Adjusting to working from home is new for many of us and one of the changes is that normal cybersecurity protections that apply when working on York University's campuses are no longer protecting you. Follow these simple steps to help keep your work cyber-secure at home.
Beware of fraud and phishing
Attackers have learned that it is often easier to target people rather than technology to get what they want, particularly in times of change or uncertainty. Beware of common frauds such as asking for your password to remotely “fix” a computer issue, email warnings about package delivery failure that ask you to click a malicious link, notice of unexpected lottery winnings, or an ask from someone from work that is urgent and unexpected such as to provide gift card codes or a financial transaction or change that does not follow normal procedure.
Ultimately, you are the best defence against such fraud and if in doubt, verify with the source of unusual work asks verbally over the phone, not via email or text. Be extra careful validating websites and email addresses are correct and trusted.
Also take note that at this time there are a number of scams related to Covid-19 that are now circulating online. These often come via email and in the form of websites purporting to provide information related to infection and response, or charitable donation sites that are fraudulent. Remain vigilant and see more information here: https://infosec.yorku.ca/2020/03/security-awareness-notice-defending-against-covid-19-cyber-scams/.
Secure your PC and computing devices
1) Ensure devices are up to date with latest available software and security updates from the manufacturer and keep them current by enabling automatic updating wherever possible.
2) Run current anti-virus/anti-malware protection. Both Windows and MacOS contain robust built-in malware protection so third-party tools are not required as long as you run current and supported versions of these operating systems.
3) To better protect devices on your home network, including home wireless routers, use CIRA Canadian Shield to enhance protection against viruses, malware, and other cyber threats. This is available from CIRA free of charge for personal use and no registration is required.
4) Ensure your work devices are used only for work purposes to reduce the risk of accidental modification or deletion of work files and software, or accidental infection of the device. Avoid peer-to-peer file sharing such as torrents and visiting websites that may have malicious content. Ensure family and friends are aware of this and set the computer to lock with a password/PIN when you are away from it.
Use York-provided collaboration tools to share information and communicate
Tools such as yuoffice (York’s Office 365 instance), Zoom, Moodle and other software operated by the University are managed and monitored for security and protected with your Passport York (PY) credentials. Avoid using services that are not protected by PY.
When setting up meeting audio/video conferences with Zoom, use the option to include a security PIN for access to the meeting. Keep in mind that without such a PIN, links are public and guessable and can be used by others for eavesdropping or disrupting meetings. See some related tips from Zoom here.
Use of Virtual Private Network (VPN) to access York resources
The York VPN service allows secure access to York information resources and systems that cannot normally be accessed from outside the York campus network. However, keep in mind that in many cases, such as with use of yuoffice/Office 365, there is no need to connect to the VPN to do work. For example, while most mapped drives/file shares require the VPN, yuoffice’s OneDrive, Teams, or Sharepoint can be used to securely store and share work files and do not require the VPN for access.
Report suspicious or malicious cyber activity
While you are working at home, remember you still have colleagues in IT and Information Security ready and willing to help!
To report suspected phishing/email fraud: use the “report phishing” button in Outlook (preferred), or forward to email@example.com.
For reporting any other cybersecurity incident, email firstname.lastname@example.org.
General IT security questions can be directed to email@example.com.