Why Would Teesside be targeted?
We hold a great deal of information that could be exploited if it gets into the wrong hands. This information includes personal details and research data. As an example, the loss or theft of personal details, such as name, date of birth and address, could lead to your bank accounts being compromised or credit agreements being set up. Research data is intellectual property, and it may also contain additional confidential information, such as medical records. Much of the information collected will be confidential, which may make it valuable to potential thieves.
If you suspect that personal data of any nature may have been lost or disclosed, it's vital that you report this as soon as possible. You can report this via the IT Support portal, or by contacting Legal & Governance Services on 01642 342563.
- Social Engineering
Social engineering is the art of manipulating people into giving
up their valuable personal information. The goal of these attacks may
vary but often involves trying to steal passwords, banking information
or other valuable confidential information.
- Malware & Cyber attacks
Malware is the term used for 'malicious software' which encompasses a
range of different types of cyber threats to information security. At the University we use several technical controls to counter this kind of threat. We implement antivirus software on desktop PCs and prevent certain applications from running. For further advice and guidance, contact the IT Helpdesk.
- Phishing Scams
Phishing is the term given to the way fraudsters try to lure people into
giving away personal data. This is normally done by email but can also
be done by letter and by SMS (text message) too. Phishing generally occurs in 90% of successful cyber attacks. This threat is one of the largest we face as an institution, so we have developed guidance dedicated solely to this threat.
- Social Media
Think before you post anything online which could reveal personal
information about you or your family and friends which could be
exploited by others.
A survey by the UK consumer organisation 'Which?' reviewed the social
media profiles of 44 volunteers and found that they were giving away a
lot more than they realised. 'Which?' even found it possible to obtain a
credit card using the information which one of them had provided!
Be aware of the risks!
Working away from your usual work location takes advantage of the latest technologies, allowing you to take the office with you, working on various devices and connecting in different ways to the information you need. But there are a number of additional risks to information security when working in this way.
- Shoulder Surfing
Just being around other people is enough to put information at risk. Someone can watch over your shoulder as you enter your password or other key information. This is called shoulder surfing.
- Unauthorised access to devices
Anyone who can get access to your computer or other devices can potentially get access to confidential information. Again, unauthorised access can happen anywhere (including in the office) but you are at increased risk when working remotely and in public spaces in particular.
- Loss or theft of devices
It only takes a moment for a device to be stolen, particularly smaller devices. But these can hold lots of confidential information which can be very useful to thieves and fraudsters.
- Public connections
Public (Wi-Fi or mobile data) connections are not as secure as your institution's own network, which will have several layers of security in place. Some public connections have little or no security measures in place. Remember, you may only connect to check one piece of information, but in the background your device could be syncing emails and files from your institution's servers etc.
- Insecure environment
Be aware of your phone calls being overheard in a public, insecure environment (such as a coffee shop or public transport). Don't discuss anything sensitive that could be easily overheard.
Be very careful when using public USB charging ports; there is always the potential that they could be configured to act in a malicious way!
If you or your team needs to consider purchasing or using a cloud service, you should:
Check with Legal and Governance Services, and IT & Digital Services. They must be involved in the procurement or commissioning of any cloud service to be used for University work.
- Is there any need to use a cloud service?
- Does the University already provide an alternative approved service?
- Integration - consider the requirements for any cloud services to communicate with existing or planned future technology, i.e. there would be little point setting up a cloud service which cannot actually be properly accessed via the institution's IT equipment.
- Where is your data stored? You might be in breach of the Data Protection Act if it's outside the European Economic Area. Seek advice from your IT department.
- Are you clear on how the service works and, as a consequence, what happens to your data? For example, will the service copy your data to every device you log on to?
- Who owns the data once it's stored in the cloud, and who has access to it?