Top 5 things to do first
- If the file you are working with is S3 (private) or S4 (restricted) data, DO NOT save the file on a personal computer.
- Make sure to update your personal computer, install current anti-virus software and turn on auto-updates.
- Be on the lookout for phishing scams, especially COVID-19-themed ones, that will try to steal your login credentials or personal information.
- Set strong passwords and don't reuse them.
- Educate yourself on protecting yourself, your work and your family.
As we adjust to a “new normal”, many of us are asking: how can we be as productive working remotely as we are in the office? Among the challenges, it is also important to consider how to protect yourself and your work from cyber threats.
If you are an employee of Ohio State, you can access the Ohio State Cybersecurity 4 You security awareness platform for short, actionable articles, podcasts and videos on how to protect yourself and your systems. You earn rewards while learning to protect yourself and your family, including fully licensed anti-virus, anti-malware and VPN software for personal use on your home devices.
Additional questions you may be asking
1. How do I protect against COVID-19 related scams and attacks?
Social engineering is the largest concern at this juncture. Social engineering is a collection of psychological attacks designed to trick you into clicking bad links or accessing nefarious websites. The bad guys capitalize on fear to upload malware or to steal your credentials/accounts.
In times of crisis, such as natural disasters and pandemics, the likelihood of charity fraud grows. You may also see an increase in “work from home” job offer scams. The bulk of these attempts are delivered through phishing emails. Attempts can also occur via social media, texting or phone calls. Using your best judgment is key. If something smells “phishy,” better to hang up, delete the text, or report the email through firstname.lastname@example.org.
During our current COVID-19 crisis, phishing messages may take many forms: email attachments such as COVID-19 infection maps that contain malware, links to fake websites that claim to offer information about the virus, or requests for users to log in to websites to review or accept new policies/procedures. All of these could be used in relation to the pandemic.
Always remember: never share personal or financial information through email, text or a non-solicited phone call. No person from the university (or any legitimate business) should ever ask for your password or social security number. Remain vigilant.
2. How do I report a security incident?
A security incident refers to an event that may suggest a computer, application or data is compromised. If you believe that an Ohio State-related tool may not be working correctly due to a security issue, please report this to your local IT team (or by sending an email to email@example.com, or calling 614-688-4357).
If you work for the Wexner Medical Center, you should report security incidents by emailing ISSecurity@osumc.edu or calling 614-293-3861.
3. What data should I access?
Refrain from accessing university Private (S3) or Restricted (S4) data when working from a personal device. If you don’t know what S3 or S4 data are, you can find an activity on Cybersecurity 4 You that helps explain it here. Do not save university data directly to your personal device or hard drive.
4. How can I protect my personal computer and devices?
Always make it a priority to keep current/updated anti-virus running. If you are an Ohio State employee and need anti-virus/anti-malware software for your home computer, you can obtain it for free (personal use only). Educate yourself on protecting yourself and your family.
Accessing the Cybersecurity 4 You security awareness platform and achieving Level 2 offers free anti-virus, anti-malware and VPN for your personal devices.
You can also find out more about protecting personal devices by visiting the following page and clicking on the "Personal Devices" link.
Update Operating System, Browser and Critical Software
If you’re currently running a Windows 7 computer, upgrade to Windows 10. Make sure you are using the latest version of your web browser. Browsers can be just as vulnerable as an old operating system. Frequently used software, like Adobe Acrobat, for instance, requires recurring updates. Consider using software's internal auto-update settings so you don't miss a crucial fix.
5. How can I protect my home wireless?
It is crucial to ensure your home wireless is secure by enabling a WPA2/WPA3 password on the network and changing default passwords. You can find more information on Wi-Fi safety here.
Also, remember that any device you connect to your home wireless (baby monitors, gaming consoles, TVs, audio assistants) is an access point where others could potentially hop on your network. Be sure to change the default passwords on any device you connect to the same network you use for work.
6. What is a VPN and should I use one while working remotely?
VPNs, or Virtual Private Networks, allow you to securely access departmental files or resources from a remote location. Units across the university provide a variety of VPN options for employees. Before you access S3 or S4 data, reach out to your local IT to get access to the appropriate VPN for your area. Learn more about VPNs in general here.
7. How do I keep my accounts safe when working from home?
- If credentials are for a university purpose, and the person knowing the credentials is incapacitated, that will cause a business continuity issue. Avoid that risk by using the university-approved solution for university passwords, Privileged Access Manager (PAM). Contact your security coordinator or local IT to find out how to get access to PAM.
- When considering business continuity, consider your own personal business as well. If you manage family accounts, make sure others know how to do so if you are incapacitated by illness. The use of a password manager can help.
- You should take advantage of multi-factor authentication for any account (university or personal) that provides that feature. Many university systems already require the use of BuckeyePass for login. For critical accounts like banking, credit cards and health care sites, use the method recommended by the providing company to prevent unauthorized access. In addition, it is important to establish a secondary authentication method beyond your cell phone in case that device is misplaced or without battery power.
8. Should I work on a free, open or unsecured Wi-Fi connection?
Only use public Wi-Fi networks when absolutely necessary, and always use a VPN while connected to them. It is preferable to utilize a cellular hotspot instead of a free Wi-Fi network if you have one. If you are an employee of Ohio State, you can review the following activity on Cybersecurity 4 You to learn more about the usage of free Wi-Fi.
9. How do I collaborate with my co-workers securely?
Always use the tools recommended/provided by Ohio State for collaboration. Ohio State offers file sharing via BuckeyeBox/Office 365, conferencing via Skype for Business/CarmenZoom, teaching tools via Carmen and Microsoft Teams.
10. How do I secure my remote office space?
We get it: kids running around, family members lurking. Distractions are a part of this “new normal.” In spite of all of this, don’t lose sight of your computer accessing university systems or data. Treat the machine as seriously as you would on campus. Do not allow your children to surf the internet on an Ohio State device. Always lock your screen when walking away from the computer. If possible, move your work to a segmented space in your home to gain some privacy.
11. What should I do to protect myself against ransomware?
The best practice is always to back up your data somewhere safe. University data should always be stored on a university system. However, remember that those personal photos, files, and documents are important to protect too. Choose an online backup solution or a trusted external device (hard drive, flash/thumb drive) to store those files in case your primary files are encrypted by a cybercriminal.
Avoiding malware like ransomware starts with a good anti-virus, updating your computer, and not falling for phishing scams.
However, if you experience what you believe to be a ransomware attack on your data, first consider whose data it is. If it is university data, you are not permitted to pay the ransom without getting university administration approval. Contact your local IT immediately. DO NOT attempt to correct the issue on your own by deleting files or shutting down the machine; doing so may destroy critical clues about how to get the data back.
12. How do I keep data safe when I'm using a 3rd party, or cloud, application?
Any 3rd party application that handles university data should go through a security assessment. To see whether your app has already been assessed, check the Cloud Assessment Registry. It will give you details on what data classification the app can safely handle.
If the application or cloud service you wish to use is not identified on the registry, please contact the Enterprise Security Risk Assessment Team.
For more questions about cybersecurity preparedness during the COVID-19 response, please email firstname.lastname@example.org.
For a security issue or incident, please report this to your local IT team (or by sending an email to email@example.com).
If you work for the Wexner Medical Center, you should report security incidents by emailing ISSecurity@osumc.edu.