Training & awareness

Access information about the eLearning module as well as general cyber information and advice for keeping information secure.


Cyber security awareness

The security of our information resources, and the privacy of our students and staff, are essential to our University's operations. By completing a mandatory eLearning module, learning a few simple steps, and following advice and guidelines, we can be better equipped to protect ourselves and our University from cyber security threats and keep sensitive information secure.

As a result, in November 2023, the University introduced an online Cyber Security Awareness training module. The training is mandatory for all UNSW staff to complete annually. The module is automatically assigned within Moodle with an enrolment email sent directly to their UNSW mailbox. Please refer to the section below for more information. 

Cyber security awareness - online training

The completion of the UCYBER - Cyber Security Awareness training module is mandatory for all UNSW staff (including casuals and academics) due to the increasing risks and threats to the University's information resources. This requirement is formalised in the UNSW Cyber Security Policy (section 3.6 B) which sets out our obligation as UNSW staff to protect the security of our information resources and details our organisational roles and responsibilities.

In this module, you will learn why cyber security is everyone's responsibility and how the actions you take on a daily basis can help keep yourself and the University safe from cyber-attacks and data breaches. By doing your part you will help build a greater cyber-aware culture at our University.  

Introduction to the training module

Take a closer look at this 3 minute video to see what you can expect and hear an important message from our Vice-Chancellor.

Accessing and completing the training

The eLearning training module is automatically assigned to all University staff and affiliates to complete annually. The module is easily navigable and is accessible on most devices including mobile devices.

The module comprises 6 topics with an assessment required at the end of the module, where an 80% pass rate is required.

Please look out for the enrolment email in your UNSW mailbox and:

  1. allow 24-48 hours for the course to appear in Moodle,
  2. sign on to Moodle: https://moodle.telt.unsw.edu.au/my/
  3. complete the UCYBER - Cyber Security Awareness course.

    Please set aside approximately 30 minutes to complete the module.

You can complete modules in any order, all in one session, or save and exit to return to the module and complete others later.

FAQs

  • Yes. You have 5 attempts to do the assessment before you are required to do the module again.

     

  • All staff are automatically enrolled in the training and will receive a notification email with details on how to access the module. Once the email is received, please allow 24 to 48 hours for the course to appear on your Moodle dashboard as UCYBER - Cyber Security Awareness. If the module is still not visible after 48 hours, please send an email to cybersecurityawareness@unsw.edu.au for assistance.

     

  • Due to the increasing risks and threats to the University's information resources, Cyber Awareness training is a mandatory requirement for all staff with an active zID that can access our systems. Even if you only occasionally access UNSW systems such as Microsoft Teams/Outlook or myUNSW, it is helpful to have some awareness of our policies and standards as well as your obligations for handling digital information and staying secure online.

     

  • It is mandatory due to the increasing risks and threats to the University's information resources. This requirement is formalised in the University's Cyber Security Policy, which sets out our obligation as UNSW staff to protect the security of our information resources and details our organisational roles and responsibilities. All staff are responsible for completing cyber security training and awareness activities and following cyber security guidance provided by UNSW.

     

  • a)  Casual employees can claim the time to complete the training via their timesheet.
    b)  Casual academic staff should select the Other Duties rate applicable to their engagement when claiming any hours for mandatory training and include a description in the comments field.
    c)  Identified contractors and all other staff should complete the training within their standard working hours.
    d)  For assistance submitting your timesheet, please reach out to your direct Supervisor/Manager or your local Faculty Administrator.

    For more detailed information regarding the payment process, please reach out to your local Finance Team.

  • All staff need to complete the module annually per the Cyber Security Policy. 

     

  • Please note that the training will only appear in your Moodle Dashboard one business day after enrolment. If it still does not appear in the Moodle portal after this timeframe, please contact the LMS & Systems Integration Team at PVCESE.LMS@unsw.edu.au.

     

  • Whenever the NEXT> button is greyed out, there is usually an X in the top right-hand corner of the screen. You need to click this X to close the screen before you can proceed. 

     

  • A formal exemption request can be submitted to the Cyber Security Governance team via the MyCyberHub portal, using option A4 Exemption Request.

     

For all other queries, please contact us at cybersecurityawareness@unsw.edu.au.


General awareness and advice

Cyber Security is everyone's responsibility and by understanding a few guidelines, and following advice, you can help protect yourself and the University from cyber security threats and keep data and information safe.

  • Keep your information safe from cyber criminals who resort to social engineering, the practice of manipulating people into providing confidential, personal, or sensitive information. While attacks typically come by way of email, criminals may also resort to calling, SMSing, or social media to gather information.

