Tips for working safely from home
As many employees are working from home as a result of the coronavirus, we cannot offer our regular high-level network protection. On this page you can read what you must do, and what you can do yourself, to work safely.
Dangerous Emotet virus is spread via e-mail
Last week we had a lot of problems with the dangerous Emotet virus. Users receive a mail that seems to originate from their own organization. This mail contains a Word or ZIP file as an attachment. When users open this file, they are asked whether the macro should be executed. If you choose 'allow', your PC will be hacked. Did you click on 'allow'? Then immediately stop working on your laptop, change your password and call the CERT team to determine the next steps.
As a protective measure, we have therefore immediately disabled the execution of macros from Word. To apply this setting to all managed laptops, it is necessary to set up a VPN connection from home. Please be alert when opening Word and ZIP files, and do not allow macros to be executed in any case.
Attention! Turn on your VPN connection at home
Because we are working from home, we do not have access to the campus network. As a result, the university cannot provide the security normally provided on campus, such as running automatic updates. We solve this with a VPN connection, which establishes a connection between your computer and the university's network. Unfortunately, we cannot automatically enable this VPN connection for you. You need to connect to VPN from home every time you log in.
The instruction explains how to install the VPN client. You will then need to reconnect to VPN each time you log in (see steps 7 and 8 of the tutorial).
Additional benefit: you will again get access to the O:/ drive and the Software Center, from which you can install applications yourself.
Be on the alert for phishing mails
Always be on the alert when you receive e-mails. Companies never ask for personal or account details via e-mail. The same goes for the University’s ICT and HR offices. A phishing e-mail is a fake e-mail that is forged so cleverly that it is hard to distinguish from an authentic e-mail. Hackers “fish” for your details in this way, or they spread viruses that give them access to your details.
- Never open attachments, or click on links in e-mails from people you don’t know.
- Check whether the site is genuine by typing the URL directly into the address field of your browser.
- Always check the sender’s e-mail address by hovering the cursor over the sender’s name. If it is a phishing e-mail, the sender’s address is often unfamiliar or vaguely like that of an authentic organization or company.
- A phishing e-mail often contains spelling mistakes or grammatical errors.
- The e-mail always asks you to share private data, usually as a matter of urgency.
If you have fallen for a phishing e-mail or have any doubts, please contact the CERT team straightaway. Has the hacker managed to lay their hands on private data? Report the hack to the Data Protection Officer (DPO) at data email@example.com. The DPO will then decide whether the hack is a data breach that must be reported to the Netherlands Data Protection Authority.
Beware of strange requests from a 'friend' (social engineering)
Sometimes hackers try to pretend to be someone you know (e.g. a colleague), asking the addressee to share certain information. This is a form of social engineering. A typical example is a request to make rush payments or buy gift vouchers for someone who can't do it himself.
If in doubt, always contact the person in question (preferably by telephone) to check whether the request is from that person. And if you are asked for (confidential) information, always consider whether you are allowed/will be able to give that information. In case of doubt: don't!
Tips for working safely
Work in a secure environment
Preferably work at home with a Tilburg University laptop or PC. These are equipped with various security measures, such as an encrypted hard disk, an antivirus program and a configured firewall.
Do you not have a Tilburg University laptop or PC, and do you work with your own equipment via Remote Desktop? Then you have to take extra safety measures yourself, such as:
- Make sure you protect your own equipment with a virus scanner and that the virus scanner automatically updates itself.
- Make sure that all programs are completely up to date.
The latest version of the software is there not only to improve ease of use, but also to fix security vulnerabilities. Make sure that your device and applications are equipped with the latest updates. If possible, activate automatic updating.
Take a good look at what is being asked and do not click carelessly on "next", "next", "next" until it says "finish". Check at every step what you are agreeing to.
Share your information securely
- Be careful with (personal) data from the university. You should not just store them at home or on your private laptop or PC.
- Consider your work and proceed cautiously.
Your daily work routine is different and you work with distractions that you are not used to in the office. An accidental reply-all to a mail is a mistake that is quickly made. To be on the safe side, you can delay the sending time in your mail program, so that you can still withdraw a mail sent in error.
- Share your files securely.
Always use your Tilburg University mail account to send work-related communication. Private accounts on, for example, Google Drive and OneDrive are not allowed.
- Mail? Use SURFfilesender if you want to send an email with confidential files. Click here for information about SURFfilesender.
- Do you want to store, synchronize and share files easily and securely with third parties? Then use OneDrive, Teams or SURFdrive.
- Be careful when using (video) chat services.
Handle information that you are discussing differently than usual in group apps and video chats. Preferably share confidential information by telephone instead of via a (video) chat service.
For example, do you use a chat app like Signal or WhatsApp? And have you shared confidential or sensitive information? In any case, delete the chat history after every conversation, so that it is gone from your own equipment (it is not erased on the server).
And remember to check that the app you are using sends your messages encrypted. Secure your internet connection with a strong password.
