The beginning of the year can be a time to reflect and improve. For example, did you know that it’s predicted that this year the average Australian household will have 30 connected devices? With such connectivity, how do you ensure that you’re staying cyber-safe and protecting your data?
Below are 5 simple things you can do; each resolution will help protect you, your family, and UQ.
We encourage you to pick one (or a few) to do this year.
Click on the resolution(s) you pick to view further information to support you with it.
- I will store my files safely and securely to safeguard my personal and work files.
- I will avoid using my work email for personal activities. This will help safeguard myself, my colleagues, and UQ systems.
- I will review my sharing permissions, and un-share folders/files/account access as appropriate to help avoid data breaches.
- I will practice good password hygiene by using different unique passwords for important accounts, and look into using a password manager.
- I will be vigilant with online scams, and report any suspected scams, to safeguard myself and UQ.
  Report UQ scams to IT Support, general scams to ScamWatch, and mark spam in my personal mailbox.
Find out more about how to stay cyber secure at our Cyber Security at UQ website or the Australian Government’s Stay Smart Online website.
Learn more about data privacy and information protection at the Data at UQ website.
Information to support you with your resolutions
Resolution: I will store my files safely and securely
UQ Files
Our where to store your files and information webpage outlines the different UQ file storage options depending on your needs. Ensure you store UQ files only on UQ-approved and supported systems (not on your personal computer, Dropbox, etc.), as UQ manages backups and controls to ensure integrity.
Tip: remember to consider the information security classification of the content when deciding on the most appropriate file storage option.
Personal files
Where you store your personal files will be unique to your needs; however, there are a few things to consider to ensure they are saved safely and securely.
- Personal or sensitive information: Any personal or sensitive information (e.g. bank statements, tax information) should be stored in a secure location that carries a low risk of data breach. Your hard drive on a password-protected personal computer might be a suitable location.
- Documents or images you need access to on the go: Cloud storage options are ideal for any files you need to access from multiple devices and locations. Such accounts should be protected with a unique password you do not use for any other accounts or services.
Backing up your personal files
For valuable files, it is important to have a backup. Backing up your files will allow you to restore irreplaceable photos and important files should your device fail, become damaged, or become inaccessible. The most common backup options are:
- Cloud backups (e.g. OneDrive).
- External hard drive stored in a safe place.
When considering options for backups, it is important to consider what kind of disaster you are protecting against. For example, an external hard drive might be a convenient option, but may also be damaged in a house fire along with your computer, resulting in a permanent loss of data.
You can read more about recommendations for backing up your files on the Australian Cyber Security Centre's website.
Resolution: I will avoid using my work email for personal activities
Why you should avoid using your work email for personal activities
Using your work email for personal activities increases your risk of being scammed, or of your account credentials being breached. This is because:
- The more accounts your UQ email is associated with, the more entities will have access to your UQ email address. Many companies will even sell your personal data (such as email address) to marketing companies. This means that even further entities will have access to your email address for email marketing, and potentially spam.
  - Note: whenever signing up to a new account, be wary of how they will use your personal information. Check their privacy policy to see if they may provide your details (or even sell them) to 3rd party companies.
- A common way for cyber criminals to gain access to your account is through ‘password stuffing’. Using your work email for personal activities increases the risk of your UQ account being compromised. Each time you sign up for a new account, you create credentials for this account (generally username/email address and password). The more accounts you have, the higher the likelihood that one of these may become breached.
  - The likelihood decreases with the legitimacy of the site. For example, your bank has much stronger security controls than a start-up application.
  - If you’re using your UQ email for accounts with weak security controls, it is more likely to be breached.
What is credential compromise and password stuffing?
If a website/application is hacked, criminals can gain access to login credentials (username/email and password) of its users. The hackers will often sell or post these breached credentials on the dark web for other criminals to utilise.
Password stuffing often occurs with breached credentials. Criminals leverage people's tendencies to reuse passwords for multiple accounts, and will ‘stuff’ the breached credential combinations into other accounts.
- For example, if your Canva account was breached, criminals could take your login/password combination and ‘stuff’ this into an array of other accounts such as eBay, Spotify, Uber, Outlook, etc. This process is often automated.
You can type your email address into https://haveibeenpwned.com/ to see if any associated accounts have been breached.
*Note that haveibeenpwned only reports on known breaches.
Protect your UQ account and email address by doing the following:
- Don’t share your email address online unless you need to.
- Don’t provide your UQ email for personal activities, such as online shopping.
- Make sure you use your UQ email – rather than your personal email – for UQ work or study-related activities.
- Delete spam messages without opening them.
- Don’t respond to or unsubscribe from suspicious emails – scammers may use this to verify your email address.
- Follow the instructions to block suspicious email addresses in Outlook or Office 365.
Resolution: I will review my sharing permissions, and un-share folders/files/account access as appropriate
Reviewing permissions at work
- Update permissions on shared files on cloud storage (e.g. OneDrive) when no longer required.
- Update your UQRDM project record to remove research collaborators when they leave the project team.
- If a member of your team resigns, revoke access to network drives and systems.
Protecting your personal device
Many applications on your personal devices will request access to your data. While access to data is usually necessary for expected application functionality (e.g. a photo editor requiring access to your photos), some applications are more dubious in their data collection and use policies.
It is good practice to regularly review application permissions and ensure settings are appropriate. Refer to these instructions to review application permissions on your Android device or iOS device.
Protecting your accounts
Online accounts (e.g. Google, social media) also collect, use and share data about you. You can review your privacy settings with these accounts to ensure they are appropriately secured. Google has a Privacy Checkup you can complete, and Facebook provides information about their Privacy settings and tools.
* Note that it is not recommended to sign up for personal social media accounts using your UQ email address.
Resolution: I will practice good password hygiene
Choosing a strong password
Read 'Create a strong password or passphrase' for information to help you choose a strong password.
Use unique passwords for different important accounts
It is important to use unique passwords for different important accounts, to help protect against credential compromise and password stuffing.
A common way for cyber criminals to gain access to your account is through ‘password stuffing’.
Each time you sign up for a new account, you create credentials for this account (generally username/email address and password). The more accounts you have, the higher likelihood that one of these may become breached.
If a website/application is hacked, criminals can gain access to login credentials (username/email and password) of its users. The hackers will often sell or post these breached credentials on the dark web for other criminals to utilise.
Password stuffing often occurs with breached credentials. Criminals leverage people's tendencies to reuse passwords for multiple accounts, and will ‘stuff’ the breached credential combinations into other accounts.
- For example, if your Canva account was breached, criminals could take your login/password combination and ‘stuff’ this into an array of other accounts such as eBay, Spotify, Uber, Outlook, etc. This process is often automated.
You can type your email address into https://haveibeenpwned.com/ to see if any associated accounts have been breached.
*Note that haveibeenpwned only reports on known breaches.
Password managers
The best way to protect against password stuffing is to have unique passwords for every account.
Rather than remembering myriad unique passwords, you can use password managers. Password managers store your login information for all of your accounts in an encrypted database with one master password (you only need to remember this one password), and help you to log in to accounts automatically.
It’s important to use a reputable password manager, because if the password manager you use is breached, all your credentials will be available to the hacker.
This article by PCMag compares the best free password managers.
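As an added example (not part of UQ's guidance), the short Python script below audits a password-manager CSV export for passwords reused across accounts and for a work email address used on personal accounts. The column names, the work.example and home.example domains, the service list and the sample rows are constructed assumptions; real password managers each use their own export layout.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export. The columns (name, username, password) are an
# assumption; adjust them to match the export of the manager you use.
SAMPLE_EXPORT = """name,username,password
Canva,alex@work.example,Sunflower!42
eBay,alex@home.example,Sunflower!42
Spotify,alex@home.example,Sunflower!42
Bank,alex@home.example,kT9#vq2LmZ-unique
Staff portal,alex@work.example,w0rk-Only-Passphrase
"""


def audit(export_csv, work_domain, work_services):
    """Return (reused, misuse) for a password-manager CSV export.

    reused: groups of account names that share one password.
    misuse: accounts registered with the work email that are not work services.
    """
    by_password = defaultdict(list)
    misuse = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        # Group on a digest so the plaintext never ends up in the report.
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
        by_password[digest].append(row["name"])
        domain = row["username"].rpartition("@")[2].lower()
        if domain == work_domain and row["name"] not in work_services:
            misuse.append(row["name"])
    reused = sorted(sorted(names) for names in by_password.values() if len(names) > 1)
    return reused, sorted(misuse)


if __name__ == "__main__":
    reused, misuse = audit(SAMPLE_EXPORT, "work.example", {"Staff portal"})
    for group in reused:
        print("Same password on:", ", ".join(group))
    for name in misuse:
        print("Work email used for a personal account:", name)
```

A CSV export holds every password in plaintext, so delete it securely as soon as the audit is done.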
Learn more
Learn more about passwords at UQ here
Learn more about general password security here
Resolution: I will be vigilant with online scams, and report any suspected scams
Types of scams
Common types of email scams today are malware and phishing. You can learn more about email scams here. Most email scams try to lure you into clicking a link, opening an attachment, downloading a file or entering account information. If you do any of these things, the scammer can steal sensitive or confidential information, and your computer and systems can be compromised. It is also common to receive scam links via text or even social media.
Recognising an email scam
Follow these tips to recognise an email scam
Reporting a scam
- Report UQ scams to IT Support.
- Report general scams to ScamWatch.
- Mark spam in your personal mailbox.
Tips to prevent email scams
While it is extremely likely you will receive scam emails, there are small actions you can take to help reduce the chance of scammers getting your details:
- Don’t share your email address online unless you need to.
- Mark and delete spam messages without opening them.
- Don’t respond to or unsubscribe from suspicious emails – scammers may use this to verify your email address.
- Follow the instructions to block suspicious email addresses in Outlook or Office 365.