Digital security best practices for working remotely

March 13, 2020

Penn State's Office of Information Security has shared the following message with the University community, providing guidance and reminders for handling information securely and in accordance with University policy.

Dear Penn State community,

As we shift to remote learning and as some members of the university community begin working from home, it is important to remember that handling Penn State data outside of our typical workspaces presents unique challenges. Taking a few additional security precautions when working remotely can help to keep Penn State’s valuable information secure. Here are some steps you can take to enhance security:

  1. Watch for phishing attempts. Penn State remains a high-value target for cyberattackers, especially during times of uncertainty. Be especially wary of emails that attempt to get you to share your password as a requirement for working remotely. Attackers will often try to exploit an existing relationship by posing as a person you know or trust (such as a colleague or supervisor) and by creating a sense of urgency. If you suspect an email is a phishing attempt, please forward the email as an attachment to phishing@psu.edu.
  2. Keep work data on your work computer. It is always preferable to conduct Penn State business on Penn State-owned devices, but the University recognizes that this approach may not always be possible. If you must conduct Penn State business on your personal device, do not store Penn State data on that device.
  3. Do not access information classified as Level 3 (“High”) or Level 4 (“Restricted”) under University Policy AD-95 on your personally owned device. Penn State-owned information assets are equipped with secure perimeters including Wi-Fi, VPN, encrypted drives, anti-virus, end-point protection, and active monitoring while on the Penn State network. Personal (non-Penn State owned) devices do not have this level of security and pose a higher level of risk.
  4. Adequately protect your system. This includes activating and/or enabling anti-virus software, regularly updating your operating system, and enabling the firewall on your operating system. If you don’t have anti-virus software, you may visit downloads.its.psu.edu to review possible options.
  5. Avoid public Wi-Fi.  If necessary, use a personal hotspot. ​Public Wi-Fi can introduce significant security risks and should only be used if absolutely necessary. 
  6. Always keep your device with you. Never leave your device or laptop in your car unattended, and make sure your screen can’t be seen by those around you. Password protect your device, not just your Access Account.
  7. Only use Penn State-approved video conferencing applications such as Zoom and Microsoft Teams.
  8. Do not sync Penn State data/files to personally owned devices such as Box Sync. Rather, go to box.psu.edu to access your data/files.  ​
  9. When absolutely necessary, use the Penn State AnyConnect Virtual Private Network (VPN) software to create a secure connection from your device to Penn State. This helps to protect Penn State’s data and keeps you safe in the event you have to use public Wi-Fi or connect from your home network to access a remote file. You can download this software on your personal and Penn State-owned devices by visiting downloads.its.psu.edu and selecting Connecting to Penn State.
  10. If you work with L3 or L4 information, please consult your supervisor and OIS to ensure you can adequately access this data. Email security.psu.edu before attempting to access L3 or L4 data remotely.

Finally, cybercriminals generally tailor email and web-related scams to current topics and trends. With news headlines dominated by information related to pandemics, coronavirus, and COVID-19, the Penn State community should stay vigilant for scams centering around these subjects. Be cautious and take basic online safety precautions when seeking information regarding COVID-19, including:

  • Avoid clicking links in unsolicited email and do not open e-mail attachments from senders you do not recognize.
  • Never give out personal financial information through e-mail.
  • Use legitimate websites as sources of information regarding COVID-19.

Remember, legitimate services and sites including Penn State never have a reason for you to send them your password.

In addition to email, there is at least one known COVID-19 outbreak map being circulated from a non-legitimate website. This particular map loads malware onto the system where it is visited. It is safe to assume that this will also be a commonly used tactic as individuals continue to use resources such as these maps to educate themselves on the current pandemic.

For more information or if you need additional guidance or support, please contact the Office of Information Security at security@psu.edu.

Last Updated March 13, 2020