If your office space is anything like mine, it’s emptying fast. Close of business (21 Dec) is almost here and many of us are journeying home to share Christmas and Hogmanay festivities with loved ones.
As the University continues to wind back into its winter slumber, remember this – crime stops for no one, including Santa Claus. For that very reason, and because prevention is always better than having to cure a data loss incident, please ensure you follow cyber and information security best practices over the holidays.
Sleigh-ing the risks isn’t as hard as you’d think. All you need to do is keep looking after any data you’re accessing and using while away, no matter its classification.
Before you go
- Clear your desk and lock away any paper-based business-sensitive or personal data – avoid taking it home with you
- Conceal or remove any data displayed on noticeboards/whiteboards – it must not be readable from outside buildings/offices
- Re-read the GDPR leaflet issued to all staff – additional copies are available on request from Information Governance
- Run through the Information Security Awareness Training on My Dundee again – it can’t hurt to have a quick refresher
While you’re away
Be sure to only access data on secure devices: encrypted, password protected and, for phones and tablets, with the Company Portal app installed. Also, follow protocol when using email:
- If sending emails to existing students and staff, use their @dundee.ac.uk email address – specific circumstances where personal email addresses are used must be agreed with the relevant Director or School Manager in advance
- When emailing a group where individuals should not be identified, use BCC – become familiar with this field
- If your email has an attachment with personal information, it must be encrypted and a password for the file must be shared by another medium – consider alternatives like Box as email isn’t always the right approach
- Check you’ve got the right email addresses in the To, CC, and/or BCC field before you hit send – we need to avoid sending data to the incorrect people
- Stay vigilant for spam and phishing emails – question things in your inbox, click/respond with caution, report any you get to Microsoft (even if they appear to come from an internal account), and change your password immediately if you think you’ve fallen victim
We hope you won’t need to report an incident, but if you do…
Any potential data breach, big or small, should be reported immediately to:
- firstname.lastname@example.org during normal operations
- email@example.com when the University is closed during the winter break
Failure to do so risks harm to the individuals whose data has been mismanaged and significant reputational damage.
A prosperous New Year for the University is something we all want. Don’t be shy or bury your head in mince pies if you think you’ve caused a breach; we need to know about it. Every minute counts, as the University has just a 72-hour window under GDPR to decide whether it’s necessary to notify the Information Commissioner’s Office and/or the individuals impacted. Most incidents can be resolved promptly by the University staff we have on hand to mitigate them.
Take care, pay attention, keep up good data practice, and have a wonderful holiday 🎉