fraud online reporting service should be used if you have been scammed, defrauded or experienced cyber crime in England, Wales and Northern Ireland.
You can report fraud or cyber crime any time of the day or night; the service enables you to both report a fraud and find help and support. They also provide help and advice over the phone through the Action Fraud contact centre.
IT security
Sharing data in this way can make you exposed and vulnerable. While you’re at University, you’ll use a wide range of IT systems and services, not all provided by the University.
We take great efforts to ensure the security of our IT systems. By taking some common-sense steps, you can help keep your personal data and equipment safe.
Safe browsing
- Remember to log off or lock a PC if you leave it, so other people can’t use your accounts, printing credit and personal network storage space. Don’t share your login details on social media sites, or with other people.
- Are your friends really friends? In Facebook, use the Privacy link to change your settings in order to make your details harder to find.
- ‘Shoulder surfing’ is another way people can collect information such as your passwords and PIN numbers. Someone reading the screen over your shoulder, or watching you type, can use this information to build an accurate profile of you, and then impersonate you to obtain credit cards and bank accounts in your name.
- Always set a password on your own PC and mobile device, and don’t tick ‘remember my password’ or similar options.
- Public Wi-Fi hotspots can be a great help when you’re not on campus, but they can be insecure, especially if you’re not prompted for any security key.
- Treat sensitive and personal information about your friends and colleagues as you would your own information.
Physical security
Although the University is a relatively safe environment, be careful not to leave your personal IT equipment unattended.
Be wary of people trying to manipulate you into giving them information or belongings, perhaps through impersonation. This is known as social engineering. For example, they may claim to be from IT Help and remove your equipment to fix it elsewhere, or ask for your password.
We will never ask for your password, so don’t give it to anyone else.
Identity theft
When banking online, only submit your credit card or bank account details to the website of a well-known and respected organisation. Make sure you’ve typed in the web address yourself, rather than clicking on a link from an email.
When you log into a financial site, the web address should start with ‘https’ and there should be a padlock icon in the address bar or in the bottom right corner of the browser.
Cookies are mostly harmless files that websites use to remember you. But they can be used by malicious sites for targeted advertising or for identity theft. Search engines use them with your IP address, which means that your searches are not anonymous. You can set your browser to block or to warn you about cookies using the Security and Privacy options.
Online fraud
From time to time you may receive unsolicited emails carrying branding to make you believe the University or another reputable company requires some personal information from you. It may try to convince you that your computer has a virus, or of problems with your bank account. This is known as phishing.
Never respond to these unsolicited requests for confidential information. The Student Loan Company will never ask for bank details or personal information by email. If in any doubt contact the organisation directly using a trusted means of communication.
Similar fraudulent attempts to get your details may come through texts or phone calls. The latter is known as voice phishing, or vishing.
Viruses & trojans
There’s always a risk of infecting your PC with viruses, trojans and other malware. Here are some things you can do to minimise this risk.
- Make sure your virus checker is up to date. You should scan your files regularly, especially if you have plugged your mobile device into another computer.
- Back up your files regularly.
- It’s best not to open any files attached to an email from an unknown, suspicious or untrustworthy source.
- If you’re not sure about the content of attachments to emails, don’t open them – especially if the email has an odd title or poor spelling or grammar.
- Delete chain and junk emails rather than forwarding or replying to any of them.
- Be careful when downloading files from the internet. Ensure that the source is a legitimate and reputable one. It’s better if an anti-virus program checks the files on the download site. If in doubt, don’t open, download, or execute any files or email attachments.
Encryption
Encryption is the conversion of data into a form that can’t be easily accessed by unauthorised people. All confidential, personal and sensitive data should be stored securely, especially on laptops, tablets, USB sticks and phones.
If your assignments and project work have information relating to personal data – for example age or ethnic origin – it’s your responsibility to protect that information. Encryption is the best way of doing this.
Password policy
The password and user name used to access your account are the only two pieces of information required to see your files and emails, so your password should be treated as securely as any other piece of confidential information.
It must be at least 8 characters long and contain at least one each of
- an uppercase character
- a lowercase character
- a number
It shouldn’t contain your name or login code, family names, pet names, car details or any other easily identifiable information.
Protect your password at all times.
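The following is an added example (not part of the University's own guidance or systems) that applies the rules stated above: minimum length, uppercase, lowercase, a number, and no easily identifiable personal details. It also flags the ‘stronger’ tier the page mentions later (at least one symbol). The student name, login code and pet name are constructed sample values, and the symbol set is an assumption beyond the + - * # the page lists.

```python
# Rules taken from the password policy described on this page:
# at least 8 characters, at least one uppercase, one lowercase and one
# number, and nothing easily identifiable (name, login code, pet name ...).
MIN_LENGTH = 8
# The page gives + - * # as examples; the rest of this set is an assumption.
SYMBOLS = set("+-*#!$%&@?_=.,;:/\\()[]{}<>^~|")


def check_password(password: str, personal_terms=()) -> list:
    """Return the policy rules the password breaks (empty list if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    lowered = password.lower()
    for term in personal_terms:
        term = term.strip().lower()
        # Ignore one- or two-letter fragments so "jo" does not match everything.
        if len(term) >= 3 and term in lowered:
            problems.append(f"contains personal detail '{term}'")
    return problems


def is_strong(password: str, personal_terms=()) -> bool:
    """Policy-compliant AND contains at least one symbol (the 'stronger' tier)."""
    if check_password(password, personal_terms):
        return False
    return any(c in SYMBOLS for c in password)


if __name__ == "__main__":
    # Constructed sample: fictitious student 'Sam Jones', login 'sjones12', pet 'Rex'.
    terms = ["Sam", "Jones", "sjones12", "Rex"]
    for pw in ["rexrules1", "Jones2024!", "Tr0ubador&3", "short1A"]:
        verdict = check_password(pw, terms) or ["OK"]
        print(f"{pw:12} {'strong' if is_strong(pw, terms) else '      '} {verdict}")
```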
Password hygiene
All users must manage the passwords associated with their identifiers for each service they are authorised to access in a safe and secure manner. It is good practice that:
- Each password is appropriate and secret
- You should not use the same password for different services
- Everyone should have their own password, i.e. do not share your account or password details with anyone else
- Passwords should not be guessable, i.e. not your partner’s name, dates of birth, or names of your children; these are very easy for criminals to research and find
- Passwords or logon details should never be divulged to any person; this includes the account holder’s manager, colleagues, staff and members of IT Services
- Identifiers, passwords and logon details should not be written down
- You should not let your web-browser remember (cache) your passwords
To facilitate the secure management of passwords on the IT systems, the following rules are applied:
- It is good practice to change passwords regularly; recommendations from the ICO and under ISO27001 vary, advising that this is done between every 15 and every 60 days.
- Passwords for the main University network will automatically expire after a maximum of 6 months for staff and after 3 years or the life of the course for students; passwords may not be reused.
- Passwords require a minimum of EIGHT characters (one of which must be numeric) with a mixture of upper and lower case characters. A stronger password will include at least one symbol (+, -, *, #, etc).
- Requests for password resets can be made via the self-service password reset facility available (24 hours a day, 7 days a week) via the University Internet site or alternatively can be handled by the SIZ.
- University email: Staff and students are provided with University email accounts. Many day-to-day activities are undertaken using email, e.g. meeting requests, documents, business decisions, and requests for service/information. Confidential data should not be sent or stored as an email, and should be moved to a case management system as soon as possible.
- Personal email: Many staff and students also have personal email through providers such as Gmail and Yahoo. The University permits users to access their personal email accounts on campus; however, their use for private and confidential data is not permitted.
- Email on mobile telephones: Mobile phones (of all makes) have very little security. Email on a mobile phone increases the risk of unauthorised access to accounts, data and passwords. With a mobile phone, only web-email can be used. Email passwords should not be set to be ‘remembered’ by the device, and email should not be downloaded to the device.
Considerations when using email and instant messaging:
- Be careful to ensure you have input the email address you are sending to correctly, as misspellings could lead to private information being sent to an unauthorised person.
- You should not use non-University video conferencing, as this can be intercepted (and recorded)
- Many of the alternative video conferencing platforms sell on information from every keystroke, every syllable said, images, and profiles of your relationship to your contacts; these are bought by marketing companies, but also potentially by criminals
- Email and instant messaging are unsecured communication tools; what you send can easily be intercepted
- University email should only be used for temporary storage of any type of data. Email attachments and any email containing private or confidential data should always be moved to network storage.
- Personal email and personal instant messaging must not be used to transmit or store private and confidential data in or out.
- Mobile phones should only use password protected web-based email. You should not use an email ‘client’ service that downloads email to the device.
- The University’s email system will delete appointments and sent mail that is more than 12 months old.
Leaving the University
On leaving the University your access to systems and services is ceased. Your University storage areas and email account are archived for up to 90 days before being permanently deleted.
Students may be offered an Alumni email account; however, we equally respect the right to be forgotten.
Where there is agreement to do so (and so long as it does not contravene UK Data Protection legislation) copies of private and public data (for example teaching notes, or your own research) may be made available for you to transfer to another organisation, or to a home account.
Lost laptops and mobile phones - especially those 'left on a train'
Any device that has the facility to access University IT services, whether on campus or off, and whether owned by the University or not, is something that cyber-criminals will try to exploit.
Because of this relationship to the University, all devices with the facility to access University services are ‘in-scope’ of any cyber-accreditations and audits, and of the agencies that regulate data protection, for example.
In addition to day-to-day attempts by cyber criminals to access and compromise devices, any device that is temporarily or permanently lost becomes more likely to be ‘interfered’ with.
As we cannot account for whether equipment has been interfered with once it is outside of your control, any lost equipment becomes something of concern. If this leads to any (even near-miss) data loss incident, everything you and the University did is highly scrutinised, whether or not this might logically be connected to any previously lost device(s). The Government agencies that regulate data protection can levy multimillion-pound fines on the University if we are not proactive, and effective in our reactive approach, in all aspects of how any data loss occurs.
Found/Recovered device
You should make every attempt to recover the device. This includes contacting lost property at bus and train depots, for example if the device was left on a train.
For property lost on campus, see https://help.chi.ac.uk/lost-property-guide
Equipment disposal
In order to reduce the risks of data loss, and to ensure compliance with environmental policies (as well as to avoid unachievable liabilities, for example under the Sale of Goods Act), redundant or surplus IT equipment is rarely allowed to be retained by a leaving member of staff or a student, and is rarely sold. Surplus equipment is recycled through an accredited disposal company, who ensure that any residual data is securely deleted.