Top 5 things to do first
- If the file you are working on is S3 (private) or S4 (restricted) data, DO NOT save the files on a personal computer.
- Make sure to update your personal computer, install current anti-virus software and turn on auto-updates.
- Be on the lookout for phishing scams, especially those regarding COVID-19, that will try to steal your login credentials or personal information.
- Set strong passwords and don't reuse them.
- Educate yourself on protecting yourself, your work and your family.
As we adjust to a “new normal”, many of us are asking: how can we be as productive working remotely as we are in the office? Among the challenges, it is also important to consider how to protect yourself and your work from cyber threats.
If you are an employee of Ohio State, you can access the Ohio State Cybersecurity 4 You security awareness platform for short, actionable articles, podcasts and videos on how to protect yourself and your systems. You earn rewards while learning to protect yourself and your family, including fully licensed anti-virus, anti-malware and VPN software for personal use on your home devices.
Additional questions you may be asking
1. How do I protect against COVID-19 related scams and attacks?
Social engineering is the largest concern at this juncture. Social engineering is a collection of psychological attacks designed to trick you into clicking bad links or accessing nefarious websites. The bad guys capitalize on fear to upload malware or to steal your credentials/accounts.
In times of crises, such as natural disasters and pandemics, the likelihood of charity fraud grows. You may also see an increase in “work from home” job offer scams. The bulk of these attempts are delivered through phishing emails. Attempts can also occur via social media, texting or phone calls. Using your best judgment is key. If something smells “phishy,” better to hang up, delete the text, or report the email through firstname.lastname@example.org.
During our current COVID-19 crisis, phishing messages may take many forms. Messages may carry attachments such as COVID-19 infection maps containing malware, links to fake websites that contain information about the virus, or requests for users to log in to websites to review or accept new policies/procedures. All of these could be utilized in relation to the pandemic.
Always remember: never share personal or financial information through email, text or a non-solicited phone call. No person from the university (or any legitimate business) should ever ask for your password or social security number. Remain vigilant.
2. How do I report a security incident?
A security incident refers to an event that may suggest a computer, application or data is compromised. If you believe that an Ohio State-related tool may not be working correctly due to a security issue, please report this to your local IT team, by sending an email to email@example.com, or by calling 614-688-4357.
If you work for the Wexner Medical Center, you should report security incidents by emailing ISSecurity@osumc.edu or calling 614-293-3861.
3. How can I easily change my password while not on campus?
Changing your password is seldom enjoyable. We get it. That said, it is one of the best ways to ensure cybercriminals don’t find an old password and gain access to your Ohio State accounts.
Making this change is a smooth process when you are physically on campus, as you are already on a trusted network. When attempting to change your password while working remotely, however, you may experience technical difficulties.
Follow these quick tips to change your password with ease while working remotely:
- It may go without saying, but don’t let your password expire. Changing your password when you have time available means you won’t be forced to do so while in the middle of completing a critical task.
- Have all your devices readily available before resetting your password, such as your computer, phone and tablet. This will be helpful for multi-factor authentication and for updating the password on those devices as well.
- Close all applications running on the computer. Close all tabs in your browser but one to avoid any complications.
- Connect to your department’s virtual private network (VPN). If you are unsure if you have a VPN, contact your local IT group. For managed IT services (MITS) customers, use Cisco AnyConnect and choose the OSULAN VPN profile.
- Visit my.osu.edu
- Change your password following the provided password change process.
- If you don’t remember your password, click the "forgot your password" link.
- After changing your password, log in to all your services and apps on all devices. Make sure you are able to sign into everything.
- After the password is changed, force the computer to update by locking and unlocking or reconnecting with the new password:
  - Windows Computer: Lock the computer by pressing Windows key + L, or press Ctrl+Alt+Del and select Lock.
  - Apple Computer: Click the Enterprise Connect icon in the top right and select Reconnect.
- Open Outlook to be prompted for a new password if you are using the University Email System.
- Open each of the other applications like Teams, Skype, etc. If prompted, login with the new password.
- Update all of your mobile devices with the new password to keep wireless access and email if you are using the University Email Service.
- BONUS: Just like changing the batteries in your smoke detectors when you change your clock for daylight savings, if you have passwords on other systems that expire every 180 days, this would be a great time to update them as well for consistency (e.g., Medical Center passwords, departmental passwords, etc.).
- Also, any network share drives which were added manually (not standard drives mapped automatically) will need to be removed and re-mapped.
If on an Ohio State managed laptop:
- If the laptop doesn’t update the local password, you may have to use the old password to get the laptop to unlock. Retain your old password as you may need it during this process.
- Update all devices and applications on your devices with the new password as soon as possible, including wireless or Office 365 applications such as OneNote, Outlook and Teams.
- Before changing your password, log out of BuckeyeMail and all browsers & mobile device apps and be ready to change your password on all mobile devices such as iPhones, iPads and Android Devices.
- Go to my.osu.edu and update your password.
- Update your mobile devices with your new password to stay connected to osuwireless and email if you’re using BuckeyeMail.
