Guideline no. 5 – Recommendations for the protection of personal data and minimizing threats and risks when working with computer technology, in mobile communication, or on networks when working from home
Recommendations for employees
Beware of fraudulent e-mails
Currently, there is increased activity by hackers trying to exploit the ongoing pandemic situation and the demand for information about the coronavirus. Frequently used methods include sending fraudulent e-mails that contain attachments or links that appear to be important information about the coronavirus.
Fraudulent emails may seem very trustworthy. The aim of these attacks is usually the dishonest acquisition of funds or access to information systems, for example, in order to upload ransomware. Subsequently, ransom money is requested. However, the purpose of such an attack may also be to paralyze Charles University as a whole.
Today, it is no longer the case that fraudulent e-mails can be identified by imperfect Czech. In addition, don’t be fooled by an e-mail allegedly being sent by a person you know. If you believe that an attachment is untrustworthy or you do not expect any e-mail with such an attachment, do not open it. Malicious code may also not act immediately after the attachment is opened. If in doubt, always contact your local IT support.
Do not open suspicious links in e-mails
In a “phishing” e-mail, the real destination of a link is usually hidden. A link whose hidden destination differs from what it claims to be is the first sign of a fraudulent e-mail. How do I find out where a link in an e-mail really leads? Right-click (NOT LEFT CLICK) on the link and select “copy link address” from the menu. Then paste it, for example, into Notepad, and you will see where the real link leads. Also pay attention to shortened links (link-shortening services) that mask the real destination.
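The manual check described above (compare what a link says with where it really goes, and treat shortened links as hidden destinations) can be automated over the HTML body of a message. The following is an added example for this guideline, not a tool of Charles University; the sample message, the placeholder domains (university.example, login-update.example.net) and the list of shortener hosts are constructed for the example.

```python
"""Flag suspicious links in an HTML e-mail body (added example, not the
university's own tooling). For every <a> element it compares the host
named in the visible link text with the host in the href, and it flags
links that pass through a URL-shortening service. Sample data and the
shortener list are constructed assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small, illustrative list of link-shortening hosts.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Visible text that "looks like" an address: optional scheme, a host with a
# dot, an optional path, no spaces.
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-case host of a URL; bare text such as 'www.example.org' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_links(html):
    """Return findings as (href, visible_text, reason) tuples; empty list = nothing found."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        shown = text.rstrip(".")
        if href_host in SHORTENER_HOSTS:
            findings.append((href, text, "shortened link hides the real destination"))
        elif _URL_LIKE.fullmatch(shown) and _host(shown) != href_host:
            findings.append((href, text, "visible text and real destination differ"))
    return findings


# Constructed sample message: one honest link, one mismatched link,
# one shortened link, and one plain "Click here" link that the check ignores.
SAMPLE_EMAIL = """
<p>Important coronavirus information from the university.</p>
<a href="https://university.example/">university.example</a>
<a href="http://login-update.example.net/verify">https://university.example/login</a>
<a href="https://bit.ly/xyz123">Read the latest measures</a>
<a href="https://university.example/news">Click here</a>
"""

if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The heuristic only triggers when the visible text itself looks like an address; a link labelled “Click here” cannot be contradicted by its href, which is exactly why the guideline tells you to look at the copied link address rather than the text.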
Do not confuse your work computer with a private computer
Knowing that connecting to the Internet when working from home does not usually take place through the connection provided by the employer may lead to you being less cautious when using the Internet on work devices. Thus, an employee may access sites that are typically associated with an increased incidence of various malicious programs that they would never access on the employer’s network. This can introduce a malicious program to a “clean” device, which in turn can be a great risk both for the device itself and the information stored on it and for the organization’s information system after reconnecting such a device. In addition, increased caution is required when a private computer is used for remote access to the employer’s information system. If you use a laptop or other device of the employer, never install any suspicious or unlicensed software.
Avoid using public Wi-Fi networks
Personal data and other sensitive information cannot be transmitted via Wi-Fi networks in public places without additional special measures. Transfers are safer via mobile data or using a VPN when the settings at Charles University units allow this. If you intend to use third-party VPN services, check the reputation of the operator, the registered office, and the legal regulations under which the service is operated.
Select your passwords responsibly
Do not use the same passwords at home and at work. This recommendation especially applies to data that you use to log in to work remotely. If an attack on a home computer is successful, it is usually easy to retrieve saved credentials from browsers and e-mail clients. An attacker should not be able to log in to the business e-mail account or elsewhere with a private e-mail password.
Do not enable macros in ordinary documents
Most crypto viruses (ransomware) are distributed through fraudulent e-mails with an attached document. The document prompts you to enable active content and macros. The attachment itself may look like a message stating that the document is written in an older version of a text editor and that it is not possible to display the actual contents of the file without enabling macros. Never comply with such a requirement, because malicious code could be downloaded and installed. New versions of office programs can work with older versions of documents, and there is no need to install or enable anything.
Do not underestimate the physical security of computers
After turning on a computer, it should require some form of verification, e.g. by entering a password or biometric authentication. You can significantly mitigate the effects of theft by turning on hard disk encryption. For most computers, this feature can be turned on or installed for free, and the impact on performance is negligible. Encryption significantly reduces risk when a device is lost.
Follow other practical security measures
The measures should be appropriate for the level of risk. Important measures include adequate security when other family members want to access the device (or its contents). This especially applies to children who may unintentionally cause some of the risks described in this document.
When should you contact your local IT support?
- When there are files on the disk with unknown extensions instead of your normal documents.
- When there are new files on the disk containing information about making the files available after paying a ransom. They usually contain words such as decrypt, recover, ransom, etc. in the name and content of the file.
- When the desktop wallpaper has changed or notifications are displayed directly on the screen.
- In other cases if you notice suspicious or non-standard behaviour on the device.
When do you report a security incident?
Please note the obligation to report any potential security incident to the data protection officer. Reporting these incidents is the responsibility of every employee or their supervisor who discovers any of the following:
- A device or document that contains personal data was lost or stolen;
- An unauthorized person was given access to personal data on a device or in a document;
- Personal data in any form were placed without adequate access protection in a location where the data could be accessed by unauthorized persons;
- Personal data were damaged or lost;
- Personal data may have been changed or modified, but it is not possible to verify whether this actually happened.
Recommendations for employers
Do not underestimate backups and their protection
If a significant amount of data on the network is being encrypted by ransomware, it is the backups of that data that must be protected first and foremost. If a backup is performed by copying files to another location at regular intervals, it should be possible to turn off the automatic backup in an emergency even without the intervention of an administrator. The administrator may not always be available, and any copying of the virus or of already encrypted files to the backups could have a major impact. It is thus strongly recommended to implement backups in a manner that allows you to return to previous versions of files (e.g. using so-called incremental backups). This should be kept in mind when designing or updating the parameters of the unit’s information network, since advanced ransomware is capable of attacking backups.
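The two properties asked for here, versioned backups that a ransomware-encrypted copy can never overwrite and an emergency stop that needs no administrator, can be seen together in a small content-addressed backup routine. The following is an added example written for this guideline, not Charles University's backup tooling; it also applies the indicators from the employee section (files with unknown extensions, files whose names contain “decrypt”, “recover” or “ransom”) to refuse a backup run that would copy a compromised tree over the last good versions. The stop-file name, the list of known extensions and the 50% threshold are assumptions.

```python
"""Versioned backup with an emergency stop (added example, not the
university's own tooling). Every file version is stored under its SHA-256
digest and recorded in a manifest, so older versions are never overwritten
and any of them can be restored. A run is refused when a STOP file exists
in the source tree (any user can create it) or when the source shows
ransomware indicators. Marker name, extension list and threshold are
assumptions chosen for the example."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

STOP_FILE = "STOP_BACKUP"                                     # assumption
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt"}  # assumption
RANSOM_WORDS = ("decrypt", "recover", "ransom")
SUSPICIOUS_RATIO = 0.5        # assumption: refuse if >50% of files look renamed


class BackupHalted(Exception):
    """Raised when the run must not proceed (stop file or indicators present)."""


def ransomware_indicators(source: Path):
    """Return (files with unknown extensions, ransom-note-like files, total files)."""
    files = [p for p in source.rglob("*") if p.is_file() and p.name != STOP_FILE]
    unknown = [p for p in files if p.suffix.lower() not in KNOWN_EXTENSIONS]
    notes = [p for p in files if any(w in p.name.lower() for w in RANSOM_WORDS)]
    return unknown, notes, len(files)


def backup(source: Path, store: Path):
    """Copy changed files into a content-addressed store; return the manifest."""
    if (source / STOP_FILE).exists():
        raise BackupHalted("stop file present; automatic backup disabled by user")
    unknown, notes, total = ransomware_indicators(source)
    if notes or (total and len(unknown) / total > SUSPICIOUS_RATIO):
        raise BackupHalted("ransomware indicators in source; refusing to overwrite backups")
    objects = store / "objects"
    objects.mkdir(parents=True, exist_ok=True)
    manifest_path = store / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    for path in source.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(source).as_posix()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        versions = manifest.setdefault(rel, [])
        if versions and versions[-1] == digest:
            continue                              # unchanged since the last run
        blob = objects / digest
        if not blob.exists():
            shutil.copy2(path, blob)
        versions.append(digest)                   # earlier versions are kept
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest


def restore(store: Path, rel: str, dest: Path, version: int = -1) -> bytes:
    """Restore one file version (-1 = latest, -2 = the one before) and return its bytes."""
    manifest = json.loads((store / "manifest.json").read_text())
    digest = manifest[rel][version]
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(store / "objects" / digest, dest)
    return dest.read_bytes()


def demo():
    """Run the whole scenario in a temporary directory and return the observations."""
    tmp = Path(tempfile.mkdtemp())
    src, store = tmp / "src", tmp / "store"
    src.mkdir()
    doc = src / "report.docx"
    doc.write_bytes(b"original contents")          # constructed sample file
    backup(src, store)
    doc.write_bytes(b"changed contents")           # a legitimate edit
    versions = len(backup(src, store)["report.docx"])
    previous = restore(store, "report.docx", tmp / "out" / "report.docx", version=-2)
    halted = {}
    (src / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note")
    try:
        backup(src, store)
        halted["note"] = False
    except BackupHalted:
        halted["note"] = True
    (src / "HOW_TO_DECRYPT.txt").unlink()
    for i in range(3):                             # mass renaming to an unknown extension
        (src / f"file{i}.docx.locked").write_bytes(b"x")
    try:
        backup(src, store)
        halted["ratio"] = False
    except BackupHalted:
        halted["ratio"] = True
    (src / STOP_FILE).write_text("")               # emergency stop without an administrator
    try:
        backup(src, store)
        halted["stop"] = False
    except BackupHalted:
        halted["stop"] = True
    return {"versions": versions, "previous": previous, "halted": halted}
```

Because objects are addressed by content digest, an encrypted file is simply a new version next to the old one; the indicator check only exists to keep a compromised tree from consuming storage and to alert whoever is present, and the stop file is the “switch off without an administrator” the guideline asks for.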
Prepare specific procedures for reacting quickly
If a crypto virus begins encrypting data, the affected computer must be shut down as soon as possible, and the network administrator must be informed of the attack. In these cases, every second is important. The less damage the virus causes, the better. Together with the administrator, the data protection officer or other persons responsible for compliance (e.g. communication with state authorities) should ideally be informed. Specific procedures should be part of the internal documentation for dealing with security incidents.
Evaluate and report security breaches
If there is a breach of personal data security at the office or when working from home that is assessed as a risk to the rights and freedoms of data subjects, Charles University is obliged to report the breach to the Office for Personal Data Protection. However, if an attack can be stopped in time (i.e. personal data were not compromised by the attacker and the data were restored from backup), it is usually not necessary to report such an attack, since it does not fulfil the condition of risk to the rights and freedoms of the data subjects. However, even in such a case, the incident should be recorded, pursuant to Article 33(5) of the GDPR.