Employee guidelines when using a personal computer to conduct university business
East Carolina University considers cyber threats to the confidentiality, integrity and availability of systems and data to be a top risk management concern.
The university recognizes that employee use of personally-owned computers and devices to conduct official university business is a particular concern. This IT knowledge base article should help safeguard university systems and data by providing appropriate and necessary guidance to faculty and staff using a personal computer or other device for work.
Antivirus and malware protection
At the top of the security essentials list is antivirus and malware protection.
In the past, ECU offered Symantec antivirus as a free download to students, staff and faculty. However, that license expired in September 2020 and is no longer eligible for software or virus definition updates. If your personal computer is still running this old version of Symantec, it should be uninstalled immediately as your device is now vulnerable to hackers.
All Windows 10 computers have a built-in antivirus program called Windows Defender. If there are no other antivirus apps installed, Windows Defender automatically starts protecting your computer and also provides other security safeguards including firewall protection. To check that your system is protected, see the related article, Check Windows Defender.
Mac computers have built-in antivirus and malware functionality through XProtect.
Email Security
If your ECU email is set up on your personal computer, please be cognizant of essential security best practices.
The majority of data breaches have their origin with phishing attacks delivered through email. To learn more about phishing email and how to avoid phishing, spear phishing and ransomware, see the Phishing Email related article that summarizes various employee email security responsibilities including how to prevent phishing mishaps, how to react when you do receive something suspicious, and how to report phishing scams and spam in order to help protect other ECU colleagues.
It can sometimes be difficult to determine if an email link is legitimate or a trick luring us to malware infection, data loss or identity theft. To help make the correct call on links we receive through email, ITCS has enabled Safe Links for email. The related article, Safe Links Service and Email, describes this security feature and explains how Safe Links work to help us better determine if an email may be legitimate or potentially malicious.
Another useful security protection available to you in managing your university email are spam filters available through Microsoft Exchange Online Protection. The related article, Spam Email Management, provides instructions on managing spam through the Junk folder and utilizing email filtering rules to block (or allow) emails from particular senders.
Encrypt Sensitive Information!
Any emails containing sensitive information sent to recipients outside the ECU network are required to be encrypted. Encryption disguises a message’s text and prevents a hacker from intercepting and reading a message during transit. See the related article, Email Encryption, and learn how to encrypt an email as well as read an encrypted email.
While we, as individual employees, are responsible for our email account and making appropriate decisions about when to encrypt an email, ECU has enabled the Data Loss Prevention program to scan outgoing email for certain “markers” and then takes appropriate action. For example, DLP may flag numbers formatted like a social security number. Unencrypted messages sent outside the ECU network that trigger high sensitivity markers are automatically encrypted and delivered, and senders are reminded of the encryption policy through an email. See the Data Loss Prevention related article to learn more.
Safeguarding your computer account and university systems and data
As defined in the University Student and Employee Computer Use Regulation (East Carolina University, 2016), we are all required to take reasonable precautions to safeguard our ECU computer account and treat computing resources and electronic information as a valuable university resource. Our efforts with such safeguarding may require even more due diligence and thoughtfulness when using a personally-owned computer to conduct university business. Such computers may be used in a home or other environment in close proximity to others, and the computers may be shared by other family members.
Please use good judgment, lock your screen when away from your computer and be sure to log out of applications and data storage when finished working.
Mobile computing security
The ECU Mobile Computing Regulation (East Carolina University, 2019) defines employee responsibilities pertaining to the use of mobile devices, including authorization to access or store sensitive information on mobile devices, device security, device replacement and disposal, and loss or theft of a covered device. Personally-owned devices are also included as a "covered device," and states that employees will ensure all sensitive university information stored on covered devices is encrypted, and that covered devices must be secured in accordance with ECU policies and standards.
For personally-owned devices, the regulation reminds administrative heads and supervisors of their responsibilities to provide guidance to employees concerning the use of mobile devices in conducting university business.
Keeping your computer software up-to-date
New software vulnerabilities are continually emerging, whether associated with your computer's operating system or the applications you use.
The Cybersecurity & Infrastructure Security Agency (2019) emphasizes that the best defense against attackers exploiting vulnerabilities is simple: keep your software up to date!
Regularly running software updates, including patches that address security vulnerabilities, is critical for protecting your computer, devices and data. Enabling Automatic Updates is a best practice whenever possible and this is easily configurable whether you’re using a Windows PC or a Mac (Apple, 2020; Microsoft, 2020).
On the flip side of what is recommended, and perhaps one of the worst things you can do, is using obsolete, end-of-life software no longer supported by the vendor.
Be sure not to forget the importance of keeping your web browsers and mobile device updated as well. Web browsers are particularly vulnerable, and the sites you visit could potentially exploit flaws in them (National Cyber Security Centre. 2020). Many users typically run a large number of apps on their mobile devices, and to prevent known vulnerabilities from being exploited, it’s important that you ensure your mobile device’s operating system and software are kept up-to-date.
Information security while teleworking
A separate but related Knowledge Base Article covers guidance on important topics related to security best practices while teleworking. Please refer to the article Information Security While Teleworking for tips on such matters as connecting to the ECU VPN, approved data storage, and the security of your home network.
References
Apple. (2020, July 31). How to update the software on your Mac. Apple Support. https://support.apple.com/en-us/HT201541
Cybersecurity & Infrastructure Security Agency. (2019, November 19). Understanding patches and software updates. National Cyber Awareness System. https://www.cisa.gov/news-events/news/understanding-patches-and-software-updates
East Carolina University. (2019, November 18). Mobile computing regulation. University Policy Manual. https://www.ecu.edu/prr/08/05/12
East Carolina University. (2016, December 16). University student and employee computer use regulation. University Policy Manual. https://www.ecu.edu/prr/08/05/04
ITCS. (July 23, 2020). Check Windows Defender. Knowledge Base. https://ecu.teamdynamix.com/TDClient/1409/Portal/KB/ArticleDet?ID=67563
ITCS. (2020, July 6). Data loss prevention for email. Knowledge Base. https://ecu.teamdynamix.com/TDClient/1409/Portal/KB/ArticleDet?ID=67359
ITCS. (2020, April 22). Email encryption. Knowledge Base. https://ecu.teamdynamix.com/TDClient/1409/Portal/KB/ArticleDet?ID=67353
ITCS. (October 22, 2019). Phishing email. Knowledge Base. https://ecu.teamdynamix.com/TDClient/1409/Portal/KB/ArticleDet?ID=67368
ITCS (2020, November 20). Safe links service and email security. Knowledge Base. https://ecu.teamdynamix.com/TDClient/1409/Portal/KB/ArticleDet?ID=67587