Store your information securely
Always save your work in a place where colleagues can also access it. It is important that your work is transferable. Think of the situation when you are on holiday and a colleague has to take over your work or when you are absent for a long time, for example in case of illness.
If there is data on a USB stick that you need, make sure that this data is taken from the USB stick and stored in a safe place. A USB stick can easily be lost or even stolen. If it is necessary to transfer files to a USB stick, use a USB stick encrypted with BitLocker.
Create strong passwords and change them regularly
Do not share passwords via e-mail or shared documents and do not leave any notes with passwords lying around. Keep your passwords in an encrypted document and do not share it with others.
Tips for making strong passwords
- Think of a one-liner, song lyrics, or another line that you can remember easily and use the first letters of each word to set your password. Also use capital letters and punctuation marks.
- Use a unique password for every single one of your accounts. Cyber criminals often try to log on to as many different online services as possible using a single stolen password. And even the website you use to set your password can be hacked. Single-account passwords prevent hackers from accessing all or several of your accounts if they can only get their hands on one of your passwords.
- Whenever possible, use two-step authentication: in addition to your password, a second step is required for identification, for example, a text message (SMS) or a code generated by a smartphone app such as Google Authenticator.
Only connect to a reliable Wi-Fi network
Eduroam gives you simple and safe access to Tilburg University’s wired and wireless networks, also at other institutions that offer eduroam.
If you use a public and non-secure Wi-Fi network (for example, on the train, at the airport, or in a restaurant), others can potentially see what you are doing on the internet and what data you are sending. Therefore, do not send sensitive data (e-mail, online banking information) over networks that you are not familiar with or do not trust. If necessary, use a VPN connection (also on your smartphone). A VPN encrypts all your internet traffic. As a result, it is much more difficult for criminals and others to track and manipulate your online activities.
Do not use Internet Explorer
Microsoft has identified a critical vulnerability in Internet Explorer. Microsoft is working hard to remedy the situation but, until a solution has been found, LIS advises everyone not to use Internet Explorer. It is OK to use other browsers, such as Microsoft Edge or Google Chrome. More information is available here.
Frequently Asked Questions
What security measures can I take?
- Work with your own account, which has a password, and do not share it with other users of your laptop or PC, such as your children. Other users may only use the guest account.
- Preferably work with a fixed cable. Your connection is much more stable with a fixed Ethernet cable between your modem and PC than with Wi-Fi. And for malicious people, internet traffic via Wi-Fi is much easier to intercept.
- Do not add your university laptop or PC to your home network. This prevents any viruses or malware from spreading from your private equipment to your university equipment.
- Check whether your network connection is sufficiently secured. If necessary, switch to a VPN (virtual private network) connection.
You use a VPN connection to access services and servers over the internet that are not freely accessible via the public internet. For example, for off-campus consultation of special databases of the library. Tilburg University offers a VPN server. Click here for the VPN user manual.
- Encrypt your data.
Storage disk / device
You encrypt your entire storage disk / device with BitLocker. Click here for more information about BitLocker.
Do you have a Tilburg University device that is equipped with Windows 10? In that case BitLocker is already enabled by default.
Do you have a PC at home that is equipped with Windows Home? Then BitLocker unfortunately does not work.
Files with sensitive data
In addition to encrypting your storage disk / device, it is recommended to encrypt files with sensitive data separately. You do this with 7-Zip. Click here for the 7-Zip manual.
- If you download files from the university on your own device, they will be copied locally. This means that university data is also stored on your own device.
- Make sure you put the copied files in one directory structure. Don't put your files in different places, so that you don't lose files.
- Discuss with your colleagues who takes and edits which files. Preferably do not allow files to be taken by more than one person. Otherwise, uploading the files back will become very difficult.
Which apps can I download?
Do not download just any app, but be aware what you download and how your data are handled. Tips:
- Check the source. Do you know the developer and provider of the app?
- Check its popularity. If an app has been downloaded 150,000 times, chances are that the app is safe and reliable. Be careful if the app was downloaded only 15 times or so.
- Read the app’s terms and conditions and check which information and functionality you give the app access to.
- Update regularly. Updates not only improve functionality, but also security.
Tilburg University has concluded a campus license for various tools. Support is offered for these tools and arrangements have been made with suppliers on the way in which they process personal data and what security measures they have in place. These arrangements have been set out in a processing agreement.
There are also free tools that you can download. For these tools, Tilburg University has not made any agreements with the provider concerning privacy and security. Storing sensitive/personal data in these tools is therefore not wise. If you still want to use such a tool, please be alert as to what information you store in that tool.
The education innovation portal provides an overview of teaching tools available to you as a teacher at Tilburg University. Tilburg University has campus licenses for various tools that can be used in teaching. In addition, the Teacher Technology team has made a selection of free tools for which manuals are available on the internet.
How do I report a data breach?
Have you lost your laptop containing personal data? Or have the wrong people had access to your information or did you send information to the wrong people? This may constitute a data breach. Please report this to CERT immediately.