- Your new password may be delayed by up to 15 minutes for BuckeyeMail.
4. What data should I access?
Refrain from accessing university Private (S3) or Restricted (S4) data when working from a personal device. If you don’t know what S3 or S4 data are, you can find an activity on Cybersecurity 4 You that helps explain it here. Do not save university data directly to your personal device or hard drive.
5. How can I protect my personal computer and devices?
Always make it a priority to keep current/updated anti-virus running. If you are an Ohio State employee and need anti-virus/anti-malware software for your home computer, you can obtain it for free (personal use only). Educate yourself on protecting yourself and your family.
Accessing the Cybersecurity 4 You security awareness platform and achieving Level 2 offers free anti-virus, anti-malware and VPN for your personal devices.
You can also find out more about protecting personal devices by visiting the following page and clicking on the "Personal Devices" link.
Update Operating System, Browser and Critical Software
If you’re currently running a Windows 7 computer, upgrade to Windows 10. Make sure you are using the latest version of your web browser. Browsers can be just as vulnerable as an old operating system. Frequently used software, like Adobe Acrobat, for instance, requires recurring updates. Consider using software's internal auto-update settings so you don't miss a crucial fix.
6. How can I protect my home wireless?
It is crucial to ensure your home wireless is secure by enabling a WPA2/WPA3 password on the network and changing default passwords. You can find more information on Wi-Fi safety here.
Also, remember that any device you connect to your home wireless (baby monitors, gaming consoles, TVs, audio assistants) is an access point where others could potentially hop on your network. Be sure to change the default passwords on any device you connect to the same network you use for work.
7. What is a VPN and should I use one while working remotely?
VPNs, or Virtual Private Networks, allow you to securely access departmental files or resources from a remote location. Units across the university provide a variety of VPN options for employees. Before you access S3 or S4 data, reach out to your local IT to get access to the appropriate VPN for your area. Learn more about VPNs in general here.
8. How do I keep my accounts safe when working from home?
- If credentials are for a university purpose, and the person knowing the credentials is incapacitated, that will cause a business continuity issue. Avoid that risk by using the university-approved solution for university passwords, Privileged Access Manager (PAM). Contact your security coordinator or local IT to find out how to get access to PAM.
- When considering business continuity, consider your own personal business as well. If you manage family accounts, make sure others know how to do so if you are incapacitated by illness. The use of a password manager can help.
- You should take advantage of multi-factor authentication for any account (university or personal) that provides that feature. Many university systems already require the use of BuckeyePass for login. For critical accounts like banking, credit cards and health care sites, use the method recommended by the providing company to prevent unauthorized access. In addition, it is important to establish a secondary authentication method beyond your cell phone in case that device is misplaced or without battery power.
9. Should I work on a free, open or unsecured Wi-Fi connection?
Only use public Wi-Fi networks when absolutely necessary, and always use a VPN while connected to them. If you have a cellular hotspot, it is preferable to use it instead of a free Wi-Fi network. If you are an employee of Ohio State, you can review the following activity on Cybersecurity 4 You to learn more about the usage of free Wi-Fi.
10. How do I collaborate with my co-workers securely?
Always use the tools recommended/provided by Ohio State for collaboration. Ohio State offers file sharing via BuckeyeBox/Office 365, conferencing via Skype for Business/CarmenZoom, teaching tools via Carmen and Microsoft Teams.
11. How do I secure my remote office space?
We get it: kids running around, family members lurking. Distractions are a part of this “new normal.” In spite of all of this, don’t lose sight of your computer accessing university systems or data. Treat the machine as seriously as you would on campus. Do not allow your children to surf the internet on an Ohio State device. Always lock your screen when walking away from the computer. If possible, move your work to a segmented space in your home to gain some privacy.
12. What should I do to protect myself against ransomware?
The best practice is always to back up your data somewhere safe. University data should always be stored on a university system. However, remember that those personal photos, files, and documents are important to protect too. Choose an online backup solution or a trusted external device (hard drive, flash/thumb drive) to store those files in case your primary files are encrypted by a cybercriminal.
Avoiding malware like ransomware starts with a good anti-virus, updating your computer, and not falling for phishing scams.
However, if you experience what you believe to be a ransomware attack on your data, first consider whose data it is. If it is university data, you are not permitted to pay the ransom without getting university administration approval. Contact your local IT immediately. DO NOT attempt to correct the issue on your own by deleting files, or shutting down the machine. Otherwise, critical clues about how to get the data back may be lost.
13. How do I keep data safe when I'm using a 3rd party, or cloud, application?
Any 3rd party application that handles university data should go through a security assessment. To see whether your app has already been assessed, check the Cloud Assessment Registry. It will give you details on what data classification the app can safely handle.
If the application or cloud service you wish to use is not identified on the registry, please contact the Enterprise Security Risk Assessment Team.
For more questions about cybersecurity preparedness during the COVID-19 response, please email firstname.lastname@example.org.
For a security issue or incident, please report this to your local IT team or by sending an email to email@example.com.
If you work for the Wexner Medical Center, you should report security incidents by emailing ISSecurity@osumc.edu.