    Protect yourself by following these tips:

    1. Independently verify phone numbers when someone calls asking for confidential information, for example via official websites or company phone numbers, and call them back to make sure you know who you’re talking to.
    2. Research the facts if in doubt about the legitimacy of someone who has contacted you. Conduct your own research to see if others have reported related scams.
    3. Be aware that colleagues can be compromised. Criminals with access to someone’s account also have access to their contact list. If you receive a suspicious message from a trusted contact, confirm with them on another channel to verify the message in question.
    4. Be extra careful on smartphones, as web links are often shortened there, making it difficult to see what webpage you're visiting.
    5. Don’t assume they know you. Criminals can collect information about you from various sources and websites. Be aware of what personal information is available publicly.

    Phishing is a type of social engineering where cybercriminals send an email deceptively crafted to appear to come from an organisation or someone you trust. The University receives numerous targeted email scams (phishing) attempting to manipulate you into compromising sensitive information. The University has established strong security controls to help protect you from receiving these types of fraudulent emails; however, some of them may still be delivered. It is therefore important to remain vigilant and keep yourself and the University safe from cyber-attacks by recognising phishing attempts.

    Phishing campaign techniques

    1. Urgency. This technique attempts to gather your credentials or other confidential information by presenting a financial opportunity that you must act on quickly.
    2. Threat. Messages will try to manipulate you to resolve a bogus situation. These could include some or all of the following: blackmail, a financial penalty that will increase if you do not respond, or the threat that your credentials have already been compromised.
    3. Curiosity. Fraudulent emails are crafted to attract your attention and curiosity by using a small amount of information and trying to entice you to click on a link to gather more information.
    4. Familiarity. Messages will be designed to look like a large reliable brand or appear to come from a trusted source.

    What should I do if I suspect I am being phished?

    Always stop and assess before you act. Does it sound urgent? Is it making you want to react emotionally or irrationally?  Is it brief and does it leave you wanting to know more? Does it look familiar?

    • If an email looks suspicious, click on the Report Phish button in your UNSW Outlook menu bar. This will alert the Cyber Security team of a potential phishing campaign and the suspicious email will be automatically deleted.
    • Do not reply to the email, click any links or attachments within it, or forward it.
    • Contact the IT Service Centre on 02 9385 1333 for advice if you are uncertain.

    Refer to the Viva Engage post.

  • UNSW policies and standards are reviewed and updated as technologies change, and our digital environment is updated.

    As you have an obligation to comply, it is important that you review these, and all policies and standards at least once annually to stay up to date:

    • The Acceptable Use of UNSW Information Resources Policy sets out the principles for using University information resources, which include any Information Service, Information Asset, or Digital Information.
    • The Cyber Security Policy sets out the principles for ensuring University-wide information resources are appropriately protected. This policy outlines appropriate governance of cyber security and management of cyber security risk, and ensures that cyber security events are detected and responded to promptly and that UNSW Information Resources recover from cyber security incidents in a secure and timely manner.
  • At our University, digital information is at the core of our daily operations as staff. Personal and financial details - about you, our colleagues, our students, and our business associates - are valuable to cybercriminals. It is therefore important that we as staff understand the significance of our policies and standards when handling, sharing, storing, and disposing of sensitive data.

    The University administers several policies on data governance and has a separate learning module available in Moodle. 

    Protect sensitive data

    During your work, you may come across information of a confidential or sensitive nature. Whether it is student details, research data, or business documents, it is important that you handle this information carefully at all stages:

    • When creating or receiving sensitive data. Be sure you only share it with those who require or are authorised to access it. Always store this data in a secure location, such as OneDrive-UNSW or SharePoint. 
    • When sharing and accessing data. Always have the appropriate protections for your devices and storage. Laptops, tablets, phones, and even thumb drives should be encrypted. 
    • When archiving and disposing of data. Know your obligations around recordkeeping and data retention, as you may need to keep a history or the files themselves. When disposing of University devices, contact the UNSW IT Service Centre to have the devices properly wiped.

    Email tips to help protect UNSW sensitive data

    Email is the most widely used communication tool for sending attachments and links to potentially sensitive information. Setting up rules in Outlook to automatically forward all UNSW email to an external mailbox potentially exposes that email and any data it includes to security risks.

    The University has made significant investments to protect our email system by implementing cyber security controls such as anti-phishing and anti-malware protection. By automatically forwarding email to an external mailbox that doesn't have the same level of security as our University, you are exposing that data to potential compromise, and the University to liability for any associated privacy or security breach.

