Risky Business

Tips and tricks for securing information

Cyber Security Awareness Month – Week Three

By Daniela Cooper, on 20 October 2021

Welcome to Week Three! Week three is about Cyber Security Career Awareness Week. It’s a nice short one this week and mainly contains links with lots of reading material. We have had another week with lots of entries for our quiz, enter again this week for another chance to win a £25 Amazon voucher.

Cyber Career Profiles

Career awareness is an important piece in solving the cyber workforce shortage. The links below will give you a good idea of the different areas of cyber security including routes to and through cyber security.

https://www.ukcybersecuritycouncil.org.uk/careers-learning/careers-route-map/

https://www.ukcybersecuritycouncil.org.uk/careers-learning/

https://cybersecuritychallenge.org.uk/resources/careers

https://www.cisa.gov/sites/default/files/publications/Cybersecurity%20Awareness%20Month%202021%20-%20Cyber%20Career%20Profiles.pdf

Cyber Security Workforce Training Guide

Whilst the Cyber Security Workforce Training Guide is aimed at US Government employees, it contains detailed explanations on the different jobs available within cyber security and the various pathways to get you there.

Cyber Career Pathways Tool:

https://niccs.cisa.gov/workforce-development/cyber-career-pathways

Quiz Question to win a £25 Amazon voucher

What is the name of the self-regulatory body for the UK’s cyber security profession?

Email isg@ucl.ac.uk with your answer. Please use the subject line: “Cyber Security Awareness Month Week Three Quiz”. Entries will only be accepted from UCL email addresses and Amazon vouchers will only be sent in the internal post to UCL buildings.

Keep an eye out for Week Four – Cyber Security First.

Cyber Security Awareness Month – Week Two

By Daniela Cooper, on 13 October 2021

Week Two already, this week is all about phishing and identity theft. I must say I was really overwhelmed with the number of entries we had for the quiz; we have another £25 Amazon voucher to give away this week so please enter!

Identity Theft and Internet Scams

Technology today allows us to connect around the world, to bank and shop online, and to control our televisions and homes from our smartphones. With this added convenience comes an increased risk of identity theft and Internet scams.

Some of the most common Internet scams include:

  • Covid-19 scams – these take the form of emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information. Be cautious when handling any email with a Covid-19 related subject line, and be wary of social media pleas, texts, or calls related to Covid-19.
  • Imposter scams – these occur when you receive an email or call from a person claiming to be someone from your bank, a government official, or some other person requesting personal or financial information.
  • Delivery scams – these are usually text messages but can also be emails, asking for you to pay extra charges before your parcel can be delivered.

Simple Tips, as mentioned last week:

  • Use multi-factor authentication to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in.
  • Use strong passwords and a password manager.
  • Stay up to date – keep your operating system and applications updated. Use anti-virus software, make sure it regularly updates itself and run regular scans.

Protecting yourself from online fraud:

  • Practice safe web surfing by checking for the padlock icon in your browser bar. The padlock only means that the connection to that site is encrypted; phishing sites can obtain certificates too, so check the domain name as well.
  • Avoid free Internet access with no encryption. If you do use an unsecured public access point, avoid sensitive activities that require passwords or credit cards. Your personal hotspot is often a safer alternative to free wi-fi.
  • Don’t reveal personally identifiable information such as your bank account details or date of birth to unknown sources.
  • Type website URLs directly into the address bar instead of clicking on links or cutting and pasting from the email.

Phishing

Phishing attacks use email or malicious websites to infect your machine with malware or to collect personal and financial information. Cyber criminals attempt to lure users into clicking on a link or opening an attachment that infects their computers, giving the criminals a foothold from which to attack. Phishing emails can appear to come from a real financial institution, e-commerce site, government agency, or any other service, business, or individual. The email may also request personal information such as account numbers and passwords. When users respond with the information or click on a link, attackers use it to access users’ accounts.

Spoofing attacks use email addresses, sender names, phone numbers, or website URLs that are disguised as a trusted source. Cyber criminals attempt to deceive users by changing one letter, symbol or number within the name. This tactic is used to convince users that they are interacting with a familiar source. Cyber criminals want you to believe these spoofed communications are real to lead you to download malicious software, send money, or disclose personal, financial, or other sensitive information.

Simple Tips:

  • Be wary – if you are unsure who an email is from – even if the details appear accurate – do not respond and do not click on any links or attachments found in that email. Be cautious of generic greetings such as “Hello Bank Customer”, as these are signs of phishing attempts. If you are concerned about the legitimacy of an email, call the company directly.
  • Think before you act – be wary of communications that implore you to act immediately. Many phishing emails attempt to create a sense of urgency, causing the recipient to fear their account or information is in jeopardy. If the email appears to be “phishy” contact the person or organisation directly to verify.
  • Protect your personal information – if people contacting you have key details from your life – your job title, multiple email addresses, full name, and more that you have published online somewhere – they can attempt a direct spear-phishing attack on you. Cyber criminals can also use social engineering with these details to try to manipulate you into skipping normal security protocols.
  • Be wary of hyperlinks – avoid clicking on hyperlinks in emails and hover over links to verify where they really go. Also ensure URLs begin with “https”; the “s” indicates the connection is encrypted, but it says nothing about who is at the other end, so check the domain name too.
  • Use multi-factor authentication (MFA).
  • Use strong passwords and a password manager.
  • Use and update anti-virus software.

Quiz Question to win a £25 Amazon voucher

What is the name for attacks that use email addresses, sender names, phone numbers, or website URLs that are disguised as a trusted source?

Email isg@ucl.ac.uk with your answer. Please use the subject line: “Cyber Security Awareness Month Week Two Quiz”. Entries will only be accepted from UCL email addresses and Amazon vouchers will only be sent in the internal post to UCL buildings.

Keep an eye out for Week Three – Explore. Experience. Share.

Cyber Security Awareness Month – Week One

By Daniela Cooper, on 6 October 2021

Another year, another Cyber Security Awareness month. There have been many changes this year with more to come. We have also seen the beginning of getting back to some form of normality. For some of us this means physically returning to work, at least for some of the time.

We will be offering Amazon vouchers again this year, they will be randomly allocated to UCL users that answer the question at the end of the blog post correctly (one £25 Amazon voucher per week).

Do Your Part. #BeCyberSmart

The topic for Week One is ‘Be Cyber Smart’. This includes how to better secure your digital lives and improve the security of your devices.

Cyber Secure at Work

Organisations face significant financial and reputational loss when a cyber-attack occurs. In 2020, a sharp increase was reported in cyber-attacks that target organisations using stolen logins and passwords. Cyber criminals often rely on human error – employees clicking on malicious links or failing to install software patches – to gain access to systems. From the top leadership to the newest employee, cyber security requires the vigilance of everyone to keep data, users, money and reputation secure.

  • Treat work information as personal information – a lot of work information should not be made public, treat it as you would personal information.
  • Stay up-to-date – keep your operating systems and applications updated to the latest version available. Use anti-virus software and run regular scans.
  • Social media is part of the fraud tool set – by searching Google and scanning your organisation’s social media sites, cyber criminals can gather information about your partners and vendors, as well as HR and Finance departments. Employees should avoid oversharing on social media.
  • It only takes one time – data breaches do not typically happen when a cyber criminal has hacked into an organisation’s infrastructure. Many data breaches can be traced back to a single security vulnerability, phishing attempt, or instance of accidental exposure. Be wary of unusual sources, do not click on unknown links, and delete suspicious messages after reporting them.

Multi-Factor Authentication (MFA)

Security breaches, stolen data and identity theft are becoming more prevalent. As such you should consider using multi-factor authentication (also called two-factor authentication). This technology may already be familiar to you, as many banks require both a password and one of the following to log in: a call, email, or text containing a code. Codes sent by text or email are a big improvement on a password alone, though an authenticator app or a hardware security key is harder for a phisher to intercept, so prefer those where a service offers them. By applying these principles of verification to more of your personal accounts, such as email, social media, and more, you can better secure your information and identity online, reducing the risk of online fraud and identity theft.

Online Privacy

The Internet touches almost all aspects of our daily lives. We are able to shop, bank, connect with family and friends, all online. These activities require you to provide personally identifiable information (PII) such as your name, date of birth, account numbers, passwords, and location information. Follow these tips when sharing personal information online to reduce the risk of becoming a cyber crime victim:

  • Double your login protection – enable multi-factor authentication (MFA).
  • Use strong passwords – use the longest password or passphrase permissible. Use password managers to remember different, complex passwords for each of your accounts.
  • Keep operating systems and applications up to date.
  • Play hard to get with strangers – cyber criminals use phishing tactics hoping to fool their victims. If you’re unsure who an email is from – even if the details appear accurate – or if the email looks “phishy”, do not respond and do not click on any links or attachments found in the email.
  • Never click and tell – limit what information you post on social media – from personal addresses to where you like to grab coffee. What many people don’t realise is that these seemingly random details are all that criminals need to know to target you, your loved ones, and your physical belongings – online and in the real world. Keep account numbers and passwords private, as well as specific information about yourself, such as your full name, address, birthday, and even holiday plans. Disable location services that allow anyone to see where you are – and where you aren’t – at any given time.
  • Keep tabs on your apps – your mobile device could be filled with suspicious apps running in the background or using default permissions you never realised you approved, gathering your personal information without your knowledge and putting your identity and privacy at risk. Check your app permissions and apply the “rule of least privilege”: delete what you don’t need or no longer use. Learn to just say “no” to permission requests that don’t make sense. Only download apps from trusted vendors and sources.

Protecting Your Digital Home

More of our home devices – including thermostats, door bells and coffee machines – are now connected to the internet. This enables us to control devices on our smartphones which can save us time while providing convenience and even safety. Whilst these advances in technology are truly amazing, they also pose a new set of security risks.

  • Secure your wi-fi network – your home’s wireless router is the primary entrance for cyber criminals to access all your connected devices. Secure wi-fi or digital devices by changing the default password and username.
  • Check your ISP or router manufacturer’s wireless security options – your ISP and router manufacturer may provide information or resources to assist in securing your wireless network.
  • Restrict access – only allow authorised users to access your network. Each piece of hardware connected to a network has a MAC address, and most routers let you filter on these. Bear in mind that MAC addresses are visible to anyone nearby and trivial to spoof, so filtering is a minor hurdle rather than real access control; a strong wi-fi password with WPA2 or WPA3 is what actually keeps strangers out. You can also utilise the “guest” network, which is a widely used feature on many wireless routers. This feature allows you to grant wireless access to guests on a separate network with a separate password, while maintaining the privacy of your primary credentials.

Creating Strong Passwords

Creating a strong password is a critical step to protecting yourself online. Using long, complex passwords is one of the easiest ways to defend yourself from cyber crime.

  • Use a long passphrase – consider using the longest password or passphrase permissible.
  • Don’t make passwords easy to guess – do not include personal information in your password such as your name or pets’ names. This information is easy to find on social media, making it easier for cyber criminals to hack your accounts.
  • Avoid using common words – a dictionary word with letters swapped for numbers or symbols (“P@ssw0rd”) is still a common word to a password-cracking tool, which tries those substitutions automatically.
  • Get creative – phonetic replacements such as “ph” instead of “f”, or deliberate misspellings such as “enjin” instead of “engine”, make a single word a little harder to guess, but several unrelated words in a long passphrase are far stronger than one cleverly mangled word.
  • Keep your passwords to yourself – don’t tell anyone your passwords and watch for attackers trying to trick you into revealing your passwords through emails or calls.
  • Unique account, unique password – having different passwords for various accounts helps prevent cyber criminals from gaining access to these accounts and protect you in the event of a breach.
  • Double your login protection – use multi-factor authentication (MFA).
  • Use a password manager to remember passwords – the most secure way to store all of your unique passwords is to use a password manager.
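To show why the tips above are more than folklore, here is an added example (not code from the original post) that checks a candidate password the way an attacker’s tooling would look at it: it undoes the common letter-for-symbol substitutions and trailing “123!” padding before comparing against known words, and it looks for personal details an attacker could find on social media. The leet map, the word list, and the 14-character minimum are this example’s own assumptions; a real check would compare against a list of millions of leaked passwords.

```python
import re

# Reverse map for the substitutions the tips describe. Cracking tools apply
# these (and far more) automatically, so "P@ssw0rd" is no safer than "password".
_LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i", "|": "l", "+": "t",
})

# Constructed stand-in for a breached-password list (assumption for the example).
COMMON_WORDS = {
    "password", "letmein", "welcome", "qwerty", "football", "dragon",
    "monkey", "engine", "sunshine", "princess", "admin",
}

MIN_LENGTH = 14  # assumption: a house minimum; the post says "as long as permissible"


def normalise(password: str) -> str:
    """Undo the usual tricks: trailing digits/symbols, case, leet, 'ph' for 'f'."""
    text = re.sub(r"[\d\W_]+$", "", password)   # drop the "123!" padding at the end
    text = text.lower().translate(_LEET)
    text = text.replace("ph", "f")
    return re.sub(r"[^a-z]", "", text)


def weak_reasons(password: str, personal_info: dict) -> list:
    """Return the tips from the post that this password breaks (empty list = none).

    personal_info maps a label to a value an attacker could find online,
    e.g. {"pet": "Fluffy", "birth_year": 1987}.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    lowered = password.lower()
    for label, value in personal_info.items():
        value = str(value).lower()
        if len(value) >= 3 and value in lowered:
            reasons.append(f"contains personal information ({label})")

    core = normalise(password)
    if core in COMMON_WORDS:
        reasons.append("a common word with letters swapped for symbols or digits")
    elif any(word in core for word in COMMON_WORDS if len(word) >= 6):
        reasons.append("built around a common word")

    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, info in [
        ("P@ssw0rd1!", {}),
        ("Fluffy1987xyz!", {"pet": "Fluffy", "birth_year": 1987}),
        ("green kettle orbit wander tuesday", {}),
    ]:
        print(f"{pw!r}: {weak_reasons(pw, info) or 'no obvious weakness'}")
```

Note that deliberate misspellings such as “enjin” are not reversed here; real cracking rule sets contain thousands of such variants, which is the reason the post’s advice to prefer a long passphrase of unrelated words holds.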

Social Media Security

Now more than ever, people spend increasing amounts of time on the Internet. With every social media account you sign up for, every picture you post, and status you update, you are sharing information about yourself with the world. Use these simple steps to safely navigate the social media world:

  • Remember there is no ‘Delete’ button on the Internet – share with care, because even if you delete a post or picture from your profile seconds after posting it, chances are someone still saw it.
  • Update your privacy settings – set the privacy and security settings to your comfort level for information sharing. Disable geotagging, which allows anyone to see where you are – and where you aren’t – at any given time.
  • Connect only with people you trust – while some social networks might seem safer for connecting because of the limited personal information shared through them, keep your connections to people you know and trust.

Quiz Question to win a £25 Amazon voucher

What is another word for multi-factor authentication?

Email isg@ucl.ac.uk with your answer. Please use the subject line: “Cyber Security Awareness Month Week One Quiz”. Entries will only be accepted from UCL email addresses and Amazon vouchers will only be sent in the internal post to UCL buildings.

Keep an eye out for Week Two – Fight the Phish!

Common Data Breaches Caused By Human Error

By Simukai Nehonde, on 24 September 2021

The mandatory Data Protection awareness training has proved to be effective over the past couple of years. UCL members are now more aware than ever, of the issues that data breaches can cause; but what are some of the most common causes of data breaches UCL members should look out for?

Data breaches are not only caused by someone acting maliciously. Verizon, one of the world’s largest IT solutions providers, found that more than 1 in 5 incidents resulted from a mistake made by a member of the organisation.

Within UCL the most common data breach incidents are caused by human error, usually involving personally identifiable information (PII) that has been sent to the wrong recipient via email or through the post, or an unauthorised individual being given access to information on IT systems.

In this blog piece I will discuss what UCL members should think about and do when sharing personal data via email.

It is everyone’s responsibility to adopt, maintain and follow information security and data protection best practices when processing information.

Avoiding Human Error When Sending Emails

 

When sharing personal information via emails, it is the responsibility of the sender to ensure the following:

  • Ask yourself what type of information are you sharing? – Any personal or sensitive data should be shared in a secure manner.
  • Who are the intended recipients? – Before sending the data, users are advised to exercise due diligence and double-check that the recipients’ email addresses are correct.
  • Are there multiple recipients? – When sending emails to multiple recipients, ask yourself whether the recipients are known to each other and whether their email addresses can be disclosed to the other recipients. If not, always use the “BCC” option in your email client, which hides the addresses, rather than the “CC” option. Recently the BBC reported that more than 250 people’s lives were put at risk after the MoD mistakenly disclosed email addresses containing the names of individuals who were Afghan interpreters. The data breach occurred when the 250 individuals were “CC’d” in an email sent to them, instead of “BCC’d”, meaning they could see each other’s personal information.
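For anyone sending such messages from a script rather than a mail client, the same mistake is easy to make in code. The added example below (not from the original post) builds a bulk message the safe way: the recipients live only on the SMTP envelope, the headers name only the sender, and no Bcc header is written at all, so there is nothing for a server to forget to strip. It also builds the “everyone in To:” version for contrast and includes a pre-send gate that refuses messages exposing other people’s addresses. The sender and recipient addresses are constructed for the example.

```python
import email.utils
from email.message import EmailMessage


def build_undisclosed_message(sender: str, recipients, subject: str, body: str):
    """One message for many people that reveals none of their addresses.

    Returns (message, envelope): the envelope list is what goes to the mail
    server as RCPT TO; the headers carry only the sender. There is no Bcc
    header to leak.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender              # conventional "undisclosed recipients" pattern
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = sorted({addr.strip().lower() for addr in recipients})
    return msg, envelope


def build_disclosed_message(sender: str, recipients, subject: str, body: str):
    """The mistake from the incidents above: every recipient in the To: header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def visible_addresses(msg) -> set:
    """Every address a recipient can read out of the delivered headers."""
    seen = set()
    for header in ("To", "Cc"):
        for _, addr in email.utils.getaddresses(msg.get_all(header, [])):
            if addr:
                seen.add(addr.lower())
    return seen


def ok_to_send(msg, sender: str, max_visible_others: int = 0) -> bool:
    """Pre-send gate: refuse if the headers expose more other people than allowed."""
    others = visible_addresses(msg) - {sender.lower()}
    return len(others) <= max_visible_others and "Bcc" not in msg


# Constructed sample data for the example (not real people).
SAMPLE_SENDER = "clinic@example.org"
SAMPLE_PATIENTS = ["alice@example.org", "Bob@example.org", "carol@example.org"]

if __name__ == "__main__":
    good, envelope = build_undisclosed_message(
        SAMPLE_SENDER, SAMPLE_PATIENTS, "Reminder", "Your appointment is next week.")
    bad, _ = build_disclosed_message(
        SAMPLE_SENDER, SAMPLE_PATIENTS, "Reminder", "Your appointment is next week.")
    print("safe message exposes:", visible_addresses(good), "ok:", ok_to_send(good, SAMPLE_SENDER))
    print("unsafe message exposes:", visible_addresses(bad), "ok:", ok_to_send(bad, SAMPLE_SENDER))
    # To actually deliver, pass the envelope explicitly rather than relying on headers:
    # smtplib.SMTP("mail.example.org").send_message(good, from_addr=SAMPLE_SENDER, to_addrs=envelope)
```

The design point is the separation between the SMTP envelope (who receives the message) and the headers (what recipients see); keeping the recipient list out of the headers entirely is safer than relying on a Bcc header being stripped downstream.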

Some facts

Human error accounted for 88% of incidents reported to the Information Commissioner’s Office (ICO) in year 2017/2018.

During the 1st Quarter of Year 2021/2022, the Information Commissioner’s Office (ICO) received a total of 405 data breach incident reports which were caused by emails being sent to the wrong recipients.

Human errors leading to data breaches can cause serious reputational damage and financial implications to organisations. In 2016 the BBC reported that an NHS trust was fined £180,000 after a Sexual Health Centre leaked the details of almost 800 patients who had attended the clinic. The disclosure was caused by a human error when a member of staff emailed the patients, entering their email addresses in the “To” field instead of the “BCC” meaning their addresses were visible to all the other recipients.

References:

Verizon Business. Data Breach Investigations Report. [online] Available at: https://www.verizon.com/business/en-gb/resources/reports/dbir/

BBC News (2021). Afghanistan: MoD shared more than 250 Afghan interpreters’ details on email. [online] Available at: https://www.bbc.co.uk/news/uk-58629592

Information Commissioner’s Office (2021). Data security incident trends: previous reports. [online] Available at: https://ico.org.uk/action-weve-taken/data-security-incident-trends/previous-reports/

Information Commissioner’s Office (2021). Data security incident trends, Q1 2021/22 (CSV). [online] Available at: https://ico.org.uk/media/action-weve-taken/csvs/2620168/data-security-incident-trends-q1-202122.csv

BBC News (2016). NHS trust fined for 56 Dean Street HIV status leak. [online] Available at: https://www.bbc.co.uk/news/technology-36247186

 

Recent Phishing Email

By Daniela Cooper, on 3 March 2021

Lately, we have noticed some slightly more unusual phishing emails that have come in. These emails have been designed to look like they were sent from Microsoft and claim to have an audio attachment. However, the attachment is a .htm file that likely contains something malicious.

A screenshot of one of these emails:

A quick recap of what to look out for when trying to identify if an email is phishing or not:

  • A sense of:
      ◦ Urgency – makes you feel like you have to do something quickly, so you don’t take the time to wonder if the email is suspicious.
      ◦ Fear – for example, if you don’t click on the link, your account will be deleted, or you will be fined.
      ◦ Promise of reward – lottery win notifications, or “I am the widow of a rich person” type of email.
      ◦ Guilt or sympathy – “I am dying of…” type of email.
  • ‘To’ and ‘From’ address – these can be trivially forged and show false information. Often the ‘To’ address isn’t even your email address; a legitimate email would be addressed to your actual email address.
  • Web link – check to see if the link is in the UCL domain (ucl.ac.uk): it could look like a legitimate UCL URL but check by hovering over it, as it could be going somewhere else entirely (a link to something like ucl.ac.uk.example.com is not UCL). If you are unsure about the URL, check with the sender.
  • Asking you to respond with your username and/or password – no legitimate email will ask you to do this.
  • Unexpected attachment – some phishing emails come with attachments that when opened will compromise your computer.
  • Headers and signatures – these can be forged; phishing emails often use them to appear more legitimate.

As always, if you need any help or support with a security related issue, please contact us: isg@ucl.ac.uk.

Coronavirus Related Scams

By Daniela Cooper, on 27 January 2021

I wanted to remind you all that coronavirus scams are rife at the moment, please be vigilant and remember to think before you click. If you are unsure if something is legitimate or not, please verify it with the organisation by using their contact details from their website (use Google to find the website, don’t click on a link to the website in a scam message). If you are unable to do that then please check with us – isg@ucl.ac.uk.

Examples of Coronavirus scams circulating at the moment

  • HMRC COVID-19 scam text messages
    This particular scam mentions a grant that does not exist, however, there have been 275 other HMRC scams discovered since March last year.
  • COVID-19 vaccine scams
    These scams can be via email or text message and are asking for personal and/or financial details. Coronavirus vaccines are free, if you are unsure if a message like this is legitimate or not, contact your local surgery.
  • Continued risk of ransomware
    There is a continued risk of ransomware, be careful not to click on links or open unexpected attachments. Back-up your data just in case!

Where to look for advice and information on scams

The National Cyber Security Centre provides weekly threat reports, and general information on how to protect yourself and your family:
https://www.ncsc.gov.uk

The NCSC has also created a good infographic on phishing:
https://www.ncsc.gov.uk/files/Phishing-attacks-dealing-suspicious-emails-infographic.pdf

Action Fraud is good for reporting scams, for news on the latest scams and tips on how to protect yourself:
https://www.actionfraud.police.uk

 

If you have any questions or need support on any security related issues, please do not hesitate to contact us – isg@ucl.ac.uk.

Check your Computer is Up-To-Date

By Daniela Cooper, on 15 May 2020

Now is a good time to check that your computer is up-to-date, even when using auto updates it is still a good idea to regularly check that these updates are being installed and everything is working as it should. Whether it is a UCL owned computer or your own personal computer, it is really important to make sure that it is up-to-date to minimise the risk of your computer being compromised.

Anti-Virus Software

If it has been a while since you installed your anti-virus software, check the UCL Software Database to see if there is a newer version. Your anti-virus is likely to still be working however the newer version will have newer features and may be able to detect more than the older version. VPNs that use posture checking will often only work with the latest versions of anti-virus even if the anti-virus is working and still receiving regular updates. Don’t forget to make sure that your anti-virus software is set up to regularly scan your computer.

Operating System Updates

It’s important that your operating system is receiving (and installing) updates as these will include security updates. It really is worth checking regularly that your operating system is up-to-date, your computer will have a dedicated update manager although how this is done will vary depending on which operating system you are using.

Application Updates

Like operating system updates it’s important to make sure that your installed applications and software are receiving (and installing) updates too. Out of date browsers are often the reason for some malware infections and compromises so make sure you update any browsers (and plugins) you have installed. Next up is your email client and any office like software you have installed. Lastly, absolutely any other application you have installed. If there are any applications that you have installed but you do not use, consider uninstalling them.

General Tips

Some general tips on keeping yourself and your computer safe:

Phishing

There are lots of scams around at the moment related to the Coronavirus so it’s important to be especially vigilant right now.

When reading your email, look out for the following:

  • A sense of:
      ◦ Urgency – makes you feel like you have to do something quickly, so you don’t take the time to wonder if the email is suspicious.
      ◦ Fear – for example, if you don’t click on the link, your account will be deleted, or you will be fined.
      ◦ Promise of reward – lottery win notifications, or “I am the widow of a rich person” type of email.
      ◦ Guilt or sympathy – “I am dying of…” type of email.
  • ‘To’ and ‘From’ address – these can be trivially forged and show false information. Often the ‘To’ address isn’t even your email address; a legitimate email would be addressed to your actual email address.
  • Web link – check to see if the link is in the UCL domain (ucl.ac.uk): it could look like a legitimate UCL URL but check by hovering over it, as it could be going somewhere else entirely (a link to something like ucl.ac.uk.example.com is not UCL). If you are unsure about the URL, check with the sender.
  • Asking you to respond with your username and/or password – no legitimate email will ask you to do this.
  • Unexpected attachment – some phishing emails come with attachments that when opened will compromise your computer.
  • Headers and signatures – these can be forged; phishing emails often use them to appear more legitimate.
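The “Web link” check in this list, and the identical one in the “Recent Phishing Email” post above, is exactly what a hover does by eye: compare where a link says it goes with where it really goes. The added example below (not code from the original posts) does that check programmatically over the HTML body of a message, using only the standard library. It treats ucl.ac.uk and its subdomains as the organisation’s own domain, which is this example’s assumption since the posts name only that domain; the sample email body is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for the example: the posts only name ucl.ac.uk as "the UCL domain".
TRUSTED_DOMAINS = ("ucl.ac.uk",)


def link_target_is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the link really goes to a trusted domain or a subdomain of one.

    Handles the usual tricks: credentials before an '@' ("https://ucl.ac.uk@evil.example"),
    a trusted name used as a prefix ("ucl.ac.uk.evil.example"), upper-case hosts,
    trailing dots and non-web schemes. A Unicode look-alike host (e.g. a Cyrillic
    letter in place of a Latin one) simply fails the exact comparison.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname            # lower-cased, with userinfo and port removed
    if not host:
        return False
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str, trusted=TRUSTED_DOMAINS):
    """Return (href, text, verdict) per link: 'trusted', 'external' or 'deceptive'.

    'deceptive' is the hover-check failure: the visible text mentions a trusted
    domain but the href goes somewhere else.
    """
    parser = _Anchors()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        if link_target_is_trusted(href, trusted):
            verdict = "trusted"
        elif any(d in text.lower() for d in trusted):
            verdict = "deceptive"
        else:
            verdict = "external"
        report.append((href, text, verdict))
    return report


# Constructed sample body in the style of the "audio message" lure (not a real email).
SAMPLE_EMAIL_HTML = """
<p>You have a new voice message. Listen now:
<a href="https://ucl.ac.uk@voicemail-portal.example/play">https://www.ucl.ac.uk/voicemail</a></p>
<p>Need help? See <a href="https://www.ucl.ac.uk/isd/help">the ISD help pages</a>.</p>
<p>Unsubscribe: <a href="http://ucl.ac.uk.mailsecure.example/opt-out">ucl.ac.uk</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{verdict:9s} {text!r:40s} -> {href}")
```

Running the block prints a verdict for each of the three sample links; in practice you would feed it the HTML part of a suspicious message. The suffix comparison is deliberately strict: a host has to be the trusted name or end in “.” followed by it, which is what defeats the prefix and userinfo tricks.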

Avoiding Malware

  • Keep your browser and plugins up-to-date (particularly Java and Flash)
  • Do not open attachments that you are not expecting
  • Ensure your anti-virus software is working and up-to-date
  • Ensure your firewall is turned on
  • Be careful browsing non-reputable websites

Back-Ups

In the event that something bad does happen, you would be really grateful for back-ups! If you can, use central ISD services as these are backed up for you.

Coronavirus Related Scams

By Daniela Cooper, on 30 March 2020

I was planning on writing a blog post about coronavirus related scams, however I have found that ActionFraud have written a good page on this. So rather than reinvent the wheel I will post a link to their advice below:
https://www.actionfraud.police.uk/campaign/covid-19-guidance-and-advice

UCL have also created a page on ‘Staying safe during the coronavirus crisis’:
https://www.ucl.ac.uk/news/2020/mar/staying-safe-during-coronavirus-crisis

If you receive any coronavirus scams (or other fraudulent scams) please let us know at isg@ucl.ac.uk.

Securing the Dataflow

By utnvrrv, on 18 February 2020

Secure data, where-ever

Data and Information

A key component of research is data, which when processed and interpreted becomes information. It is therefore very important that the data (information) is protected at all stages of its lifecycle.


The Basics

The most common model used to guide information security policies and practices in an organisation is the AIC (availability, integrity and confidentiality) triad, more often written CIA. In practice this means we use the triad to ask whether there is a risk to the data/information at each stage in the dataflow.
The next section covers a very simple dataflow that involves an exchange of information between entities, its processing, storage and subsequent transformation into a report.

The Case

A research study would like to interview patients (includes medical history and personal details) and prepare a research report. The interviews are conducted using encrypted voice recorders and the interviews are uploaded to the cloud for automated transcription. The converted text is then downloaded to the researcher’s machine and a research report is prepared. Sounds simple enough? Yes, but!

What could possibly go wrong?

There are several gaps where a breach could take place. Let’s identify some of them and see what controls (if any) can be implemented.
The encrypted voice recorders aren’t configured correctly, or the user has forgotten to turn the encryption function on. Maybe the user writes the password down and stores it along with the voice recording device. Oops! Not too bad, but what if the voice recording device is lost along with the password? Another point to watch out for: if the device uses an outmoded algorithm, the encryption can be easily subverted and the recording/s accessed.

Assuming all goes well so far. The researcher now has to upload the encrypted recording to a ‘safe’ area so that decryption is possible. If the decrypting area isn’t sanitised, isn’t up to spec or isn’t patched, a hacker could exploit a vulnerability and access the recording. Maybe the hacker changes the encryption keys, thereby denying access to the recording/s, and maybe asks for a ransom. Not going well so far? Read on!! There’s more. Anyway, let us assume that there are no problems this far; all the recordings are decrypted and transferred to the researcher’s laptop. As a precaution, the recordings are deleted from the decrypting server/s. Good practice, yes!! But is it?


And then?

The researcher now has the decrypted recording/s to be uploaded for automated transcription, but, hold on a minute, where’s the laptop that holds the recordings? I thought it was here a moment ago; I just put it aside for a moment to pay for a beverage. Sounds familiar? Not to worry, the laptop’s password protected, not to mention that I’ve saved the password in my notebook which is safe and sound in the laptop carry bag. Oh no! This isn’t going well. Not to worry, the laptop has full disk encryption; the recordings are safe from prying eyes, but they are lost to us, along with the transcriptions. This is now a loss of Availability (refer to the AIC triad). All the research data is lost, not to mention the loss of reputation and funding. Keeping source data separate and ensuring that there are secure backups of all versions is a good control to have in this case.


Oh No!!

The researcher can now upload the recording to the cloud application for automated transcription and subsequent download of the text. Hold on a minute, did I just say CLOUD? Where am I uploading the data to? Who controls the application in the “Cloud”? Does UCL have a formal agreement with the application provider? What will the application provider do with my data? Yes, but they’re certified ISO_something. They say so on their site. Yes, that’s good, but is UCL covered in case the data is misused or their site is hacked? Read the T&Cs carefully. Ask Legal Services for advice and see if they can suggest suitable statements to protect UCL. Check with ISG to see what other controls can be implemented.


What next?

There are further nuances to this story but we will leave that for another post. In the meantime if you feel that there are other controls that can be implemented to protect the information, please email ISG [isg (at) ucl {dot} ac {dot} uk] and mention this post [Securing the Dataflow] and let us know if there are other issues that the researcher did not consider and a control that could’ve been thought about. Here’s your chance to win an Amazon voucher. This is open only to the academic research community at UCL. Quick!! Offer open to the first two entries only, I’m afraid! Good Luck!

How {not} to lose data in the face of GDPR

By utnvrrv, on 25 November 2019

GDPR has now been around for 18 months and is going to stay with us for a while.
The objective of this post is to emphasise how we can protect the data entrusted to us while managing technological change.

Data retention – Let’s delete everything and start afresh!
This means that all information is lost and there aren’t any records to back up any decisions that have been made about the research, not to mention that we’ve lost all the patient data that the project relies on. Let’s start again!
Top Tip: Categorise your data holdings. See the UCL Record Retention Schedule for further information.

Let’s just keep everything and not worry – Storage is cheap?
This could fall foul of established data retention policies. If there isn’t one for your specific area of work (record set), it would be a good idea to establish a data retention policy. The more data that is stored, the larger any breach will be, and this may include data that is no longer required.
Top Tip: Review your data holdings now.

Data Security – Let’s encrypt everything!
What would happen if the key (password/passphrase) was lost, misplaced or forgotten? Maybe a colleague left and forgot to share the password. In this case access to the data would be lost permanently. If the data was encrypted correctly (a long passphrase, with the key stored securely) and the passphrase is unavailable, it would be difficult to break the encryption. Encrypting everything without a plan is definitely not a good idea if funding depends on the information that we hold about subjects.
Top Tip: Use password management software to store and share passwords securely.

Running a legacy Operating System
This isn’t much of a problem unless the machine exchanges information by being connected to the network or the internet, or by having external USB drives plugged in. A legacy platform, also called a legacy operating system, is an operating system (OS) no longer in widespread use, or that has been supplanted by an updated version of earlier technology. These older operating systems or applications may have security vulnerabilities due to security patches not being available or applied. This puts information at risk from a malware infection, as the malware could encrypt the data or even mangle it in a way that it is no longer usable. Even with backups (possibly also infected), the risk of losing critical research data is quite high. Article 32(1)(b) of the GDPR states that the (C)onfidentiality, (I)ntegrity and (A)vailability of the data should be assured. Please see the information from the Information Commissioner’s Office in the References Section below.
Top Tip: Conduct a risk assessment.

Running a self-managed machine
If you have administrator rights on your machine and the machine isn’t patched frequently with the latest patches, there is a very high risk that some malware could infect your machine and encrypt all the data. If the machine is connected to the network, the malware could spread, thereby making everyone’s data unavailable. This is also covered by the ICO’s guidance and Article 32(1)(b) of the GDPR.
Top Tip: You are responsible for patching your machine; keep it updated.

Useful links:
UCL Policies – https://www.ucl.ac.uk/information-security/
Guidance from the Information Commissioner’s Office – https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

If you think that I’ve missed something or if there is an area that you would like to hear more about, then contact ISG: https://www.ucl.ac.uk/isvices/stay-secure