We’re zooming through summer! July is here! Look for the return of the monthly security awareness posters in August!
For now, here’s a reminder about maintaining the safety of those portable devices we now depend on – our smartphones, tablets and even laptops.
With an increasing amount of sensitive data being stored on personal devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is stolen or misplaced.
- Encrypt sensitive information. Add a layer of protection to your files by using the built-in encryption tools included on your computer’s operating system. Use BitLocker for Windows, FileVault for MacOS, and for Android and iOS devices use the encryption that is part of the system, which in some cases is enabled by default.
- Secure those devices and backup data! Make sure that you can remotely lock or wipe each mobile device. That also means backing up data on each device in case you need to use the remote wipe function. Backups are advantageous on multiple levels. Not only will you be able to restore the information, but you’ll be able to identify and report exactly what information is at risk. (See Good Security Habits for more information).
- Never leave your devices unattended in a public place or office. If you must leave your device in your car, place it in the truck, out of sight, before you get to your destination, and be aware that the summer heat of a parked car could damage your device.
- Password-protect your devices. Give yourself more time to protect your data and remotely wipe your device if it is lost or stolen by enabling passwords, PINs, fingerprint scans, or other forms of authentication. (See Choosing and Protecting Passwords.) Do not choose options that allow your computer to remember your password.
- Put that shredder to work! While not directly related to portable devices, paper records are VERY portable! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing them away.
- Be smart about recycling or disposing of old computers and mobile devices. Properly destroy your computer’s hard drive. The User Support department will do this for your Berry machines, but you should do the same for your personal devices. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
- Verify app permissions. Don’t forget to review an app’s specifications and privacy permissions before installing it! Use some common sense. Device permissions unrelated to the purpose of the app should not be accepted.
- Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots. If you must, find a good VPN application for your device and use it.
- Keep software up to date. If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities. (See Understanding Patches and Software Updates.)
What can you do if your laptop or mobile device is lost or stolen? Report the loss or theft to the appropriate authorities. These parties may include representatives from law-enforcement agencies, as well as hotel or conference staff. If your Berry device is lost or stolen and contained sensitive institutional or student information, immediately report the loss or theft to your supervisor and OIT so that they can act quickly. Even if you believe the device did not store sensitive or confidential information, report the incident as quickly as possible.
Two more items:
First, the external email banner is now active in Outlook and on Outlook Web Access. Emails received from non-Berry addresses will have the banner alerting you to this fact at the top of the message. There have been a number of questions about this service and I want to address them.
- I am very glad that some of you are confident in your ability to discern the validity of any given email, but we have a large percentage of faculty, staff, and students who cannot. This is intended to help them when they receive an email from “President Briggs” or from “their supervisor” asking them for “a favor”.
- There is no way to exclude certain addresses from the banner – if the email came from a non-Berry account, it will contain the banner.
- If you need to forward the email to someone else, and don’t want the banner in the forwarded correspondence, the banner is removable in the edit window for the forwarded email.
- Email banners like this one are common both at other higher education institutions and in the corporate space.
I understand it requires a new process for handling the vast amounts of emails we receive on a daily basis. We tested another way to alert users by inserting a tag in the subject line of the email, instead of using the banner, but the banner was the preferred method according to the test group.
Unfortunately, it only takes one phished user to compromise a large portion of our information systems. We have been lucky so far that the only phishing attempts our users have fallen for involved buying gift cards or giving up their username and password, both easily remedied.
I would be happy to discuss this further with anyone, but for now, this policy stands for our entire email user population.
Second, you are strongly encouraged to sign up for multi-factor authentication (MFA) to improve the security of your account. Check out the May Information Security Newsletter for more information.
Have a great rest-of-the summer!