Campaign 2019

Don’t get hooked: secure your personal data!

Information Security and Privacy (ISP) is a subject that concerns everyone:

  • As a member of staff and as a student, you want your personal data that are processed by the VUB to be accessible only to those who are authorised.
  • As a researcher, you want your research data to be managed securely and VUB to meet the ISP standards set by data suppliers so that they are willing to provide the data you need for your research.
  • As a participant in a research project, you want your personal data, provided in the context of this project, to be treated securely and with respect.
  • As an organisation, the VUB wants its integrity and its operating resources to be sufficiently protected against improper use and theft.

The VUB uses a range of technologies and procedures to manage the ISP risks. However, the most important link in the VUB defence is the VUB staff. They can be the strongest or the weakest link. Let’s make them the strongest.

To make staff aware of their role in ISP, every year we conduct an ISP Awareness campaign. In 2018, the focus was on presenting ISP and its representatives, the Chief Information Security Officer (CISO) and the Data Protection Officer (DPO). For 2019, we are concentrating on a few basic principles which every staff member needs to be aware of:

  • Password hygiene
    • Never use the same password for several different websites/applications.
    • Difficulty remembering passwords? Use a password manager such as LastPass, 1Password or KeePass (if you do, you need to keep your main password ultrasecure).
    • Use Multi Factor Authentication where possible.
    • NEVER share your password with ANYONE.
  • Computer hygiene
    • Only use software that the supplier still supports, with the latest updates installed.
    • This goes for your operating systems too (note: Win7 will no longer be supported as of January 2020).
    • Make sure you have an active antivirus that automatically installs the latest virus updates.
    • Activate your hard drive encryption tool if you use a laptop (Win10: BitLocker / Mac: FileVault).
  • Privacy
    • The information in your databases (often) concerns people: what you do with their data can impact their lives.
    • Don’t simply share personal data with others: think about ‘who’ and ‘why’.
    • Delete data that are no longer needed.
  • Common sense
    • Whatever you do, use your common sense.

These are the basic principles that all staff members need to master and apply consistently. All it takes is one small error to infect a computer and put the entire VUB in danger.

The need for phishing test e-mails.

The VUB, like every other organisation, is attacked as regular as clockwork. In the majority of cases, the attacker tries to install a virus or steal data. Phishing attacks, where a scammer tries to obtain sensitive information (username, password, credit card number, etc.), are one of the biggest information security challenges. Phishing consistently features in the annual top 5 of attack techniques used.

N.B.: Companies do not usually request sensitive information by telephone or e-mail. So be on your guard if you get a phone call or an e-mail like this.

If you receive a suspicious e-mail, it’s best to report it to helpdesk@vub.be. You can do this by adding the suspicious e-mail as an attachment. Do not forward suspicious e-mails. If you do, technical information that the helpdesk may need will be lost.
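Why attaching matters, shown as an added example that is not part of the original campaign text: the script builds the same report twice, once as an attachment and once as an inline forward, and checks which headers of the original the helpdesk can still read. The sample message, all addresses and the simplified model of an inline forward are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample of a suspicious e-mail as it arrives in a mailbox.
SUSPICIOUS = (
    b"Return-Path: <bounce@mailer.example.net>\r\n"
    b"Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    b"\tby mail.example.org; Tue, 12 Nov 2019 09:14:03 +0100\r\n"
    b"Authentication-Results: mail.example.org; spf=fail\r\n"
    b"From: IT Helpdesk <helpdesk@example.com>\r\n"
    b"Reply-To: account-check@example.net\r\n"
    b"To: staff.member@example.org\r\n"
    b"Subject: Your mailbox is full\r\n"
    b"Message-ID: <constructed-0001@mx.example.net>\r\n"
    b"\r\n"
    b"Click here to keep your account active.\r\n"
)
# Headers an analyst uses to trace the real sender and delivery path.
EVIDENCE = ("Return-Path", "Received", "Authentication-Results",
            "Reply-To", "Message-ID")

def report(original: bytes, as_attachment: bool) -> bytes:
    """Build the report a user sends to the helpdesk, either way."""
    msg = message_from_bytes(original, policy=policy.default)
    out = EmailMessage()
    out["From"] = "staff.member@example.org"
    out["To"] = "helpdesk@example.org"  # constructed address
    out["Subject"] = "Suspicious e-mail: " + msg["Subject"]
    if as_attachment:
        out.set_content("Suspicious e-mail attached.")
        out.add_attachment(msg)  # message/rfc822 part, original headers intact
    else:
        # Simplified model of an inline forward (assumption): the client
        # copies a couple of display headers and the body text only.
        out.set_content(f"From: {msg['From']}\nSubject: {msg['Subject']}\n\n"
                        f"{msg.get_content()}")
    return out.as_bytes()

def recoverable_evidence(report_bytes: bytes) -> dict:
    """Helpdesk side: evidence headers of the original still readable."""
    rep = message_from_bytes(report_bytes, policy=policy.default)
    for part in rep.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()  # the embedded original message
            return {h: inner.get_all(h) for h in EVIDENCE if inner.get_all(h)}
    return {}  # inline forward: only the reporter's own headers remain
```
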

To make it easier for Office 365 users to report phishing, as of the second half of November a button is being added in Outlook (both desktop and mobile version) and the online webmail:

You select the e-mail in the overview and click on this button. The suspicious e-mail is then automatically sent to the helpdesk. The helpdesk staff will contact you if they need more information.

If you have entered your username and/or password after all, change your password immediately. If you have passed on bank details, contact your bank straight away and freeze your card via CardStop (https://cardstop.be/en/home.html).

Three test phishing e-mails were sent out in 2018.

  • E-mail 1: of the 2,632 recipients, 46% opened this e-mail and 27% clicked on the link. So potentially over 700 staff members could have introduced a virus at the VUB.
  • E-mail 2: of the 178 recipients, 36% opened this e-mail, 10% clicked on the link and 4% gave their user ID and password. The risk that these will be improperly used depends on the access rights of these staff members.
  • E-mail 3: of the 2,632 recipients, 38% opened this e-mail and 9% clicked on the link.

The difference between the first and the last test confirms studies on this subject: phishing tests have a positive effect and reduce the risk for the organisation. Sufficient reason to send out test phishing e-mails again in 2019. You have been warned!

Finally, we warmly recommend that you watch the short informative films under Awareness. Be sure to watch the brief demonstration film on voice phishing (phishing by telephone). You will find several examples of actual incidents and GDPR (fines) under News. The official ISP Standard (and principles), Sub-Standards, Guidelines and Hints & Tips can be found under Standards.

 

Wessel Damen
Data Protection Officer
dpo@vub.be

Jan Paredis
Chief Information Security Officer
ciso@vub.be