Looking after your Passwords

I’ve already written recently about passwords, but the headlines this morning about the cyber attack on TalkTalk’s web site are a timely reminder again to all of us about the need to think carefully about how we use passwords online. It may be a while before they find out exactly how the attack happened, and what information the hackers may have got their hands on, but I thought that the Chief Executive, Dido Harding, provided this morning very sound advice to their customers in the circumstances.

One piece of advice related to passwords. Most of us now use so many online services that it is just not practical to have an individual password for each one – nobody is going to remember that, and you’d end up writing them down. Probably not very smart. However, the other extreme – using the same password for everything – isn’t particularly smart either, especially if you also use the same username (which might, for example, be an email address).

If you use the same password across many web sites, then if any one of these is successfully hacked it is possible that hackers will be able to find your password. Once they’ve done that, it’s an easy task for them to try out your password on other sites – your email for example. If they manage to gain control of your e-mail account they can start to impersonate you and cause all sorts of mayhem in your life. It can be very hard to get control of your email account back in these circumstances – most of the major email providers allow you to provide a backup email address and mobile phone number for these situations, so make sure you have these registered.

This can also present a security risk to University systems. If you use the same password to access your University IT Account and lots of other personal accounts, then you could be putting your University account at risk. If one of your personal accounts was hacked, and the hacker knew (or just guessed) that you worked at RGU, they could gain access to your RGU details. Might be a long shot, but I know an organisation where something very similar to this happened.

It may not be practical to have different passwords for absolutely everything, but think carefully about what is really precious to you and use a range of passwords. I would recommend, unless you’re not bothered about losing money, that the passwords you use for any online banking or investments are unique for each account and not used anywhere else. I would also recommend that you at least use a unique password for work, and a unique password for your personal email account and things like Facebook if you use them regularly. Money, work, and your core means of identity and communication – these things are important.

Beyond that it’s up to you – there will be many accounts where you are happy to reuse a password where the risks are lower. Have an Interflora account? Well, maybe a hacker will send a bunch of flowers to their granny – that’s not quite as bad as losing your life savings. Of course, even in these cases, if you think one of them has been breached it is important to change the password you use but at least the stakes are lower while you go about this.

It’s a good idea to keep a list of all your online accounts somewhere to jog your memory. If you really had to change all your passwords, can you really remember everything you’ve signed up to? And if you are finished using any online service – delete your account. It’s one thing less to worry about.

I’ve called my dog @ff43z*;

If you search on the internet “someone figured out my password”, and look for “images” – you should see a few examples of a poster with a picture of a forlorn looking dog and the caption “Someone figured out my password, now I have to rename my dog!”. Cats don’t find this funny either.

Trying to get people to take IT Security seriously is like pushing water uphill sometimes… until something happens. I stopped by the reception desk in one of our buildings this week and whilst I was there, somebody came along and handed over an iPhone that had been left on a chair. The receptionist said that this was a regular occurrence – I hope at least it had a PIN on it. Then, she produced a biscuit tin full of USB sticks that have been found lying about. How many of these contain the only copy in the world of somebody’s dissertation, or worse some confidential information?

USB sticks in a biscuit tin - is yours there?

Recently, the worst passwords of 2014 have been announced. The good news is that the word “password” has at last been knocked off its perch as the most common password. The bad news is that it has been replaced by “123456”.
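The usual defence against exactly these choices is a blocklist check at the point where a password is set. As an added example (not the author’s or the University’s code), the Python below rejects a candidate password when it, or a trivial dressed-up variant of it, appears on a list of common passwords; the list here is a small constructed sample in the spirit of the published annual lists, not the actual 2014 list.

```python
import re

# Constructed sample of very common passwords (illustrative only; the published
# annual lists are far longer). All entries are lowercase; input is lowercased
# before comparison.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "1234", "letmein", "welcome", "abc123", "iloveyou", "monkey",
})

# Simple "leet" substitutions people use to dress up a common word
# ("P@ssw0rd" is still "password" to anyone with a word list).
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "!": "i", "3": "e", "1": "l"})


def candidates(password: str) -> set[str]:
    """Return the variants of `password` that are compared against the list."""
    base = password.strip().lower()
    forms = {base, base.translate(LEET)}
    # Drop a trailing run of digits/punctuation so that "password2014!"
    # still matches "password".
    for form in list(forms):
        forms.add(re.sub(r"[^a-z]+$", "", form))
    forms.discard("")
    return forms


def is_common(password: str) -> bool:
    """True if the password, or a trivial variant of it, is on the blocklist."""
    return any(c in COMMON_PASSWORDS for c in candidates(password))


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return the reasons a password should be rejected (empty list = accepted).

    The 12-character minimum is an assumed policy value for this example.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"too short ({len(password)} < {min_length} characters)")
    if is_common(password):
        reasons.append("matches a common password (or a trivial variant of one)")
    return reasons


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd", "password2014!", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw) or "accepted")
```

In a real deployment the list would be the full published list (or a breached-password corpus) loaded from a file, and the check would run server-side when an account is created or a password changed, so that “123456” never gets a chance to become the most common password on your system.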

Poor password control puts University systems at risk. Consider this – you have some kind of personal online account with a username and a poor password. You’re human, and remembering all these passwords is such a hassle – so you just use the same one at work – for your e-mail, the University finance system, whatever. Your personal account gets hacked and somebody knows your password. (Easily done – you may have received one of these urgent emails which look as if they come from the IT Help Desk and ask you to “click here” to confirm your account or something like that. You’ll be amazed at how many people click the link, but not you of course.)

They make a guess that you might, just might, use the same password at work – bingo, they’re into the University finance system. Far-fetched? Well, something very similar to that scenario happened in one organisation that lost a 6-figure sum of money as a result.

Now that I’ve kept your interest to this point, I’ve just revised the University’s policy on use of IT Facilities. Please read it – it’s there to help everyone use our facilities safely and fairly. There’s a very short introduction to the key points; it’s not rocket science and it won’t take you more than a few minutes.

OOPS! – Working from Home

There is a cracking article in a recent edition of “The Economist”, which is available online and in which Yahoo’s new Chief Executive, Marissa Mayer, appears to be driving Yahoo employees to come in to the office unless they have a very good reason to work from home. The memo from the Human Resources Manager is addressed to “Yahoos”. If you are cringing already, read the article!

This is contrary to the direction that most enlightened organisations are travelling in – the ability to work from home or anywhere else off Campus for that matter is increasingly one aspect of a more flexible approach to working life. Of course, there are occasions where face to face contact and participation cannot be easily replaced, but equally there are many activities which can be easily carried out anywhere. An important aspect of our IT Strategy is to ensure that access to our core IT services can be provided easily to any location, on any device, whilst maintaining security of information and access. A key part of that is the MyApps service, which I have mentioned before and which gives you access to your University IT resources from anywhere – at work, at home, on the move, on a PC, on an iPad – even on your phone if you can cope with the small screen size.

The great thing about MyApps is that information and data never leaves the University servers. This is important if you are working from home and relieves you of many responsibilities. Did you know that if you use your personal e-mail account for work then these e-mails are covered by the Freedom of Information Act? Likewise, did you know that if you store University documents on your home computer, or take paper documents home, you could be personally liable for any breaches under the Data Protection Act? There are a few things to think about if you are working from home – have a look at the page on the Staff Portal if you want a very comprehensive guide:

We’ve also published an interactive guide to data security for mobile devices under the banner of “OOPS” – “Out Of Protected Spaces” – and if you are a member of staff you will already have received that guide in hard copy as well as interactively. We’ve had really good feedback from that – with many people making positive suggestions and asking very relevant questions about particular situations, and also requests for additional copies. We did have one person who returned the printed cards with an anonymous note saying “waste of money”. That’s a real disappointment and completely out of step with all the other feedback we have received. Given the amount of press coverage of authorities being fined 6-figure sums of money for data protection breaches, and given the fact that this whole issue is important enough to grab the attention of the University’s Audit Committee, I hope that person has a change of heart on further reflection.

Here is the “OOPS” guide:

Files on Fire

Last week we had our annual Health and Safety internal conference at RGU. We heard first hand from another University which had experienced a major fire, and was willing to share with us their lessons learned. We’d had a similar talk two years ago from another University which had experienced a major fire. You would think these were rare occurrences, but it was suggested that we should search on the Internet for “University fire explosion” – try it yourself and see what comes up.

It’s a great feature of the HE sector that we have such open sharing of experience and lessons learned. Following each of these major fires, the institutions quickly discovered that many staff were still storing the only copy of some electronic files and documents locally, on their laptops or desktops. They weren’t backed up. In some cases, there were also some local servers with important departmental data on them. They weren’t backed up either.

For each presentation, we were shown images of burnt and/or soaking wet IT equipment being dried out in large dehumidifier arrangements before some IT recovery firm then set about recovering the precious data. In many cases this was important research data. Amazingly, the recovery was able to retrieve a lot of this data, but it took some weeks and the data was inaccessible during that time. For equipment unfortunate enough to be near the seat of a large fire – forget it.

None of this is anything new. You shouldn’t have to have experienced a car crash to know the importance of wearing a seatbelt. So, we shouldn’t have to experience a fire to know the importance of making sure our important electronic information is securely stored and backed up. If you place it on one of the University Shared Network Drives, or any of the main University systems such as Moodle – it’s all safe and secure.

If, however, you have the only copy of something important stored on your desktop computer, and no backup anywhere else, then as you close the door tonight to go home just imagine that’s the last time you see your office in one piece.

How does that feel?

Cyber Security

The whole subject of cyber security is growing in prominence across the UK – indeed across the world. It is recognised as a significant challenge to organisations and national economies, and with the key role that Universities play in research and education they are as vulnerable as any other sector. Universities own areas of intellectual property of immense value and theft of that intellectual property would be an issue not just for the Universities concerned, but for the wider economy as well.

The UK Government’s National Security Strategy lists “hostile attacks upon UK Cyber Space” as amongst the top 4 priority risk areas next to terrorism, war and major accidents/natural hazards.

In November 2011, the Cabinet Office published a “UK Cyber Security Strategy”.

This strategy sets out how the UK Government will tackle the threats, but also in a way that ensures that “… cyberspace remains an open space – open to innovation and the free flow of ideas, information and expression.”

That’s important for Universities. We are very open communities, with large student populations, members of the public, and staff involved in a wide range of activities. Our IT infrastructure needs to be open enough to permit all of that, but secure enough to protect important information resources, personal and confidential information.

Like many organisations, we will be keeping our security measures under constant review, particularly in the light of growing cyber security threats. We want to make it easy for staff and students to access our systems but there will always be the need for some security and it is important that all of our users respect this and follow guidelines and instructions where they are provided. You may feel that you are not involved in anything that is secret or confidential. If you are connected to our network, however, you are just as likely to be a target and if you don’t follow security guidelines your equipment could provide an easy entry point for an attacker.