    Follow these recommended email practices to help keep our data safe:

    1. Check your UNSW email inbox regularly for important updates.
    2. Set up your device to remotely access University email through a supported email application such as Outlook or access your email via Outlook Web Access (OWA) on a browser.
    3. Only access your UNSW email on your UNSW-managed device.
    4. Only share data with others who are authorised to access it.
    5. Disable any automatic email forwarding rules in Outlook. By automatically forwarding sensitive emails to an external mailbox that does not have the same level of security as the University, you expose that data to potential compromise and the University to liability for any associated privacy or security breach.
    6. Do not forward sensitive information, especially emails with a do not forward label. 
    7. Sensitive and Highly Sensitive data should be stored on trusted platforms such as OneDrive-UNSW and SharePoint. The Cyber Security Standard - Data Security and UNSW Data Governance Policy provide detailed guidelines on the storage of UNSW data.

    Reporting data breaches

    We all play an important part in protecting the security of our digital information from unauthorised access, use, and disclosure. If you think you have lost information or accidentally shared it, report it immediately to the UNSW IT Service Centre on 02 9385 1333 or open a service ticket. By reporting the breach immediately, the IT Service Centre will escalate the matter to the Data Breach Management Committee who will take the necessary actions to protect the University from further damages.


  • Your zID is your digital key to a wider range of University online services and resources. When someone else has access to your zID, they also have the information it provides access to. 

    Weak passwords are a common vulnerability that can be exploited by cybercriminals to gain unauthorised access to sensitive information. Changing your password to a passphrase will improve your online security. A passphrase is a string of words that is longer than a traditional password, easier to remember, and more difficult to crack.

    Follow the guidance below to create a strong passphrase:

    • Use a passphrase. Your password (passphrase) needs to be a minimum of 14 characters; however, the longer it is, the harder it is for cybercriminals to crack. Make your passphrase unpredictable, unique, and difficult to crack but easy for you to remember.
    • Be unique. Each password, from your zID to your personal email, should be different from one another. This ensures that if one password is compromised, your other accounts aren't vulnerable.
    • Use the Identity Manager portal to change your zID password and perform other functions required. Refer to the Identity Manager for staff or students webpages for more information.
    • Use strong security questions. Many sites allow you to reset your password if you correctly answer security questions about yourself. Since information about you is often readily available online, we recommend avoiding easy-to-guess questions and answers.

    Important: Where available in your personal life, enable Multi-Factor Authentication (MFA). This added layer of security requires you to authenticate, after entering your password, via another factor (typically your smartphone). MFA is a requirement for your zID account at UNSW.

    Read the Cyber Security update or refer to the Viva Engage post.

    • Take care to lock your UNSW laptop when not in use and do not share your passwords.
    • Avoid public/unsecured Wi-Fi. Ensure the Wi-Fi being used is secure.
    • Be aware of online cyber threats that can place you and our University’s reputation at risk. Think before you click on links in emails or give out personal or business information via social media or public websites.

    Things you can do to secure your home workstation:

    1. Lock your devices when not in use.
    2. Use strong and unique passphrases (see Creating a strong passphrase section above).
    3. Be aware of your surroundings.
    4. Don’t share work devices with members of your household.
    5. Staff should use the UNSW VPN when working from home.

  • Your information is only as secure as the devices that house it, such as your laptop, tablet, smartphone, and even paper documents. Always ensure your devices have the latest security updates.

    Malicious apps are mobile apps that replicate the look or functionality of popular apps to trick you into downloading them, thereby infecting devices and stealing data.

    To help identify malicious apps:

    • Check the legitimacy/publisher of the app.
    • Check the app icon for slight differences in shape and colour.
    • Check online reviews of the app.
    • Watch out for low numbers of downloads on apps.
    • Be wary of extra symbols and extra words on the stated app name/developer.
    • Check the app description name for spelling and grammar errors. 

Reporting cyber incidents

It is important to report any cyber security incidents as quickly as possible so that UNSW IT's Cyber Security team can address any issues and mitigate risk exposure.  

 

    • Suspecting your computer or account has been compromised.
    • Having evidence of how technology or University data may be vulnerable.
    • Noticing inappropriate sharing of Highly Sensitive or Sensitive data.
    • Losing a University asset containing sensitive information.
    Learn more
    • Report a cyber security incident by calling the UNSW IT Service Centre on 02 9385 1333 or by raising a ticket directly.
    • Access MytiBot, the online chat bot with answers to common questions.  

     

  • Cyber security is everyone’s responsibility and by learning a few rules, simple steps, and following guidelines, we can protect ourselves and our University from cyber security threats and keep data safe. Visit the Cyber Security Training and Awareness page for more information.